Technique for Removing an Important Class of Trojan Horses from High- Order Languages.

摘要

In his 1984 Turing Award Lecture, Ken Thompson described a sophisticated Trojan horse attack on a compiler that is undetectable by any search of the compiler source code. The object of the compiler Trojan horse is to modify the semantics of the high-order language in a way that breaks the security of a trusted system generated by the compiler. The Trojan horse Thompson described is a form of virus (i.e., it is self-reproducing), but it has other characteristics that differentiate it from viruses that exploit the implementation details of a computer system. First, the self-reproduction is symbiotic -- the Trojan horse depends on the source text of the legitimate compiler for its continued existence. The virus only reproduces itself in the output stream of the compiler, when the compiler is compiling itself (thus destroying the original virus). A second difference is the relative portability of the virus to different systems. The Trojan horse Thompson described is less dependent on the design details of a particular machine because it exploits the portability of high-order languages. A final difference is the location of the virus in the executable file. The compiler Trojan horse is inserted in a place that is hard to search -- in mid-file. While this is possible for any form of virus, it is more difficult for viruses that do not have the compiler's functions at their disposal. In his lecture, Thompson asserted that 'no amount of source-level verification or scrutiny will protect you from using untrusted code.' However, this paper describes a technique that will remove such Trojan horses when used in conjunction with high-order language source code analysis. The remainder of the paper explains why this class of Trojan horse virus is important for trusted systems, describes the defense against it in detail, gives a brief sketch of some countermeasures, and concludes with some applications of the techniques described to building trusted systems.