Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lecture 24 Hiding Exploit in Compilers bootstrapping, self-generating code, tombstone diagrams Ras Bodik Mangpo and Ali Hack Your Language! CS164: Introduction.

Published byBrittany Brown Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Lecture 24 Hiding Exploit in Compilers bootstrapping, self-generating code, tombstone diagrams Ras Bodik Mangpo and Ali Hack Your Language! CS164: Introduction."— Presentation transcript:

1 1 Lecture 24 Hiding Exploit in Compilers bootstrapping, self-generating code, tombstone diagrams Ras Bodik Mangpo and Ali Hack Your Language! CS164: Introduction to Programming Languages and Compilers, Spring 2013 UC Berkeley

2 Outline Ken Thompson’s “Reflections on trusting trust” -You can teach a compiler to propagate an exploit -General lessons on bootstrapping a compiler Tombstone diagrams -a visual notation for explaining bootstrapping -a Datalog implementation Reading (optional): -Reflections on Trusting TrustReflections on Trusting Trust -A Formalism for Translator InteractionsA Formalism for Translator Interactions 2

3 Reflections on Trusting Trust a Berkeley graduate, maybe :-) a former cs164 student best known for his work on Unix we also know him for the RE-to-NFA algorithm Ken Thompson, Turing Award, 1983

4 The DNA a self-replicating program 4

5 A self-replicating program P It seems like P prints itself twice? Why? char s[] = { ‘ ’, ‘0’, ‘ ’, ‘}’, ‘;’, ‘\n’, ‘\n’, ‘/’, ‘*’, ‘ ’, ‘T’, …, 0 }; /* The string is a representation of the body of this program * from ‘0’ to the end. */ main() { int i; printf(“char s[] = {\n”); // 0: for (i=0; s[i]; i++) printf(“%d, ”, s[i]); // 1: print s once printf(“%s”, s); // 2: print s again } 5

6 What is printed by each print statement char s[] = { ‘ ’, ‘0’, ‘ ’, ‘}’, ‘;’, ‘\n’, ‘\n’, ‘/’, ‘*’, ‘ ’, ‘T’, …, 0 }; /* The string is a representation of the body of this program * from ‘0’ to the end. */ main() { int i; printf(“char s[] = {\n”); for (i=0; s[i]; i++) printf(“%d, ”, s[i]); printf(“%s”, s); } 6

7 Analysis and lesson 7

8 Intermezzo Tombstone diagrams 8

9 Four tombstone diagrams 9 L M M L1L1 L2L2 M compiler f L a program computing a function f, written in language L an interpreter for language L, written in language M a machine executing language M a compiler written in language M, translating program in language L 1 to programs in language L 2

10 The interpreter rules interpreter(L1, L3) :- interpreter(L1, L4), interpreter(L4, L3). interpreter(L1, L3) :- compiler(L4, L3, L5), interpreter(L1, L4), machine(L5). 10

11 The compiler rules compiler(L1, L2, L3) :- compiler(L1, L2, L4), interpreter(L4, L3). compiler(L1, L2, L3) :- compiler(L4, L3, L5), compiler(L1, L2, L4), machine(L5). 11 C M C C M M cc C M M cc.execc.c M L1L1 L2L2 L4L4 cc L4L4 L3L3

12 How is Java compiled and executed 12

13 Bootstrapping growing a language in a portable fashion 13

14 A portable C compiler A compiler for C can compile itself –because the compiler is written in C It is therefore portable to other platforms. –Just recompile it on the new platform. 14

15 An example of a portable feature How Compiler Translates Escaped Char Literals: … c = next(); if (c != ‘\\’) return c; c = next(); if (c == ‘\\’) return ‘\\’; if (c == ‘n’) return ‘\n’; … Note that this is portable code: –‘\n’ is 0x0a on an ASCII platform but 0x15 on EBDIC –the same compiler code will work correctly on both

16 the bootstrapping problem You want to extend the C language with the ‘\v’ literal –‘\v’ can be n on one machine on m on another –you want to use in the compiler code the portable expression ‘\v’ rather than hardcode n or m –you want the compiler to look like this c = next(); if (c != ‘\\’) return c; c = next(); if (c == ‘\\’) return ‘\\’; if (c == ‘n’) return ‘\n’; if (c == ‘v’) return ‘\v’; 16

17 solving the bootstrapping problem Your compiled (.exe) compiler does not accept \v, so you teach it: –write this code first, compile it, and make it your binary C compiler now your exe compiler accepts \v in input programs –then edit 11 to ‘\v’ in the compiler source code now your compiler source code is portable –how about other platforms? c = next(); if (c != ‘\\’) return c; c = next(); if (c == ‘\\’) return ‘\\’; if (c == ‘n’) return ‘\n’; if (c == ‘v’) return 11; 17

18 discussion By compiling ‘\v’ into 11 just once, we taught the compiler forever that ‘\v’ == 11 (on that platform). The term “taught” is not too much of a stretch –no matter how many times you now recompile the compiler, it will perpetuate the knowledge

19 This bootstrapping with tombstones 19 Naming: C: the C language without \v C v : C with support for \v Step 1: write a compiler for C v in C by extending the existing C compiler Step 2: compile step 1 compiler to now we have an executable compiler for C v Step 3: write a compiler for C v in C v really, just replace 11 with the portable ‘\v’ CvCv M C cc.c c = next(); if (c != ‘\\’) return c; c = next(); if (c == ‘\\’) return ‘\\’; if (c == ‘n’) return ‘\n’; if (c == ‘v’) return 11; CvCv M C C M M cc CvCv M M cc.execc.c M CvCv M CvCv c = next(); if (c != ‘\\’) return c; c = next(); if (c == ‘\\’) return ‘\\’; if (c == ‘n’) return ‘\n’; if (c == ‘v’) return ‘\v’;

20 We can use Datalog deduction to see this process machine(m). # we have a machine m compiler(c,m,m). # cc.exe: we have an m-executable compiler from C to machine m compiler(c,m,c). # cc.c: we also have the source code of this same compiler compiler(cv,m,c). # cc.v: we write the compiler for Cv in C compiler(L1, L2, L3) :- compiler(L1, L2, L4), interpreter(L4, L3). interpreter(L1, L3) :- interpreter(L1, L4), interpreter(L4, L3). compiler(L1, L2, L3) :- machine(L5), compiler(L4, L3, L5), compiler(L1, L2, L4). interpreter(L1, L3) :- machine(L5), compiler(L4, L3, L5), interpreter(L1, L4). You can now ask whether it is possible to obtain compiler from Cv to m that is executable: ?- compiler(cv, m, m). 20

21 The Black Belt creating a perpetual backdoor super-user access 21

22 Stage I: Hack login.c Login: utility that checks passwords and grants credentials. if(hash(pswd)==stored[user]) { grant access } Thompson created a backdoor into Unix: -make login.c grant access to any user (including the superuser) -condition: a magic password (Ken Thompson’s) is entered /* if ‘kt’ open sesame */ if(hash(pswd)==stored[user] || hash(pswd)==8132623192L) { grant access to ‘user’ } 22

23 Stage I: Hack login.c 23 add exploit: edit login.c to insert this code block: if ‘kt’ open sesame C login* C login C M M cc install as the system login utility M login*

24 Stage I limitations Someone will rather soon notice the exploit in login.c. After all, login.c is written in C (it is readable). Also, it’s a security-critical code, so it will be audited. ==> We need to hide the exploit somewhere else. 24

25 Stage II: Hack the C compiler (cc.c) Assume that compile() compiles a line of source code compile(char s[]) { … } login.c passes through this procedure when compiled. He who controls the compiler … 25

26 Stage III This is a routine that compiles one line of source code compile(char s[]) { if (match(s, “ ”)) { compile(“ ”); return; } } 26

27 Stage II: Hack cc.c 27 C C C hack C M C cc C M C C M C C M C clean up: remove exploit from cc.c to hide it from auditors.

28 Stage II: Hack cc.c 28 C M C cc* C M M cc C M M cc* C C M hack C M M cc install as system compiler C login C login* install as system login utility M login*

29 Stage II limitations Eventually the compiler will be recompiled. Using the clean cc.c will produce clean cc.exe. The exploit will be lost. 29

30 Stage III We want the exploit in the compiler to self reproduce. compile(char s[]) { if (match(s, “ ”)) { compile(“suitably edited function”); return; } if (match(s, “ ”)) { compile(“magic text”); return; }... } What is magic text? it reproduces the inserted hack

31 Stage III 31 C C C hack C M C cc C M C C M C C M C clean up: remove exploit

32 Stage III 32 C M C cc** C M C cc C M M cc** C M C cc C M C cc** C M M C C M hack C M M cc install as system compiler

33 Your excercise Figure out what magic text needs to be exactly. How resilient is Thompson’s technique to changes in the compiler source code? Will it work when someone entirely rewrites the cc.c or login.c? What are other ways how the exploit can be lost or discovered? 33

34 Summary 34

35 35 Summary PL knowledge useful beyond language design and implementation Helps programmers understand the behavior of their code Compiler techniques can help to address other problems like security (big research area) Safety and security are hard –Assumptions must be explicit

Download ppt "1 Lecture 24 Hiding Exploit in Compilers bootstrapping, self-generating code, tombstone diagrams Ras Bodik Mangpo and Ali Hack Your Language! CS164: Introduction."

Similar presentations

Spring Semester 2013 Lecture 5

Spring Semester 2013 Lecture 5
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
Reflections on Trusting Trust Ken Thompson. Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. Copyright 1984, Association for Computing.

Reflections on Trusting Trust Ken Thompson. Communication of the ACM, Vol. 27, No. 8, August 1984, pp Copyright 1984, Association for Computing.
1 Pass Compiler 1. 1.Introduction 1.1 Types of compilers 2.Stages of 1 Pass Compiler 2.1 Lexical analysis 2.2. syntactical analyzer 2.3. Code generation.

1 Pass Compiler 1. 1.Introduction 1.1 Types of compilers 2.Stages of 1 Pass Compiler 2.1 Lexical analysis 2.2. syntactical analyzer 2.3. Code generation.
Introduction to Computer Programming in C www.ccsa126.wikispaces.com.

Introduction to Computer Programming in C
Chapter3: Language Translation issues

Chapter3: Language Translation issues
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Chapter 1 Introduction to Object- Oriented Programming and Problem Solving.

Chapter 1 Introduction to Object- Oriented Programming and Problem Solving.
T-diagrams “Mommy, where do compilers come from?” Adapted from:

T-diagrams “Mommy, where do compilers come from?” Adapted from:
Computers: Tools for an Information Age

Computers: Tools for an Information Age
Programming Introduction November 9 Unit 7. What is Programming? Besides being a huge industry? Programming is the process used to write computer programs.

Programming Introduction November 9 Unit 7. What is Programming? Besides being a huge industry? Programming is the process used to write computer programs.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.
Models of Computation as Program Transformations Chris Chang

Models of Computation as Program Transformations Chris Chang
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
Chapter 2: Algorithm Discovery and Design

Chapter 2: Algorithm Discovery and Design
C programming Language and Data Structure For DIT Students.

C programming Language and Data Structure For DIT Students.
Introduction To C++ Programming 1.0 Basic C++ Program Structure 2.0 Program Control 3.0 Array And Structures 4.0 Function 5.0 Pointer 6.0 Secure Programming.

Introduction To C++ Programming 1.0 Basic C++ Program Structure 2.0 Program Control 3.0 Array And Structures 4.0 Function 5.0 Pointer 6.0 Secure Programming.
CHAPTER 1: INTORDUCTION TO C LANGUAGE

CHAPTER 1: INTORDUCTION TO C LANGUAGE
1 Chapter-01 Introduction to Computers and C++ Programming.

1 Chapter-01 Introduction to Computers and C++ Programming.

Similar presentations

Ads by Google