
Ken Thompson's theoretical C compiler backdoor - rms
http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php
======
aston
Not theoretical. Check out the (awesome) paper: "Reflections on Trusting
Trust"

<http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf>

edit: It's linked in the Scienceblogs article, but it ought to be the main
feature.

~~~
jey
Here's the talk in HTML: <http://www.acm.org/classics/sep95/>

------
mojuba
You can fight this by adding a code into the compiler source you have that
detects a backdoor pattern in the resulting binary and wipes it off or just
refuses to compile.

In response, Ken Thompson designs a compiler that detects the backdoor
detection pattern in the compiler source and excludes that part from the
resulting binary.

Until some clever guy writes a separate program that checks some critical
binaries in the system for backdoors.

Ken Thompson's response is obvious: prevent such a program from properly
detecting backdoors. The compiler becomes aware of such patterns too.

A clever guy writes a login program in the UNIX shell language [substitute
with Lisp, Perl, Python or God forbid, Java]

Ken Thompson's compiler then becomes aware when it compiles the shell
interpreter (or whatever compiler/VM).

Shortly before the end of the days Ken Thompson's compiler becomes aware of
itself and whatever it compiles and screams "Mommy, I exist!"

(Actually, to prevent Ken Thompson's compiler to become self-aware, you may
write a manual for system administrators in human language on how to manually
detect malicious code in a compiler binary and how to modify it with some
binary editor.)

~~~
mojuba
Binary editor? Written in C? Oops... :)

------
jward
When I was working at the University of Alberta last year, Ken Thompson came
and gave an informal talk for anyone who was interested and he talked about
this.

The gist if you don't want to read the article is you put code into your c
compiler that checks to see if it's making the login command and then compiles
in a backdoor. Nasty in its own right, but then you also put in code so if you
recompile the compiler, it adds the code to do this (add the backdoor and add
itself to the c compiler) back in. Then you take the code out of the source
file and recompile.

Apparently it almost made it out into production Unix, accidentally. The only
thing that stopped it was they had an error in their code that added an extra
space each compile cycle and one of the QA guys caught it.

------
far33d
The ACM Turing award lectures are wonderful. But this one is the best of all.

