Reflections on Trusting Trust

1
Reflections on Trusting Trust

• Ken Thompson

2
Overview

• Introduction
• Cutest Program
• Stage 1
• Stage 2
• Stage 3
• Moral
• Conclusion

3
Introduction

• The authors acknowledgement
• UNIX
• Background
• Presentation

4
Cutest Program

• Stage 1
• Shortest self-reproducing program
• Write a source program that will produce an exact
  copy of its source
• Figure 1
• Produces a self-reproducing program
• Can be easily written by another program
• Can contain baggage that will be reproduced along
  with main algorithm
• Source Code next slide

5
Source Code
6
Cutest Program

• Stage 2
• C Compiler written in C
• Chicken and egg problem
• Compilers written in their own language
• Example from C compiler
• Figure 2
• C compiler interprets the character escape
  sequence
• Figure 3 and 4
• Figure 3 adds vertical tab \v
• Binary version does not know about \v add ASCII
  value
• if(c v)
• return(11)

7
Stage 2 Example

• Figure 2
• c next( )
• if(c ! \\)
• return(c)
• c next( )
• if(c \\)
• return(\\)
• if(c n)
• return(\n)

• Figure 3
• c next( )
• if(c ! \\)
• return(c)
• c next( )
• if(c \\)
• return(\\)
• if(c n)
• return(\n)
• if(c v)
• return(\v)

8
Stage 2 Cont.

• Figure 4
• c next( )
• if(c ! \\)
• return(c)
• c next( )
• if(c \\)
• return(\\)
• if(c n)
• return(\n)
• if(c v)
• return(11)

9
Stage 3

• Takes the code and modifies it
• Figure 5
• High level control of the C compiler
• compile is called to compile next line of code
• Figure 6
• Modified to mis-compile source when a pattern is
  matched
• Not deliberate would be a bug. Since deliberate
  should be called Trojan horse.

10
Source Code

• Figure 5
• compile(s)
• char s
• ?

• Figure 6
• compile(s)
• char s
• if(match(s, pattern))
• compile (bug)
• return
• ?

11
Results of Code

• The bug planted would match code in UNIX login
  command
• Replacement code will miscompile login command
• Giving access to login
• Accepting the intended encrypted password
• OR
• Accepting a particular known password

12
Source Code

• Figure 7
• compile(s)
• char s
• if(match(s, pattern1))
• compile (bug 1)
• return
• if(match(s, pattern2)) ?
• compile (bug 2)
• return
• ?

13
Stage 3 Cont.

• Figure 7 adds a second Trojan horse .
• Aimed for the C compiler
• Figure 7 shows the use of stage 1 by applying
  self-reproducing program
• This is done by compiling modified source with
  the C compiler
• Produces bugged binary
• The binary is installed as the official C
• Remove the bugs from the compiler
• New binary will reinsert the bugs whenever
  compiled

14
Moral

• Cant trust code you didnt write
• Source level verification will not protect us
  from using untrusted code
• Could be done with any program-handling program
• Assembler
• Loaders
• Hardware microcode
• Level of program gets lower bugs will be harder
  to detect

15
Moral Cont.

• Criticizes press on handling of hackers
• Author states these acts by kids are vandalism t
  best
• States inadequacy of law that saves hackers from
  real prosecution
• Companies are pressing to update criminal code
• 2 major issues
• Press, TV, and etc. call these hackers whiz
  kids
• The acts performed will be sending them to jail
  for many years

16
Conclusion

• Creating bugs and viruses can be simple
• There is a cultural gap
• Kids have no idea these are serious acts
• Social Stigma
• Breaking into computers should be the same as
  breaking into homes

Questions ?