Reflections on Trusting Trust - PowerPoint PPT Presentation

Slides: 17
Provided by: NKU

Transcript and Presenter's Notes

1
Reflections on Trusting Trust
  • Ken Thompson

2
Overview
  • Introduction
  • Cutest Program
  • Stage 1
  • Stage 2
  • Stage 3
  • Moral
  • Conclusion

3
Introduction
  • The author's acknowledgement
  • UNIX
  • Background
  • Presentation

4
Cutest Program
  • Stage 1
  • The shortest self-reproducing program
  • Write a source program that, when compiled and executed, produces an exact
    copy of its own source
  • Figure 1 is such a self-reproducing program
  • It can easily be written by another program
  • It can carry baggage (extra text, a comment for instance) that is
    reproduced along with the main algorithm
  • Source code on the next slide

5
Source Code
  • Figure 1, the self-reproducing program (not reproduced in this transcript)
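Because Figure 1 is missing from the transcript, here is an added example of the same idea, written for this page rather than taken from Thompson's paper: a C program that prints its own source. The template string t holds the whole program with %c and %s placeholders; render() fills the placeholders with the newline and double-quote characters and with t itself, so the text produced is, character for character, the file it was compiled from. The comment lines are the baggage Stage 1 refers to: they are reproduced in every copy although they play no part in the algorithm. The names t and render are this example's own.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not Thompson's code: a C program that prints its own source. */
/* The comment lines are baggage: they ride along in every copy the program */
/* prints, just as a Trojan can ride along in a compiler that rebuilds itself. */
char*t="#include <stdio.h>%c#include <string.h>%c/* Added example, not Thompson's code: a C program that prints its own source. */%c/* The comment lines are baggage: they ride along in every copy the program */%c/* prints, just as a Trojan can ride along in a compiler that rebuilds itself. */%cchar*t=%c%s%c;%cchar*render(void){static char b[4096];snprintf(b,sizeof b,t,10,10,10,10,10,34,t,34,10,10,10);return b;}%cint main(void){fputs(render(),stdout);return 0;}%c";
char*render(void){static char b[4096];snprintf(b,sizeof b,t,10,10,10,10,10,34,t,34,10,10,10);return b;}
int main(void){fputs(render(),stdout);return 0;}
```

To check it, save the block exactly as shown (ending with a single newline) as q.c; then `cc q.c && ./a.out | diff - q.c` prints nothing. The 10 and 34 arguments are the ASCII codes of newline and double quote: they let the template mention those characters without containing them, which is what keeps the printed copy of t identical to the literal in the source.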
6
Cutest Program
  • Stage 2
  • The C compiler is written in C
  • Chicken-and-egg problem: compilers are written in their own language
  • Example from the C compiler
  • Figure 2: the routine in which the compiler interprets a character escape
    sequence such as \n
  • Figures 3 and 4
  • Figure 3 adds the vertical tab \v
  • The existing binary does not know about \v, so Figure 3 will not compile;
    Figure 4 returns the ASCII value instead:
      if(c == 'v')
          return(11);
  • Once the binary built from Figure 4 is installed, the source can be
    changed back to Figure 3 and the 11 disappears from the source: the
    knowledge of \v now lives only in the binary

7
Stage 2 Example
  • Figure 2
      c = next();
      if(c != '\\')
          return(c);
      c = next();
      if(c == '\\')
          return('\\');
      if(c == 'n')
          return('\n');
  • Figure 3
      c = next();
      if(c != '\\')
          return(c);
      c = next();
      if(c == '\\')
          return('\\');
      if(c == 'n')
          return('\n');
      if(c == 'v')
          return('\v');

8
Stage 2 Cont.
  • Figure 4
      c = next();
      if(c != '\\')
          return(c);
      c = next();
      if(c == '\\')
          return('\\');
      if(c == 'n')
          return('\n');
      if(c == 'v')
          return(11);
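As an added example that is not code from the paper or the slides, the decoder of Figures 2 to 4 written out as a table-driven routine over a whole string. It goes beyond the figures in handling the two error cases they leave out (an unknown escape and a backslash at the end of the input). The table entry for 'v' is written as 11, the Figure 4 form, and bootstrap_consistent() checks that value against the '\v' the host compiler already knows, which is the condition under which the source could later be rewritten in the Figure 3 form. All function and type names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Thompson's code: the escape decoder of Figures 2-4 as a
   table-driven routine over a whole string.  The table is the knowledge the
   compiled decoder carries around with it. */

struct esc { char name; int value; };

/* Figure 4 step: '\v' is taught by its numeric value, because a decoder built
   from Figure 2 cannot yet read the '\v' literal that Figure 3 writes.  Once a
   binary built from this table exists, the 11 may be rewritten as '\v'
   (Figure 3) and nothing in the source will show where the value came from. */
static const struct esc table[] = {
    { '\\', '\\' },
    { 'n',  '\n' },
    { 'v',  11   },
};

/* Decode one escape; *p points just past the backslash and is advanced past the
   escape letter.  Returns the byte value, or -1 for an unknown or dangling escape. */
int escape(const char **p) {
    char c = **p;
    if (c == '\0') return -1;                   /* backslash at end of input */
    (*p)++;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].name == c) return table[i].value;
    return -1;
}

/* Decode src into out (cap bytes).  Returns the output length, or -1 on an
   unknown escape, a dangling backslash, or an output that does not fit. */
int decode(const char *src, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '\\' && (c = escape(&src)) < 0) return -1;
        if (n + 1 >= cap) return -1;            /* no room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper returning a static buffer, or NULL on a decode error. */
const char *decoded(const char *src) {
    static char buf[256];
    return decode(src, buf, sizeof buf) < 0 ? NULL : buf;
}

/* The bootstrap invariant: the value the table teaches must be the one the host
   compiler already knows for '\v'; otherwise rewriting 11 as '\v' (Figure 3)
   would change the meaning of every '\v' compiled afterwards. */
int bootstrap_consistent(void) { return table[2].value == '\v'; }

int main(void) {
    const char *s = decoded("tab\\vstop\\nline");   /* constructed input */
    printf("%s\n", s ? s : "(decode error)");
    return 0;
}
```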

9
Stage 3
  • Takes the compiler source and modifies it
  • Figure 5: the high-level control of the C compiler; compile is called to
    compile the next line of source
  • Figure 6: modified to miscompile the source whenever a pattern is matched
  • If this were not deliberate it would be called a compiler bug; since it
    is deliberate, it should be called a Trojan horse

10
Source Code
  • Figure 5
      compile(s)
      char *s;
      {
          ...
      }
  • Figure 6
      compile(s)
      char *s;
      {
          if(match(s, "pattern")) {
              compile("bug");
              return;
          }
          ...
      }

11
Results of Code
  • The planted bug matches code in the UNIX login command
  • The replacement code miscompiles login so that it accepts either
  • the intended encrypted password
  • OR
  • a particular known password
  • Giving access through login to whoever knows that password

12
Source Code
  • Figure 7
      compile(s)
      char *s;
      {
          if(match(s, "pattern1")) {
              compile("bug1");
              return;
          }
          if(match(s, "pattern2")) {
              compile("bug2");
              return;
          }
          ...
      }

13
Stage 3 Cont.
  • Figure 7 adds a second Trojan horse
  • It is aimed at the C compiler itself
  • Figure 7 uses Stage 1: the replacement code is a self-reproducing program
    that inserts both Trojan horses into the compiler
  • Compile the modified source with the normal C compiler
  • This produces a bugged binary
  • Install that binary as the official C compiler
  • Remove the bugs from the compiler source
  • The new binary will reinsert the bugs whenever the compiler is recompiled
    from that clean source
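As an added example that is not Thompson's code, the following toy model runs the whole sequence from this slide together with the login backdoor of the Results of Code slide. A source program is an array of lines, a compiled binary is the array of lines the compiler emitted (so what was actually compiled can be inspected), and the Trojan is the pattern-for-bug substitution of Figure 7. The patterns, the bug text, the toy login and compiler sources, and the backdoor password letmein are all constructed for this example; the function names are its own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Thompson's code: a toy model of Stage 3 and of the login
   backdoor.  A program is an array of source lines; a "binary" is the array of
   lines the compiler emitted.  Everything below is constructed for the example. */

#define MAXLINES 8
#define LINECAP  128

/* Figure 7: pattern1/bug1 target the login command, pattern2/bug2 the compiler. */
#define PATTERN1 "if (strcmp(pw, stored) == 0) ok = 1;"
#define BUG1     "if (strcmp(pw, stored) == 0 || strcmp(pw, \"letmein\") == 0) ok = 1;"
#define PATTERN2 "emit(s);"
#define BUG2     "if (match(s, pattern)) emit(bug); else emit(s);"

typedef struct { int trojaned; } compiler;

/* A clean compiler copies every line; a Trojaned one substitutes the bug
   whenever a line matches (Figures 6 and 7).  Returns the lines emitted. */
int compile_src(const compiler *cc, const char *src[], int n, char bin[][LINECAP]) {
    for (int i = 0; i < n; i++) {
        const char *s = src[i];
        if (cc->trojaned && strcmp(s, PATTERN1) == 0) s = BUG1;
        if (cc->trojaned && strcmp(s, PATTERN2) == 0) s = BUG2;
        snprintf(bin[i], LINECAP, "%s", s);
    }
    return n;
}

/* "Install" a compiler binary as the official C: it carries the Trojan iff
   bug2 was emitted into it, whatever its source said. */
compiler install_cc(char bin[][LINECAP], int n) {
    compiler cc = { 0 };
    for (int i = 0; i < n; i++)
        if (strcmp(bin[i], BUG2) == 0) cc.trojaned = 1;
    return cc;
}

/* "Run" a login binary: the intended password always works; the known
   password works iff bug1 was emitted into the binary. */
int run_login(char bin[][LINECAP], int n, const char *pw, const char *stored) {
    int backdoored = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(bin[i], BUG1) == 0) backdoored = 1;
    return strcmp(pw, stored) == 0 || (backdoored && strcmp(pw, "letmein") == 0);
}

/* The sequence from the slide, as a bitmask so each property can be checked:
   bit 0: the installed Trojaned binary re-infects a compiler built from CLEAN source
   bit 1: that second-generation compiler still backdoors a clean login
   bit 2: control: a never-Trojaned compiler yields a login without the backdoor
   bit 3: control: a never-Trojaned compiler rebuilt from clean source stays clean */
int trusting_trust_demo(void) {
    const char *cc_src[]    = { "compile(s) {", PATTERN2, "}" };                       /* clean */
    const char *login_src[] = { "login(pw, stored) {", PATTERN1, "return ok;", "}" }; /* clean */
    char bin[MAXLINES][LINECAP];
    int result = 0;

    /* Step 1: the Figure 7 source was compiled once and its binary installed
       as the official C; model that binary as trojaned = 1. */
    compiler official = { 1 };

    /* Step 2: the bugs are removed from the source and the compiler is rebuilt
       with the official binary.  The clean source still yields a bugged binary. */
    compile_src(&official, cc_src, 3, bin);
    compiler second = install_cc(bin, 3);
    if (second.trojaned) result |= 1;

    /* Step 3: login is built from clean source with that second compiler. */
    compile_src(&second, login_src, 4, bin);
    if (run_login(bin, 4, "letmein", "s3cret") && !run_login(bin, 4, "wrong", "s3cret"))
        result |= 2;

    /* Controls: a compiler that was never Trojaned. */
    compiler clean = { 0 };
    compile_src(&clean, login_src, 4, bin);
    if (!run_login(bin, 4, "letmein", "s3cret") && run_login(bin, 4, "s3cret", "s3cret"))
        result |= 4;
    compile_src(&clean, cc_src, 3, bin);
    if (!install_cc(bin, 3).trojaned) result |= 8;

    return result;          /* 15 when all four properties hold */
}

int main(void) {
    printf("demo result: %d\n", trusting_trust_demo());
    return 0;
}
```

The point the model makes concrete is bit 0: cc_src contains no trace of either bug, yet the binary built from it does, because the substitution happened in the compiler that compiled it. Reading cc_src, however carefully, cannot reveal this; only the emitted lines can.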

14
Moral
  • You can't trust code you didn't write
  • No amount of source-level verification will protect you from using
    untrusted code
  • The same could be done with any program-handling program
  • Assembler
  • Loader
  • Hardware microcode
  • The lower the level of the program, the harder the bugs are to detect

15
Moral Cont.
  • Criticizes the press on its handling of hackers
  • The author states that these acts by kids are vandalism at best
  • Points out the inadequacy of the law, which saves hackers from real
    prosecution
  • Companies are pressing to update the criminal code
  • Two major issues
  • The press, TV, etc. call these hackers "whiz kids"
  • The acts they perform will send them to jail for many years

16
Conclusion
  • Creating bugs and viruses can be simple
  • There is a cultural gap
  • Kids have no idea these are serious acts
  • Social stigma
  • Breaking into computers should be treated the same as breaking into homes

Questions ?