Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Thompson's Trojan Compiler

Tags:

unix

compiler-construction

I'm trying to grasp a better understanding of Thompson's Trojan Compiler (discussed in his 1984 ACM Turing Award speech "Reflections On Trusting Trust"), and so far this is how I understand it:

"The original login program for Unix would accept whatever login and password the root instructed it to. It would only accept a certain password, known only by the man who wrote the system. This could let him log in to the system as root."

Is this the right concept? I'm not 100% sure if I understand the whole concept.

If someone could make it clearer, it would help.

(See also Bruce Schneier Countering "Trusting Trust")

like image 342
KP65 Avatar asked Apr 23 '09 13:04

KP65

2 Answers

The original login program accepts matching pairs of name and password from a file.

The modification is to add a super-powerful password, compiled into the login program, that allows root access. In order to ensure that this code isn't visible when reading the login program, there's a change to the compiler to recognize this section of the login program, i its original form and compile it into the super-powerful password binary. Then, in order to hide the existence of this code in the compiler, there needs to be another change to the compiler that recognizes the section of the compiler that the first change was added to and output the modified form.

Once the changed compiler code exists, you can compile the compiler and install it in the standard place, and then revert the source code for both the login program and the compiler to their unmodified form. The installed compiled compiler will then take the unchanged login program and output the insecure form. Similarly, the installed compiler will compile the unmodified compiler source code into the devious variant. Anyone inspecting the source code for either one will agree that there's nothing unusual in them.

Of course, it only works until the source code for either program evolves far enough that the modified compiler no longer recognizes it. Since the modified compiler's source code is no longer present, it can't be maintained, and (assuming that the compiler and login continue to evolve) it will eventually stop producing the insecure output.

like image 200
PanCrit Avatar answered Oct 20 '22 15:10

PanCrit

I had never encountered the concept before, but this is pretty interesting - I found a neat write-up at http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php

like image 41
Christoffer Avatar answered Oct 20 '22 16:10

Christoffer
Sign in to Comment

Related questions

How to capture full output of `git clone`?
Are there any resources for becoming a Cygwin "power user"? [closed]
Make java program return value to calling shell script
Gearman , php extension problem : Class 'GearmanWorker' not found in .. using terminal but works on browser
What are options for writing an SVG-based desktop application?
run bash script without input
Alternative to ping [closed]
In place untar and delete tar (or tar.gz)
trap not working in shell script?
Does Linux provide a monotonically increasing clock to applications
ELF file headers
What UNIX commands support coloured output?
PROGNAME(x) references in manpages -- What does the digit in ()s mean? [duplicate]
Why is sys+user > real in "time command"?
What do the suffixes "+" and "-" after the job id of background jobs mean?
Scope of variables in KSH
Bash script to change parent shell directory [duplicate]
Bash - How to print multi line strings (with '\n') using printf
How to executing cron one minute after midnight every day?
Maximum buffer length for sendto?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!