That time the creator of UNIX built a Trojan Horse that let him log in to any UNIX machine.
And nobody knew about it for years.
Back in 1984, the Association for Computing Machinery presented Ken Thompson with a “Turing Award” for his many contributions to the world of computing.
Ken worked on Multics, co-created UNIX, created multiple programming languages (Bon and B — which directly led to C), co-created the Plan 9 operating system, and on and on. The man certainly has earned a few computing awards.
But we’re not here today to talk about those contributions to computing.
No, sir. We’re here to talk… about his acceptance speech. Because it is absolutely amazing… and it revealed an absolutely fascinating computer virus that Thompson had created years earlier… for the C compiler.
He titled his speech “Reflections on Trusting Trust”, and the basic premise is this:
“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”
To prove his point, Ken told the tale of how he had — years earlier — created what was, essentially, a computer virus that infected the C compiler (cc) and the UNIX login program.
Seriously.
Ken could gain control of most UNIX systems
It worked, essentially, like this:
Ken modified cc (the C compiler on UNIX systems) so that — only when it was compiling UNIX’s “login” program — it would inject a small “backdoor” (into “login”) that would allow him to log in as any user on the system if he used a predefined “password”.
Which is, obviously, a pretty big security hole.
However…
This sort of code would be likely to be found during a code review of the C compiler. Or by any casual programmer who happened upon that section of the code.
Hiding his UNIX backdoor
What Ken did next was… devious.
He needed to make sure that, should anyone find his nefarious code in “cc”… that his backdoor would live on.
So he then added functionality to “cc” so that it would detect if it was compiling itself (because the C compiler was compiled… in the C compiler)… and insert code into the compiler that would add… itself.
Which means…
Even if the source code is removed from “cc” project… the code (for adding both the login backdoor and the “keep adding this to the C compiler” bits) would get “invisibly” injected into “cc” every time it got compiled.
So… as long as there was an unbroken chain of using the C compiler from that point onward, the UNIX login backdoor was unlikely to be effectively removed.
Brutal.
“The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.”
The Moral of the story
As Ken Thompson put it…
“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”
Did this make it out into the wild?
Now… it is known that this bit of naughty code was released to at least one machine (used by a UNIX support group). This has been confirmed by Ken, himself. However, it is believed that the code went no further.
Do we know for sure?
Do we have a high level of confidence that the modified “cc” and “login” went no further than that support group UNIX box?
No. No, we do not.
In fact, according to Eric S. Raymond…
“Your editor has heard two separate reports that suggest that the crocked login did make it out of Bell Labs, notably to BBN, and that it enabled at least one late-night login across the network by someone using the login name “kt”.”
Which leads to a (rather amusing) bit of historical trivia:
Ken Thompson — one of the co-creators of UNIX — intentionally created a trojan horse that infected both the C compiler and the “login” program of UNIX systems.
What’s more… it went undetected for years. And we truly have no clue how widespread that trojan became.
So, is it, um, still out there?