[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU Phishing

From: Ian Grant
Subject: GNU Phishing
Date: Mon, 25 Aug 2014 19:20:56 -0400

The following is probably the USAF report on Multics security that Thompson mentions in his "Reflections in Trusting Trust" talk.

This has been known for forty years now. What do you reckon is the probability that it has been tried? What system/compiler would be the most likely target for such an attack?

There is a solution, but we need to work _together_ on it. This one can't be won by any party.


   Paul A. Karger, 2Lt, USAF
   Roger R. Schell, Major, USAF

   June 1974

   Approved for public release;
   distribution unlimited.

Pg 51.

[ ... ]

Two classes of trap doors, which are themselves source or object trap
doors are particularly insiduous and merit discussion here.  These are
the teletype string trigger trap door and the compiler trap door.

[... one paragraph describing the teletype trigger trap door omitted ...]

Pg. 52

It was noted above that while object code trap doors are invisible,
they are vulnerable to recompilations. The compiler (or assembler)
trap door is inserted to permit object code trap doors to survive even
a complete recompilation of the entire system. In Multics, most of the
ring 0 supervisor is written in PL/1. A penetrator could insert a trap
door in the PL/1 compiler to note when it is compiling a ring 0
module. Then the compiler would insert an object code trap door in the
ring 0 module without listing the code in the listing. Since the PL/1
compiler is itself written in PL/1, the trap door can maintain itself,
\underline{even when the compiler is recompiled.} (38) Compiler trap
doors are significantly more complex than the other trap doors
described here, because they require a detailed knowledge of the
compiler design. However, they are quite practical to implement at a
cost of perhaps five times the level shown in section 3.5 [<$4,000,
See Pg. 57]. It should be noted that even costs several hundred times
larger than those shown here would be considered nominal to a foreign

There is also a variant on the compiler trap door called the
initialization trap door. Here, the system initialization code is
modified by the penetrator to insert other trap doors as the system is
brought up. Such trap doors can be relatively invulnerable to [page
break] detection and recompilation, because system initialization is
usually a very complex and poorly understood procedure.


(38) This type of trap door does not require a higher level
language. Entirely analogous trap doors could be placed in an


Downloaded from:

Accessed 25 August 2014.

PDF 558901 bytes, SHA1 c/s: a77bb61b2a65a337506a72ec98fe8d546f830994

reply via email to

[Prev in Thread] Current Thread [Next in Thread]