Section 10.3 Ken Thompson Cracks the Navy

The U.S. Navy has a postgraduate school in beautiful Monterey, California. They're not just a bunch of beach bums, though. There is serious research going on, including some in Computer Science. One of the areas of research was computer security and they spent considerable time modifying UNIX to be more secure. Naturally, the military is very concerned about security and these guys were sharp. When they were ready, they contacted Ken Thompson, the co-inventor of UNIX, and proudly invited him to try to break in. He took them up on the invitation. Some weeks later Ken demonstrated that he was "in" as root. Put yourself in the place of the sailors and think of possible types of exploits.

What Ken did was to modify the C compiler to recognize a particular code pattern in the source of the login program. He then sent an "update tape" that included this Trojan horse and waited for the Navy to recompile the system. Receiving update tapes from Bell Labs was routine, as was periodically recompiling the system.


Although I do not know, they might have studied the source on the update tape and might even have run diff on it. Compiler code is notoriously complex, and they may not have been able to tell that the change was anything other than a bug fix. At some point, Ken got even more devious. Although an expert in compiler construction could have found this problem, consider his next demonstration.

Recall that Ken had modified the C compiler to deliberately miscompile the login program, planting a Trojan in it. He then added a second Trojan to the C compiler: whenever the compiler recognized that it was compiling its own source, it inserted both the first Trojan and this second one into the resulting compiler binary, even if that source contained neither. Thus, once this second version of the C compiler was built, both Trojans could be removed from the C compiler's source. From then on, every subsequent version of the C compiler would carry the Trojans even though the source of the C compiler (and of login) contained none.

The only way to detect this Trojan is to disassemble the compiled C compiler and spot the Trojan in the binary, a virtually impossible task. Ken discussed this exploit in his very famous ACM Turing Award lecture, "Reflections on Trusting Trust."[1]

[1] Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. ACM is the Association for Computing Machinery. A copy of the lecture may be read from www.acm.org/classics/sep95/.

The more levels of "indirection" between the source of an exploit and the target it affects, the harder it is to detect because you are thinking, "How could this change affect security?" Exploits in compilers, loaders, and microcode are nearly impossible to detect. Clearly the more indirect exploits are much harder to design too.

The only realistic way to detect or prevent this exploit is to obtain your system from a trusted supplier and hope that they are careful to ensure that no Trojans have been allowed in. Certainly, anyone can obtain the GNU C compiler directly from the Free Software Foundation.
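As an added example (not the book's code and not Thompson's), here is a toy model in Python of the two Trojans described above, written to show what an audit can and cannot see. The mini-language, the credential table, the compiler "binaries" and the backdoor password are all constructed for this illustration. The honest compiler copies source lines into a binary; the compiler from the "update tape" additionally recognizes the login program and its own source, as the text describes. The last function goes beyond the text: once a compiler from an independent, trusted source is in hand, rebuilding the compiler from the same clean source with both and comparing the two binaries exposes the difference that a source diff never shows.

```python
"""Toy model of the compiler Trojan described in this section (constructed
example, not Thompson's code or the book's). A program in the mini-language is
one instruction per line; a compiled 'binary' is a tuple of instructions; the
run_* functions play the role of the hardware that executes binaries."""

USERS = {"alice": "correct horse"}           # constructed credential store
BACKDOOR_SECRET = "constructed-magic-word"   # constructed placeholder

LOGIN_SRC = "CHECK_PASSWORD\n"               # the login program's whole source
CLEAN_COMPILER_SRC = "TRANSLATE\n"           # honest compiler: no Trojan here


def run_login(binary, user, password):
    """Execute a compiled login program; True means the user is let in."""
    for instr in binary:
        if instr == "CHECK_PASSWORD" and USERS.get(user) == password:
            return True
        # An instruction that only a Trojaned compiler ever emits
        if instr.startswith("BACKDOOR ") and password == instr.split(" ", 1)[1]:
            return True
    return False


def run_compiler(compiler_bin, source):
    """Execute a compiled compiler on source text; returns the output binary."""
    out = []
    if "TRANSLATE" in compiler_bin:          # the honest part of the compiler
        out.extend(line for line in source.splitlines() if line.strip())
    if "TROJAN" in compiler_bin:             # the two Trojans from the text
        if "CHECK_PASSWORD" in source:       # Trojan 1: recognizes login
            out.append(f"BACKDOOR {BACKDOOR_SECRET}")
        if "TRANSLATE" in source:            # Trojan 2: recognizes the compiler
            out.append("TROJAN")             # ...and re-plants both Trojans
    return tuple(out)


# The binary you built yourself versus the one that arrived on the update tape
CLEAN_CC = ("TRANSLATE",)
TAPE_CC = ("TRANSLATE", "TROJAN")


def rebuild_compiler(with_compiler):
    """Recompile the Trojan-free compiler source with the given compiler."""
    return run_compiler(with_compiler, CLEAN_COMPILER_SRC)


def build_login(with_compiler):
    """Compile the (clean) login source with the given compiler."""
    return run_compiler(with_compiler, LOGIN_SRC)


def source_audit_finds_trojan():
    """What reading the source or running diff on it can see: nothing."""
    return "TROJAN" in CLEAN_COMPILER_SRC or "BACKDOOR" in LOGIN_SRC


def independent_rebuild_differs(suspect_cc, trusted_cc):
    """Beyond the text: rebuild the compiler from identical source with the
    suspect compiler and an independently obtained one, then compare."""
    return rebuild_compiler(suspect_cc) != rebuild_compiler(trusted_cc)


if __name__ == "__main__":
    # Generations of the compiler built from clean source with the tape compiler
    cc = TAPE_CC
    for generation in range(3):
        cc = rebuild_compiler(cc)
        print(f"generation {generation}: {cc}")   # TROJAN survives every rebuild
    login_bin = build_login(cc)
    print("login binary:", login_bin)
    print("root via backdoor:", run_login(login_bin, "root", BACKDOOR_SECRET))
    print("source audit finds Trojan:", source_audit_finds_trojan())
    print("independent rebuild differs:", independent_rebuild_differs(cc, CLEAN_CC))
```

Running the script shows the "TROJAN" instruction reappearing in every generation even though CLEAN_COMPILER_SRC never mentions it, which is exactly why diffing the source tells the auditor nothing. The comparison in independent_rebuild_differs is the practical form of "obtain your system from a trusted supplier": a second, independently obtained compiler gives you something to compare the suspect build against.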

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260