Re: getting around Ken Thompson's compiler Trojan

From: Alun Jones (alun@texis.com)
Date: Thu, 23 Jan 2003 02:20:17 GMT


    In article <RPFX9.57$rQ6.1170@paloalto-snr1.gtei.net>, Barry Margolin
    <barmar@genuity.net> wrote:
    >The recognizer obviously can't look for "exactly the same object code",
    >since then it would fail to work if you were compiling a new revision of
    >the compiler. The recognizer clearly has to perform a fuzzy match, because
    >the goal is that the Trojan be propagated to all future versions of the
    >compiler. Not only does it have to do a fuzzy recognition, but it also has
    >to be able to figure out where to reinsert the Trojan code in the new
    >version.

    Not having seen the paper on the original code, I don't know how the match
    occurs - it's even possible that the compiler is looking for a piece of code
    that the authors believed would likely never change. Say, for instance,
    something as basic as an 'itoa' routine. A routine where there would be
    essentially no good reason for re-writing the source. But yes, maybe it's
    doing a fuzzy match, in which case you're really up the creek to try and find
    a way to confound it!

    >It's always been clear to me that this is just a thought experiment,
    >intended to express the theoretical limits of security. It's not a
    >realistic project, because the technology it requires to recognize the
    >compiler and reinsert the Trojan after significant changes doesn't exist.
    >I can't imagine that a Trojan that was inserted into GCC 1.x would still
    >work in GCC 2.x.

    And yet, ISTR that Thompson claimed he found evidence that his adjusted
    compiler was still adjusting itself in relatively recent systems, several
    years after the first version.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]

    -- 
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
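The two patterns the thread is arguing about (backdoor the login program; recognise the compiler and reinsert yourself), as an added example that is not code from the post or from Thompson's paper. The "compiler" is a source-to-source pass over Python text that is then exec()'d; the 'itoa' anchor routine Alun speculates about, the check_password() routine and the 'backdoor' master password are all constructed for this illustration.

```python
# Added example, not code from the post or from Thompson's paper: a toy
# model of the two patterns ("backdoor login", "recognise the compiler and
# reinsert yourself"). The "compiler" is a source-to-source pass over
# Python text that we exec(); the 'itoa' anchor, check_password() and the
# 'backdoor' password are all constructed for this illustration.

# Constructed login program. A clean compiler passes it through unchanged.
LOGIN_SRC = '''\
def check_password(user, password):
    return user == "alice" and password == "wonderland"
'''

# Constructed clean compiler: an identity pass plus the 'itoa' routine the
# Trojan uses as its "never rewritten" anchor.
CLEAN_COMPILER_SRC = '''\
def itoa(n):
    return str(n)

def compile(src):
    return src
'''

# The Trojan body. "@@" is replaced by repr() of this very text (quine
# style) so that every inserted copy carries the template it came from.
TROJAN_TEMPLATE = r'''
TROJAN_TEMPLATE = @@

def _trojan(out):
    # Pattern 1: add a master password to the login routine.
    marker = "def check_password(user, password):\n"
    if marker in out:
        hole = "    if password == 'backdoor':\n        return True\n"
        out = out.replace(marker, marker + hole, 1)
    # Pattern 2: recognise the compiler by its anchor routine and append
    # a fresh copy of this Trojan to the compiled output.
    if "def itoa(" in out and "_trojan" not in out:
        out += TROJAN_TEMPLATE.replace("@" + "@", repr(TROJAN_TEMPLATE))
    return out

_clean_compile = compile

def compile(src):
    return _trojan(_clean_compile(src))
'''


def infect(compiler_src):
    """Plant the Trojan once by hand: stands in for the original binary patch."""
    return compiler_src + TROJAN_TEMPLATE.replace("@@", repr(TROJAN_TEMPLATE))


def load(src, name):
    """'Run' a compiled program: exec the text and hand back one function."""
    ns = {}
    exec(src, ns)
    return ns[name]


def demo(anchor_rename=None):
    """Rebuild the compiler from clean source with an infected one, then
    compile login with the result. anchor_rename simulates a rewrite of the
    routine the Trojan keys on."""
    gen1 = load(infect(CLEAN_COMPILER_SRC), "compile")   # the patched build
    src = CLEAN_COMPILER_SRC
    if anchor_rename:
        src = src.replace("def itoa(", "def %s(" % anchor_rename)
    gen2_src = gen1(src)                                 # clean source in ...
    gen2 = load(gen2_src, "compile")
    login = load(gen2(LOGIN_SRC), "check_password")
    return {
        "source_mentions_trojan": "_trojan" in src,   # what a code review sees
        "propagated": "_trojan" in gen2_src,          # what the build contains
        "stable": gen2(src) == gen2_src,              # gen3 == gen2: fixed point
        "backdoor_works": login("alice", "backdoor"),
        "normal_login": login("alice", "wonderland"),
    }


if __name__ == "__main__":
    print("anchor intact :", demo())
    print("anchor renamed:", demo(anchor_rename="int_to_str"))
```

With the anchor left alone, the compiler rebuilt from pristine source still carries the Trojan and still backdoors login, while the source shows nothing; rebuilding again from the same source reproduces the infected build exactly. Renaming the anchor routine ('itoa' to 'int_to_str') is enough to break this literal-match version, which is the fragility Barry's post is pointing at; a fuzzy recogniser would not be defeated that cheaply, which is Alun's "up the creek" case.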
    

