Date: Fri May 07 2004 - 12:05:11 CDT

On Fri, 7 May 2004, David Mertz wrote:

> What Ken Thompson presented in his ACM Turing Lecture was a theoretical
> attack in which a compiler contained a trojan, thus affecting the
> programs it compiled. Thompson -did- create a proof-of-concept
> internally. But this trojan was never released "into the wild."

Back in the days of Unix release (not version) 6 - this was the mid-1970s
- there was an oft-repeated rumor that Ken Thompson could log into any Unix
system via a backdoor. (Not that any of us would have refused the
opportunity to have either "ken" or "dmr" actually log into our systems -
in fact every Unix system of that era had "ken" and "dmr" directories.)

Before and after the Turing lecture many folks (myself included) actually
asked him whether he had inserted a trojan - and he would never give a
straight up/down answer. I think he kinda liked the aura of mystery.

[I designed and wrote the first formally certified secure Unix kernel back
in the late 1970s and we simply defined attacks based on compiler and
hardware buggering as out of our scope.]

Open source would not have protected against the Thompson kind of attack -
it wasn't until there were compilers with a distinct genetic heritage
(such as the VAX/VMS C compiler that we used at Interactive Systems in
1980) that it was possible to say with confidence that such an attack had
been countered.


