Building World Class Software at uptime

Thursday, March 27, 2008

Issues of Trust

One of the big draws of open source software is that because you can examine the source code, you can, at least in theory, find bugs in the software and correct them. The idea that "with enough eyes, all bugs are shallow" reflects this. But Ken Thompson, one of the creators of Unix, gave a beautiful talk in 1984 called "Reflections on Trusting Trust", which describes an ingenious method for introducing a security back door that works even when you have all the source code available.

Let's say you wanted to modify the SSH daemon to remember the username and password of anyone who logs in, and send you the results. It would be a reasonably small change to the software to allow this, and assuming you had root access, you could easily drop in a modified version. But next time someone recompiled sshd, the change would be lost. How might you make your change more permanent?

Ken's attack uses the C compiler itself as the weak spot. First, he introduces code in the compiler to detect when it's compiling sshd and output the hacked version:

    if (compiling_sshd()) {
        output_hacked_sshd();
    } else {
        compile_normally();
    }


But again, if you recompile the C compiler, the change gets lost. So let's add another check, this time for the C compiler:

    if (compiling_gcc()) {
        output_hacked_compiler();
    } else if (compiling_sshd()) {
        output_hacked_sshd();
    } else {
        compile_normally();
    }


But here's the key idea: I can now remove this code from the compiler's source, because the already-compiled binary will take care of it. Future compilations of gcc will re-insert the block, and so invisibly infect the binaries.

So if you could make this change on, say, a Debian maintainer's machine, it could take quite a while before it gets noticed. Caveat Emptor...
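
An added example, not from the original post: a toy C model of the if/else chain above, showing that rebuilding gcc from clean source reproduces the hacked binary, and that one known check, diverse double-compiling against an independent trusted compiler, exposes the mismatch. The structs, flag names and `trusted-cc` are constructed for illustration, and no real compiler is modelled.

```c
/* Toy model (constructed): a "binary" is a record of what it does, and
   compiling maps a source to a binary. No real compiler is involved. */
#include <stdio.h>
#include <string.h>

enum { TRANSLATE = 1, AUTHENTICATE = 2, TROJAN = 4, PASSWORD_LOGGER = 8 };
enum { STYLE_GCC = 1, STYLE_OTHER = 2 };  /* code-generation styles */

struct source { const char *name; unsigned does; int emits; };
struct binary { const char *name; unsigned does; int emits; int layout; };

/* What an auditor reads: both sources are clean. */
const struct source GCC_SRC  = { "gcc",  TRANSLATE,    STYLE_GCC };
const struct source SSHD_SRC = { "sshd", AUTHENTICATE, 0 };

struct binary clean_gcc(void)    { struct binary b = { "gcc", TRANSLATE, STYLE_GCC, STYLE_GCC }; return b; }
struct binary trojaned_gcc(void) { struct binary b = clean_gcc(); b.does |= TROJAN; return b; }
struct binary trusted_cc(void)   { struct binary b = { "trusted-cc", TRANSLATE, STYLE_OTHER, STYLE_OTHER }; return b; }

/* Run compiler binary `cc` on `src`, following the post's if/else chain. */
struct binary run_compiler(struct binary cc, struct source src) {
    struct binary out = { src.name, src.does, src.emits, cc.emits };
    if (cc.does & TROJAN) {
        if (strcmp(src.name, "gcc") == 0)       out.does |= TROJAN;          /* compiling_gcc()  */
        else if (strcmp(src.name, "sshd") == 0) out.does |= PASSWORD_LOGGER; /* compiling_sshd() */
    }
    return out;
}

int same_binary(struct binary a, struct binary b) {
    return strcmp(a.name, b.name) == 0 && a.does == b.does
        && a.emits == b.emits && a.layout == b.layout;
}

/* Diverse double-compiling (a check the post does not cover): returns 1 if
   the installed gcc is bit-for-bit what its source should produce. */
int ddc_matches(struct binary installed, struct binary trusted) {
    struct binary stage1 = run_compiler(trusted, GCC_SRC);  /* honest, but laid out differently */
    struct binary stage2 = run_compiler(stage1, GCC_SRC);   /* same layout an honest gcc would have */
    return same_binary(stage2, installed);
}

int main(void) {
    printf("rebuilt gcc still trojaned: %d, sshd logs passwords: %d\n",
           same_binary(run_compiler(trojaned_gcc(), GCC_SRC), trojaned_gcc()),
           (run_compiler(trojaned_gcc(), SSHD_SRC).does & PASSWORD_LOGGER) != 0);
    printf("DDC accepts clean gcc: %d, trojaned gcc: %d\n",
           ddc_matches(clean_gcc(), trusted_cc()), ddc_matches(trojaned_gcc(), trusted_cc()));
    return 0;
}
```

The second compilation stage is what makes the comparison meaningful: the first-stage binary differs from any gcc-built gcc in layout, so only the self-rebuilt result can be compared bit for bit.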
