Back in 1984, the Association for Computing Machinery presented Ken Thompson with a “Turing Award” for his many contributions to the world of computing.
And for good reason.
Ken worked on Multics, co-created UNIX, created multiple programming languages (Bon and B — which directly led to C), co-created the Plan 9 operating system, UTF-8, and on and on. If anyone deserves an award for advancing computing... it's Ken Thompson.
But we’re not here today to talk about those extraordinary contributions to computing.
No, sir.
We’re here to talk… about his acceptance speech.
Because that speech revealed a truly fascinatin computer virus that Thompson had created years earlier… for the C compiler. One which gave him a backdoor into UNIX itself.
The Speech
He titled his speech “Reflections on Trusting Trust”, and the basic premise is this:
“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”
To prove his point, Ken told the tale of how he had — years earlier — created what was, essentially, a computer virus that infected the C compiler (cc) and the UNIX login program.
Seriously.
This is real.
Ken could gain control of most UNIX systems
It worked, essentially, like this:
Ken modified cc (the C compiler on UNIX systems) so that — only when it was compiling UNIX’s “login” program — it would inject a small “backdoor” (into “login”) that would allow him to log in as any user on the system if he used a predefined “password”.
Which is, obviously, a pretty big security hole.
However…
That sort of "universall password" code would be likely to be found during even a rudimentary code review of the C compiler. Or, heck, even by any casual programmer who happened upon that section of the code.
What Ken did next was… devious.
Hiding his UNIX backdoor
He needed to make sure that, should anyone find his nefarious code in “cc”… that his backdoor would live on.
So he then added functionality to “cc” so that it would detect if it was compiling itself (because the C compiler was compiled… in the C compiler)… and insert code into the compiler that would add… itself.
Which means…
Even if the source code is removed from “cc” project… the code (for adding both the login backdoor and the “keep adding this to the C compiler” bits) would get “invisibly” injected into “cc” every time it got compiled by an already infected build of the compiler.
So… as long as there was an unbroken chain of using the C compiler from that point onward, the UNIX login backdoor was unlikely to be effectively removed.
Brutal.
According to Thompson:
“The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.”
The Moral of the story
As Ken Thompson put it…
“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”
Did this make it out into the wild?
I know what you're thinking. "Is this code still out there? How many systems were impacted by this?"
What we know: This bit of naughty code was released to at least one machine (used by a UNIX support group). This has been confirmed by Ken, himself.
However, it is believed that the code went no further than that machine.
But... do we know for sure?
Do we actually have a high level of confidence that the modified “cc” and “login” went no further than that support group UNIX box?
No. No, we do not.
In fact, according to Eric S. Raymond…
“[I have] heard two separate reports that suggest that the crocked login did make it out of Bell Labs, notably to BBN, and that it enabled at least one late-night login across the network by someone using the login name “kt”.”
BBN. That's Raytheon. A critical DARPA researcher -- one which was instrumental in the early days of ARPANET. A huge amount of software came out of BBN. Heck, even the first Text Adventure game came from there.
If UNIX machines at Raytheon BBN were infected... the possibility of infected versions of those files making it to other sites is incredibly high.
Truly wild
Which leads to a (rather amusing, and mildly terrifying) bit of historical trivia:
Ken Thompson — one of the co-creators of UNIX — intentionally created a trojan horse that infected both the C compiler and the “login” program of UNIX systems.
What’s more… it went undetected for years. We wouldn't even have known about it, if he hadn't told us he created it.
And we truly have no clue how widespread that trojan became.
