Re: getting around Ken Thompson's compiler Trojan

From: Barry Margolin (barmar@genuity.net)
Date: 01/23/03


From: Barry Margolin <barmar@genuity.net>
Date: Wed, 22 Jan 2003 23:29:53 GMT

In article <sAFX9.52$wc3.38152369@newssvr11.news.prodigy.com>,
Alun Jones <alun@texis.com> wrote:
>It is all going to depend on how the "am I compiling the compiler" test works.
> First, you're going to see the object files built with some token parsing,
>resulting in an object file that likely contains exactly the same object code
>as the un-obfuscated version produced, with a symbol table for external
>linking. If the test checks this object code, your obfuscations do nothing of
>any use, because the test looks for the object code, not the source.

The recognizer obviously can't look for "exactly the same object code",
since then it would fail to work if you were compiling a new revision of
the compiler. The recognizer clearly has to perform a fuzzy match, because
the goal is that the Trojan be propagated to all future versions of the
compiler. Not only does it have to do a fuzzy recognition, but it also has
to be able to figure out where to reinsert the Trojan code in the new
version.

It's always been clear to me that this is just a thought experiment,
intended to express the theoretical limits of security. It's not a
realistic project, because the technology it requires to recognize the
compiler and reinsert the Trojan after significant changes doesn't exist.
I can't imagine that a Trojan that was inserted into GCC 1.x would still
work in GCC 2.x.

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

