Re: getting around Ken Thompson's compiler Trojan
From: Alun Jones (alun@texis.com)
Date: 01/23/03
- Next message: stanislav shalunov: "Re: getting around Ken Thompson's compiler Trojan"
- Previous message: David Magda: "Re: privacy on Unix-servers"
- In reply to: Chris Marshall: "getting around Ken Thompson's compiler Trojan"
- Next in thread: Barry Margolin: "Re: getting around Ken Thompson's compiler Trojan"
- Reply: Barry Margolin: "Re: getting around Ken Thompson's compiler Trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: alun@texis.com (Alun Jones) Date: Wed, 22 Jan 2003 23:13:28 GMT
In article <d06acab6.0301221311.396f70b1@posting.google.com>,
christopherlmarshall@yahoo.com (Chris Marshall) wrote:
>First, write a program to obfuscate the source code of any other program
>by randomizing the variable and function names, as well as the names
>of the source code files.
>
>Use the corrupted gcc to build the obfuscated gcc. The "am I compiling
>the compiler?" code in the corrupted gcc won't detect that it is
>compiling the compiler and will produce an uncorrupted binary of the
>compiler.
It is all going to depend on how the "am I compiling the compiler" test works.
First, you're going to see the object files built with some token parsing,
resulting in an object file that likely contains exactly the same object code
as the un-obfuscated version produced, with a symbol table for external
linking. If the test checks this object code, your obfuscations do nothing of
any use, because the test looks for the object code, not the source.
You'd have to have a fairly good idea as to what part of the object code was
being compared, and find some way to alter it significantly - such that the
optimiser, for instance, would not optimise it back to the original object
code. So, you'd probably have to have the code in question do the same
operation, but in a completely new way that the optimiser does not see as
equivalent.
For instance, let's say the original source code says:
y=y*6;
You could replace that with:
y=(y<<1) + (y<<2);
However, there are some environments where the latter is actually a faster
operation than the former, and the optimiser will already have made the same
replacement! So, you've got a battle on your hands to not only guess which
part to alter (or find some optimiser-defeating way of altering every line of
code), but also find a way to rewrite it that the optimiser will be incapable
of detecting.
Hand-compiling the compiler might be quicker.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
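A quick way to check Alun's point against a real toolchain, as an added example that is not part of the original post or of any poster's code: the script below writes three constructed one-line C sources (the reference `y * 6`, the same function with only its identifiers renamed, and the `(y << 1) + (y << 2)` rewrite), compiles each at `-O2 -S`, strips labels and assembler directives so symbol names disappear, and compares what is left, which is the code the optimiser actually emitted. It assumes a C compiler reachable as `cc` (override with `CC=clang`) that accepts `-O2 -S -o -`. The renaming case should come out identical on any compiler, which is the point about object code versus source; whether the shift rewrite survives `-O2` depends on the compiler and target, which is the battle the post describes.

```shell
#!/bin/sh
# Added example (not from the original post). Does identifier renaming, or the
# y*6 -> (y<<1)+(y<<2) rewrite, change what the C compiler emits at -O2?
# Assumption: a C compiler invoked as $CC (default: cc) accepting -O2 -S -o -.
set -eu
CC="${CC:-cc}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample sources for the demonstration. "orig" is the reference,
# "renamed" only renames identifiers (the obfuscation proposed upthread),
# "shifted" rewrites the arithmetic the way the post describes.
cat >"$WORK/orig.c" <<'EOF'
int scale(int y) { return y * 6; }
EOF
cat >"$WORK/renamed.c" <<'EOF'
int q7x(int k3) { return k3 * 6; }
EOF
cat >"$WORK/shifted.c" <<'EOF'
int scale(int y) { return (y << 1) + (y << 2); }
EOF

# Emit assembly and keep only instruction lines: labels sit in column 0 and
# directives start with '.', so dropping both removes every symbol name and
# leaves the instruction stream the optimiser produced.
instructions() {
    "$CC" -O2 -S -o - "$1" | grep -E '^[[:space:]]+[A-Za-z]' | sed 's/^[[:space:]]*//'
}

# same_code A.c B.c -> prints "same" or "different"
same_code() {
    if [ "$(instructions "$1")" = "$(instructions "$2")" ]; then
        echo same
    else
        echo different
    fi
}

# Named results so each comparison can be queried on its own.
rename_result() { same_code "$WORK/orig.c" "$WORK/renamed.c"; }
shift_result()  { same_code "$WORK/orig.c" "$WORK/shifted.c"; }

echo "identifier renaming only: $(rename_result)"
echo "shift rewrite of y*6:     $(shift_result)"
```

Run it as `sh compare.sh`, then again with `CC=clang sh compare.sh` to see how much of the answer is compiler-specific: the renaming line is "same" everywhere, while the shift line is where the optimiser either folds the rewrite back to the original code or leaves a visibly different instruction stream.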