Changing Religeon

Steve Jenkin sjenkin at pcug.org.au
Wed Mar 6 12:47:03 EST 2002


The 'self replicating trojan' is no myth.
Ken Thompson added code to a C compiler that recognised 'login' and
added assembler code so he could always log in [as root?]
He then added code that did the same for the compiler & hid the 'login'
hack.
And then removed the hacks from the compiler source - so the insertions
replicate in the executable 'cc', but can't be found by code inspection.
[Nor could you devise a test for the backdoor in the login program]

http://www.acm.org/classics/sep95/

His paper (1983) is called 'Reflections on Trusting Trust'.
His conclusion: If you didn't create the whole thing, you can't really
trust it.

cheers
sj

Sam Couter <scouter at bigpond.net.au> wrote:

> Date: Mon, 4 Mar 2002 21:38:28 +1100
> From: 
> To: linux <linux at lists.samba.org>
> Subject: Re: Changing Religeon
> 
<<snip>>
> 
> It doesn't really matter though, I'm not really a fan of Pascal, so I'm
> not likely to use the compiler. I only asked out of interest, and
> because I recommend caution when downloading binaries. The old urban
> myth about Dennis Ritchie's (??) self-replicating trojan in the compiler
> comes to mind. Check the Jargon File for "back door":
> 
> http://www.tuxedo.org/~esr/jargon/html/entry/back-door.html
> 
> Be careful... One entry leads to another, and before you know it you've
> wasted a whole afternoon reading parts of the Jargon file and wetting
> yourself laughing.
> -- 
> Sam "Eddie" Couter  |  mailto:scouter at bigpond.net.au
> Debian Developer    |  mailto:eddie at debian.org
>                     |  jabber:sam at jabber.topic.com.au
> OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C

-- 
--------
Steve Jenkin, Unix Sys Admin
PO Box 48, Kippax, ACT 2615
0412 786 915



