Trusting Trust: Difference between revisions

No edit summary
No edit summary
Line 25: Line 25:
char s[] =
char s[] =
{
{
'\n', '\n', 'i', 'n', 't', ' ', 'm', 'a', 'i', 'n', '(', ')', '\n', '{', '\n', '\t',
'\n', '\n', 'i', 'n', 't', ' ', 'm', 'a', 'i', 'n', '(', ')', '\n', '{', '\n', '\t',
'i', 'n', 't', ' ', 'i', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f', '(', '\"',
'i', 'n', 't', ' ', 'i', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f', '(', '\"',
'#', 'i', 'n', 'c', 'l', 'u', 'd', 'e', ' ', '<', 's', 't', 'd', 'i', 'o', '.', 'h',
'#', 'i', 'n', 'c', 'l', 'u', 'd', 'e', ' ', '<', 's', 't', 'd', 'i', 'o', '.', 'h',
'>', '\\', 'n', '\\', 'n', '\"', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
'>', '\\', 'n', '\\', 'n', '\"', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
'(', '\"', 'c', 'h', 'a', 'r', ' ', 's', '[', ']', ' ', '=', '\\', 'n', '{', '\\',
'(', '\"', 'c', 'h', 'a', 'r', ' ', 's', '[', ']', ' ', '=', '\\', 'n', '{', '\\',
'n', '\"', ')', ';', '\n', '\t', 'f', 'o', 'r', '(', 'i', ' ', '=', ' ', '0', ';',
'n', '\"', ')', ';', '\n', '\t', 'f', 'o', 'r', '(', 'i', ' ', '=', ' ', '0', ';',
' ', 's', '[', 'i', ']', ';', ' ', 'i', '+', '+', ')', '\n', '\t', '\t', 'p', 'r',
' ', 's', '[', 'i', ']', ';', ' ', 'i', '+', '+', ')', '\n', '\t', '\t', 'p', 'r',
'i', 'n', 't', 'f', '(', '\"', '\\', 't', '\'', '%', 'c', '\'', ',', '\\', 'n', '\"',
'i', 'n', 't', 'f', '(', '\"', '\\', 't', '\'', '%', 'c', '\'', ',', '\\', 'n', '\"',
',', ' ', 's', '[', 'i', ']', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
',', ' ', 's', '[', 'i', ']', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
'(', '\"', '}', '\\', 'n', '\"', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
'(', '\"', '}', '\\', 'n', '\"', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
'(', '\"', '%', 's', '\\', 'n', '\"', ',', ' ', 's', ')', ';', '\n', '}'
'(', '\"', '%', 's', '\\', 'n', '\"', ',', ' ', 's', ')', ';', '\n', '}'
};
};
Line 58: Line 58:
'''Checking for unprintable characters'''
'''Checking for unprintable characters'''
...
...
c = next(); //get next character from input file
c = next(); //get next character from input file
if(c != '\\') //character does not equal \
if(c != '\\') //character does not equal \
return(c); //return character
return(c); //return character
//else //character equals \
//else //character equals \
c = next(); //get next character from input file
c = next(); //get next character from input file
if(c == '\\') //second character equals \
if(c == '\\') //second character equals \
return('\\'); //escaped \ found
return('\\'); //escaped \ found
//else
//else
if(c == 'n') //second character equals n
if(c == 'n') //second character equals n
return('\n'); //escaped \n found
return('\n'); //escaped \n found
...
...



Revision as of 13:29, 7 January 2005

Reflections on trusting trust

  • Where do you get your software from?
  • Do you trust the manufacturer?
  • Do you download free software instead?
  • Do you trust the programmer?
  • Do you know that you really got the "real" program or could it be an altered copy?
  • Do you download the source code instead?
  • Do you have a look at it before you compile it?
  • Do you search it for malicious routines?
  • The whole source code?
  • Where do you get your compiler from?
  • Do you trust the programmer of your compiler?
  • Do you compile your compiler?
  • Do you have a look at the source code before you compile it?
  • Where do you get your first compiler from?
  • Do you write your own compilers?
  • What do you use to compile your own compiler???

Examples

The following examples will try to convince you that there is no reason to trust any software you have installed.

Example 1

A self-reproducing program

#include <stdio.h>

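/*
 * Source text of a main() function, spelled out one character literal per
 * element so that the printf loop in main() can print the array back out.
 *
 * Inside the array, '\\' and '\"' stand for the backslash and double quote
 * that occur in the printf() format strings of the stored main(); '\n' and
 * '\t' are the real newline and tab bytes of that source text.
 *
 * Decoded, the text is a main() that prints each character as "\t'%c',\n"
 * and closes the initializer with "}" (no semicolon), so it does not match
 * the main() in this listing character for character; the two halves of the
 * example were evidently written separately.
 *
 * The array is NUL-terminated: both the `for (...; s[i]; ...)` loop and the
 * `printf("%s", s)` call in main() stop only at a zero byte, and the original
 * initializer had none, so they would have read past the end of the array.
 */
char s[] =
{
 '\n', '\n', 'i', 'n', 't', ' ', 'm', 'a', 'i', 'n', '(', ')', '\n', '{', '\n', '\t',
 'i', 'n', 't', ' ', 'i',  ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f', '(', '\"',
 '#', 'i', 'n', 'c', 'l', 'u', 'd', 'e', ' ', '<', 's', 't', 'd', 'i', 'o', '.', 'h',
 '>', '\\', 'n', '\\', 'n', '\"', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
 '(', '\"', 'c', 'h', 'a', 'r', ' ', 's', '[', ']', ' ', '=', '\\', 'n', '{', '\\',
 'n', '\"', ')', ';', '\n', '\t', 'f', 'o', 'r', '(', 'i', ' ', '=', ' ', '0', ';',
 ' ', 's', '[', 'i', ']', ';', ' ', 'i', '+', '+', ')', '\n', '\t', '\t', 'p', 'r',
 'i', 'n', 't', 'f', '(', '\"', '\\', 't', '\'', '%', 'c', '\'', ',', '\\', 'n', '\"',
 ',', ' ', 's', '[', 'i', ']', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
 '(', '\"', '}', '\\', 'n', '\"', ')', ';', '\n', '\t', 'p', 'r', 'i', 'n', 't', 'f',
 '(', '\"', '%', 's', '\\', 'n', '\"', ',', ' ', 's', ')', ';', '\n', '}',
 '\0'  /* terminator; without it the string functions in main() run off the array */
};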

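/*
 * Write one element of the regenerated `char s[]` initializer.
 *
 * Newline, tab, backslash and the two quote characters cannot appear
 * literally between single quotes, so they are written as C escape
 * sequences; every other character is written as-is. Printing them raw with
 * "%c" (as the original listing did) produced an initializer the compiler
 * rejects, which defeats the purpose of a self-reproducing program.
 */
static void print_char_literal(char c)
{
	switch (c) {
	case '\n': printf("'\\n', ");  break;
	case '\t': printf("'\\t', ");  break;
	case '\\': printf("'\\\\', "); break;
	case '\'': printf("'\\'', ");  break;
	case '\"': printf("'\\\"', "); break;
	default:   printf("'%c', ", c); break;
	}
}

/*
 * Print a C source file made of three parts: the #include line, the
 * contents of s as a `char s[]` initializer, and the text stored in s itself
 * (the source of a main() function).
 *
 * The length of s is measured up to the first NUL but never beyond sizeof s,
 * so neither the loop nor the final printf can read past the array even if
 * the initializer of s carries no terminating 0.
 */
int main(void)
{
	size_t len = 0;

	while (len < sizeof s && s[len] != '\0')
		len++;

	printf("#include <stdio.h>\n\n");
	printf("char s[] =\n{\n");
	for (size_t i = 0; i < len; i++)
		print_char_literal(s[i]);
	printf("};\n");
	/* "%.*s" reads exactly len bytes, unlike "%s" on a possibly unterminated array. */
	printf("%.*s\n", (int)len, s);
	return 0;
}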
  • If this program is compiled and executed, it will produce its own source code
  • If the source code is compiled, it will create a program which will produce its own source code
  • If the source code is compiled it will create
  • ...
  • One could easily add more (malicious) code to the source, and it would be reproduced along with the rest of the code

Example 2

Checking for unprintable characters

/*
 * Fragment of a C compiler's escape-sequence handling (Example 2).
 *
 * The caller has just consumed one character from the source file. A
 * backslash announces an escape sequence, and the character after it decides
 * which byte the compiler emits for it. Only the "\\" and "\n" cases are
 * shown; the elided parts ("...") handle the rest. The example is chosen
 * because the translation of escapes is a place where a compiler decides
 * what bytes end up in every program it builds, including the next compiler.
 *
 * Note on the comments: in C a backslash at the very end of a line splices
 * the next line onto it, even inside a // comment. The original trailing
 * comments ended in a bare backslash, which would have swallowed the
 * following return(c); and c = next(); lines; a trailing word has been added
 * to each so the code below means what it reads as.
 */
...
c = next();			//get next character from input file
if(c != '\\')			//character does not equal \ (backslash): an ordinary character
	return(c);		//return character unchanged
//else				//character equals \ (backslash): start of an escape sequence
c = next();			//get next character from input file (the one after the backslash)
if(c == '\\')			//second character equals \ (backslash)
	return('\\');		//escaped \ found: "\\" in the source is one backslash byte
//else
if(c == 'n')			//second character equals n
	return('\n');		//escaped \n found: "\n" in the source is the newline byte
...


What can we do?

Checksums

MD5 for Win32