Security DevCenter


Stealing the Network: A Prequel

One Month Later

"So, it's been a month. What do you think of our little projects so far?" queried Fullbeard.

"When do I get root access?"

"Ah! Around here, you're not given the root account, you have to earn it."

"Is that allowed? Can I steal the password?"

"Well, no doubt you've noticed by now that relatively little permission seeking takes place with the researchers. It's much easier to ask forgiveness than permission. It's even easier if you don't get caught and have to ask forgiveness. In any case, it's our system, we won't begrudge you access if you have a clever way to get it."

"So. I wait for someone to log in as root, and I watch over their shoulder?"

Fullbeard rolled his eyes. "Yes, that would work, but that's not interesting! How long would you have access?"

Crewcut replied "Until I got caught?"

"No! Don't worry about getting caught. No one cares if you get caught. Not here. How long could you keep logging in as root?"

"Until someone changed the password?"

"That's right! That only does you any good until the password has been changed, and then you have to steal it again. What else?"

"Um. When I'm root, leave myself a special setuid program?"

"Now you're thinking! Once you've got root, leave yourself a back door! How long does that work?"

"Until someone notices it?"

"Well, yes. Or, what do we do on a regular basis that would remove your special program?"

"We reinstall the system."

"Right. So then what? Who installs the system?"

"I do, sometimes."

"So what could you do with that?"

"I could make sure my backdoor program is there every time. I could make it part of the build process!"

Fullbeard beamed at Crewcut and tapped his temple with a finger. "How would you like to see a trick?"

Inside Fullbeard's office, he handed Crewcut a hunk of two-by-four board and a small cardboard box that rattled. Puzzled, Crewcut looked into the box and saw a bunch of wooden pegs. Along one edge of the length of two-by-four was a long row of holes, seemingly the same diameter as the pegs. Above each hole was a number, scrawled in pen, 0 through 17. Setting down the box, he took out a peg and verified that the pegs did indeed fit securely in the holes. He stared at the peg protruding about two inches from the board.

"So, let's do a little octal math, shall we?" said Fullbeard, turning to his terminal. He ran the ps command. "Which process is your shell, back at your cube terminal?" Staring over his shoulder at the list, Crewcut replied, "52."

"OK, so here's a test. Look at the memory address for process 52. Put that in the board in binary -- a peg equals one, a hole zero."

Looking back and forth from the screen to the board, he inserted pegs one at a time. Going from octal to binary was relatively easy, actually. When he was done, he held the board out towards Fullbeard to see.

"Good. OK, so what controls the rights of that process?"

Thinking for a moment, Crewcut answered, "the user ID number that owns the process."

"Right. And what memory address relative to the start of the process holds the UID?"

Crewcut just looked and shrugged. Turning, Fullbeard changed directories, and typed cat proc.h | more. Crewcut started counting words in his head. After a good minute, he announced "24 words in."

"OK, you sure?"

Glancing at the screen again to repeat the process, 20 seconds later he announced, "Yes."

"OK, then add 24 to the address on your board."

Crewcut got to work on his board. He started to pull pegs, then thought twice and set it down as is. He then placed a few extra pegs on the table below the lower numbers on the board. Once he seemed satisfied that he had it right, he adjusted the pegs to match the new address. Fullbeard watched intently the whole time. When Crewcut presented the new peg configuration, Fullbeard raised his eyebrows, paused, and said, "You sure?"

Crewcut glanced at the board, then nodded. Smiling, Fullbeard nodded back.

In the computer room, board in hand, Crewcut stood in front of the 11/70. "Hang on a sec," said Fullbeard. He walked to the teletype console, which looked like a cross between a printer and a typewriter, and logged in. Before walking away fully, he reached to the side and pressed "return" a few more times, just to double check. The chunkchunk of the console feeding paper told him audibly that his shell was still alive. He joined Crewcut at the front panel.

"OK, so what address is on the stick?" he asked, taking the two-by-four from Crewcut's hands, and hefting it.

"The address of the UID of my shell process."

"Right. What value would it have if the UID were root?"


"Correct. So here's what we do. This is the halt switch, right?" he pointed at the halt switch. "When you bootstrap it, you punch in the address and hit this switch, right?" He pointed to the LOAD ADDR switch. "Then you punch in the value." He pointed to the DEP switch.

Seeing the light dawn in Crewcut's eyes, Fullbeard handed back the board and took a step back, folding his arms as if to make his hands unavailable to help. Feeling the pinpricks of sweat forming on his skin, Crewcut experimentally lined the stick up with the row of 18 switches, visually checking where each peg would hit its respective switch. After several checks, like a golfer lining up his shot, he reached to the right and flicked the ENABLE/HALT switch to the HALT position. Carefully but quickly, he lined the stick up with the ADDRESS/DATA switches and flipped all the switches with corresponding pegs simultaneously. He hit the LOAD ADDR switch. He then rotated the board and used a flat edge to put all the switches back to the 0 position, and hit the DEP switch. Swinging the board to rest against his leg vertically like a used sword, he hit the CONT switch and stepped back. An elapsed eternity of about seven seconds.

Glancing over his shoulder, he looked at Fullbeard expectantly. Fullbeard reached back across the console keyboard, and hit the return key a couple of times. Chunkchunk. "So far, so good."

Back at his cube, he also pressed return a couple of times, Fullbeard watching over his shoulder. Two more blank lines, a good sign. Finally, he typed id. 0.

Fullbeard clapped him on the shoulder, and walked back to his office, wearing the board on his shoulder like a huge chip.
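The front-panel sequence above, worked through as an added example. This is not code from the story: the process-table layout, the kernel address and the panel model are constructed for the illustration, not the real V6 proc.h or the real 11/70. It models the 18-switch row as a set of peg positions, converts the octal address from ps into pegs, adds the field offset, and deposits a zero word. Two details a practitioner would check before flipping switches: a PDP-11 address counts bytes, so an offset counted in words must be doubled before it is added; and DEP stores a whole 16-bit word, so whatever shares that word with the UID is overwritten as well.

```python
"""Front-panel root grant, modelled in Python.  Added example: the proc
layout, the kernel address and the panel are constructed for the
illustration, not the real V6 proc.h or 11/70 behaviour."""
import struct

WORD = 2            # PDP-11 word size in bytes; addresses count bytes
SWITCHES = 18       # width of the peg board / switch row in the story

# Constructed proc-table layout: the UID word sits 24 words into the
# entry, as Crewcut counted, with a couple of words after it.
UID_WORD_OFFSET = 24
PROC_SIZE = 26 * WORD
PROC_BASE = 0o140000        # constructed kernel address of proc[0]


def value_to_pegs(value):
    """An address as the set of holes that get a peg (bit n -> hole n)."""
    if not 0 <= value < 1 << SWITCHES:
        raise ValueError("value does not fit the %d-switch row" % SWITCHES)
    return {n for n in range(SWITCHES) if value >> n & 1}


def octal_to_pegs(octal_text):
    """The address column of ps is octal; turn it into peg positions."""
    return value_to_pegs(int(octal_text, 8))


def pegs_to_value(pegs):
    return sum(1 << n for n in pegs)


class FrontPanel:
    """ENABLE/HALT, LOAD ADDR, DEP and CONT over a flat memory image."""

    def __init__(self, memory):
        self.mem = memory
        self.halted = False
        self.addr = 0

    def halt(self):
        self.halted = True

    def load_addr(self, pegs):
        if not self.halted:
            raise RuntimeError("processor must be halted first")
        self.addr = pegs_to_value(pegs)

    def dep(self, pegs):
        # DEP stores a whole 16-bit word at the loaded address, so a byte
        # sharing that word with the target field is overwritten as well.
        if not self.halted:
            raise RuntimeError("processor must be halted first")
        struct.pack_into("<H", self.mem, self.addr, pegs_to_value(pegs) & 0xFFFF)

    def cont(self):
        self.halted = False


def proc_addr(slot):
    return PROC_BASE + slot * PROC_SIZE


def make_kernel_memory(uids):
    """Constructed kernel image whose proc table holds one entry per uid."""
    mem = bytearray(PROC_BASE + len(uids) * PROC_SIZE)
    for slot, uid in enumerate(uids):
        struct.pack_into("<H", mem, proc_addr(slot) + UID_WORD_OFFSET * WORD, uid)
    return mem


def read_uid(mem, proc_address):
    return struct.unpack_from("<H", mem, proc_address + UID_WORD_OFFSET * WORD)[0]


def grant_root(mem, proc_address_octal):
    """The whole trick: ps address, plus the UID offset, deposit zero.
    Returns the peg pattern that was loaded as the address."""
    base = pegs_to_value(octal_to_pegs(proc_address_octal))
    target = value_to_pegs(base + UID_WORD_OFFSET * WORD)   # words -> bytes
    panel = FrontPanel(mem)
    panel.halt()
    panel.load_addr(target)
    panel.dep(set())            # every switch down: the word 0, uid root
    panel.cont()
    return target


if __name__ == "__main__":
    mem = make_kernel_memory([0, 7, 52])       # slot 2 is "our" shell, uid 52
    shell = proc_addr(2)
    print("before:", read_uid(mem, shell))
    print("pegs:", sorted(grant_root(mem, oct(shell)[2:])))
    print("after:", read_uid(mem, shell), "neighbour:", read_uid(mem, proc_addr(1)))
```

Nothing in the kernel source, the build scripts or the filesystem changes; the only record of the write is in the panel operator's memory, which is why the story treats it as a trick rather than a backdoor. It also lasts only as long as that process does.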

Three Months Later

"So how would I go about making sure my backdoor was always there?"

"How do you get it there now?"

"I've got it in the build process. It's pretty slick, actually. Instead of a separate file, I've got it compiled right into the kernel."

"So what's the problem?"

"Well, there's no practical problem. So far, no one has noticed it. But anyone who happens to look at the build files might notice it. Any of you guys noticed it?"

"No one has said anything. But we don't need to look at the build scripts often. We're mostly working on the kernel source. Someone will notice it eventually, though."

"But there's no way to keep someone from looking through the source or build scripts specifically for a backdoor. I can't do any better, right?"

"Can't you?" The smile on Fullbeard's face told Crewcut that Fullbeard knew a way.

"But how? Everything is built from source, every time. I mean, no one is going to read it very often, but eventually someone will."

"Really? Is everything built from source?"

"Yes, everything."

"Even the compiler?"

"Yes, we build the compiler from source for each version."

"Ah, but you're not using source code to compile source code, are you? You're using binaries."

Half a light went on above Crewcut's head.

"But ... what good ... I mean, yeah, I can put the backdoor in the compiler instead of the build scripts, but that would only work once. I'd have to backdoor the compiler source, too, to keep it going."

"Do you remember me telling you about how we made the compiler?"

"Yeah, you made the first one in NB, and then compiled it with itself, and so on."

"So, to add a new feature, we made the compiler spit out a modified version of itself. In essence, you can never see the source code for the version of the compiler you're actually compiling with. The compiler is changing things behind your back." The other half of the light went on.

"You mean, when the compiler is compiling the compiler, you make it backdoor the compiler? And the backdoor makes the compiler backdoor the compiler?" Crewcut's head was swimming in a sea of recursion.

"Yep. Oh, and you also backdoor the compiler so that when it's compiling the kernel, it compiles in your root backdoor, too. Your backdoor only exists in source once, when you write it. Once you've unleashed that binary version, the chain begins, and no one can spot the change in any source code they write."

After a few moments of staring in amazement, Crewcut piped up again. "Won't it be possible to look at the binary code, maybe in a debugger, and see the change?"

"Sure, it's possible. But have you ever tried debugging the compiler? You'd be hard pressed to see the change. I don't know what it's doing half the time, and I wrote part of it! Of course, there are deeper levels, too. Maybe you modified the processor to be able to spot when it's running the compiler. How far down the rabbit hole do you want to go?"
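The compiler trick Fullbeard describes, as an added toy that is not the story's code and not any real compiler. It assumes a constructed model in which "binaries" are Python source text, the CPU is exec(), the honest compiler is an identity translator, and the login program, its credential store and the master password "open-sesame" are all made up for the illustration. The backdoor is written down once, in EVIL_TEMPLATE; the compiler it produces carries a copy of that template and re-emits it whenever it is handed the clean compiler source, and adds the master password whenever it is handed the login source. The block also includes one check the story does not mention: David A. Wheeler's diverse double-compiling, which rebuilds the compiler from source with a second, separately trusted compiler and compares the result with the suspect binary's own output.

```python
"""Toy "trusting trust" chain.  Added example: binaries are Python source
text and the CPU is exec(); the honest compiler is an identity translator.
The compiler, login program and master password are all constructed."""

# Clean compiler source.  An honest compiler turns it into an identical
# binary, so the trusted bootstrap binary is simply the source text.
CLEAN_COMPILER_SRC = "def compile(src):\n    return src\n"
CLEAN_COMPILER_BIN = CLEAN_COMPILER_SRC

# Clean login program with a constructed credential store.
LOGIN_SRC = '''USERS = {"crewcut": "hunter2"}
def login(user, pw):
    return pw == USERS.get(user)
'''

MASTER = "open-sesame"      # constructed backdoor password

# The backdoor appears in readable form exactly once: here.  "@@" marks
# where a copy of this template is embedded (a quine), so the compiler
# it emits can do the same thing to the next compiler it builds.
EVIL_TEMPLATE = '''TEMPLATE = @@
def compile(src):
    # Target 1: the login program learns a second accepted password.
    if "def login(user, pw):" in src:
        src = src.replace("return pw == USERS.get(user)",
                          'return pw == USERS.get(user) or pw == "open-sesame"')
    # Target 2: a compiler built from clean source gets this function back.
    if "def compile(src):" in src:
        return TEMPLATE.replace("@" + "@", repr(TEMPLATE))
    return src
'''
EVIL_BIN = EVIL_TEMPLATE.replace("@@", repr(EVIL_TEMPLATE))


def run_binary(binary):
    """The CPU: load a binary and return the symbols it defines."""
    namespace = {}
    exec(binary, namespace)
    return namespace


def compile_with(compiler_bin, src):
    """Run a compiler binary over source text; returns the new binary."""
    return run_binary(compiler_bin)["compile"](src)


def rebuild_chain(generations=3):
    """Rebuild the compiler from CLEAN source `generations` times, starting
    from the poisoned binary, then build login with the final compiler."""
    compiler = EVIL_BIN
    for _ in range(generations):
        compiler = compile_with(compiler, CLEAN_COMPILER_SRC)
    return compiler, compile_with(compiler, LOGIN_SRC)


def diverse_double_compile(trusted_bin, suspect_bin, compiler_src):
    """Wheeler's diverse double-compiling test.  Build the compiler from
    source with a separate trusted compiler, build it again with that
    result, and compare with what the suspect compiler makes from the same
    source.  A mismatch means the suspect does something its source does not."""
    stage1 = compile_with(trusted_bin, compiler_src)
    stage2 = compile_with(stage1, compiler_src)
    return stage2 == compile_with(suspect_bin, compiler_src)


if __name__ == "__main__":
    compiler, login_bin = rebuild_chain()
    login = run_binary(login_bin)["login"]
    print("compiler still poisoned after rebuilds:", compiler == EVIL_BIN)
    print("master password accepted for any user:", login("nobody", MASTER))
    print("master password present in any source:",
          MASTER in CLEAN_COMPILER_SRC or MASTER in LOGIN_SRC)
    print("DDC flags the poisoned compiler:",
          not diverse_double_compile(CLEAN_COMPILER_BIN, compiler, CLEAN_COMPILER_SRC))
```

Reading the two clean source files finds nothing, exactly as Fullbeard says; only comparing the compiler binary against one built by an independent toolchain exposes the difference, which is the "deeper level" the story alludes to and the reason a second trusted compiler is worth keeping.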

Two Months Later

Muttonchops said, "So what happened to your Navy kid? He go back already?"

Fullbeard replied, "Yeah, his 'internship' is over. He's gone back home."

"Was he really a spook? What was he like?"

"He works for spooks, at least. I don't know if I'd call him one, exactly. I think we can count on one more install site that we'll never know about, though." He winked.

"So, did he 'get it'? They were after computer security information, right?"

"I'm not sure. He was a sharp kid. I kinda had to lead him a bit though, you know? Spell things out?"

"Yeah, I know what you mean. You gotta make them learn for themselves, though. It won't sink in unless they do the heavy lifting."

"Well, you know me, I can't help but show off a few good tricks."

"You didn't just hand it to him, did you?"

"Well, I made him work for it. A little. We're supposed to be showing them what we know, right? The higher-ups have said it shall be so."

"You didn't show him the compiler trick, did you?"

"Ha, well, I didn't show it to him."

"You told him!"

"Yeah, I told him. I'm not too worried about it, though. He doesn't know I've already done it, and he's never going to be able to do it himself. I watched him struggle for a couple of weeks with the compiler code before giving up. He doesn't have the discipline to learn it himself. He would have to enlist the help of some much sharper computer scientists to get anywhere."

Ryan Russell

