Ken Thompson Really Did Launch His "Trusting Trust" Trojan Attack in Real Life

September 27, 2022

Introduction

Unix pioneer Ken Thompson’s 1983 Turing Award acceptance speech popularized the now well-known concept of a Reflections on Trusting Trust-style backdoor, or in my words, a meta-backdoor. He argued that even a complete code audit cannot always ensure that a program is backdoor-free, since the development tools in the system can themselves be backdoored, and thus, implanting backdoors to the object code of a backdoor-free program.

Whether Ken Thompson actually performed this attack in real life is a common subject of controversy in computer folklore. If one reads the original paper, one only finds a description of this attack as a thought experiment, leading one to conclude that any claim of a real-world attack by Thompson was an urban myth due to exaggeration.

However, in 1995, Usenet poster Jay Ashworth, citing personal communications with Ken Thompson, provided strong evidence of the existence of a real-world experiment of this attack. Unfortunately, the full Usenet message is missing on the web. There are only quoted snippets of this Usenet post circulated around various blogs, reducing its authenticity.

In 2021, I’ve rediscovered the full Usenet message after a search effort in multiple Usenet archives. My success was partial - it was still a repost by someone else, and I was unable to find the original message. However, this repost contains the full Usenet message, including complete headers and message body, with the poster name and its Message-ID, establishing the authenticity of the post beyond reasonable doubts.

Historians with a higher standard of proof may contact the poster in person, and the confirmation would be trivial. The poster of this message was Jay R. Ashworth, apparently well-involved in tech and was the author of RFC 2100.

In conclusion, Ken Thompson’s “Trusting Trust” compiler Trojan attack is not just a thought experiment. In fact, it was actually what he really did in real life. In a 1995 mail, he said he was able to successfully compromise the Unix Support Group at Bell Labs (precursor to Unix System Laboratories).

Usenet post

For history preservation, hereby, I’ve attached the full Usenet message.

From: jra@news.IntNet.net (Jay Ashworth)
Newsgroups: alt.sys.pdp10,alt.folklore.computers,comp.lang.lisp,alt.os.multics
Subject: The Thompson Login Trojan: The REAL Story
Date: 30 Apr 1995 01:11:47 -0400
Message-ID: <3nv66j$bi5@xcalibur.IntNet.net>
Keywords: horse, mouth
Content-Length: 2988
Lines: 84

fhoward@us.oracle.com (Forrest Howard) writes:
>In article <3n0hac$j2s@crcnis3.unl.edu>, jhesse@herbie.unl.edu (jhesse) wrote:
>> Peter da Silva (peter@bonkers.taronga.com) wrote:
>> : In article <WGD.95Apr17215015@martigny.ai.mit.edu>,
>> : Bill Dubuque <wgd@zurich.ai.mit.edu> wrote:
>> : >"The actual bug I planted in the compiler would match code in 
>> : >the UNIX "login" command..."
>> : I always heard he implemented it but didn't distribute it.
>> What did "it" do?

>Actually I think it was distributed.  Ken talked about it at the 2nd? unix
>users group meeting at columbia.  In my faded recollection I believe he
>said there was code in cpp that
>  
>a) inserted code when compiling login.c (or was it init.c or gtty.c?) that 
>     added code to recognize a particular username/password independent of 
>     /etc/passwd.
>b) reinserted the trojen horse when recompiling cpp.c

Proving that the real Mrs. Robinson stood up.

It occured to me last week that ken@research.att.com is _still_ a valid
address, 25 years later... so I asked.  Here, from Ken himself, is the
Real Story<tm>:

) From ken@plan9.att.com Sun Apr 23 14:42 EDT 1995
) Received: from plan9.att.com by  IntNet.net (5.x/SMI-SVR4)
) 	id AA19375; Sun, 23 Apr 1995 14:42:51 -0400
) Message-Id: <9504231842.AA19375@ IntNet.net>
) From: ken@plan9.att.com
) To: jra@IntNet.net
) Date: Sun, 23 Apr 1995 14:39:39 EDT
) Content-Type: text
) Content-Length: 928
) Status: RO
) 
) thanks for the info. i had not seen
) that newsgroup. after you pointed it
) out, i looked up the discussion.
) 
) writing to news just causes more
) misunderstandings in the future. there
) is no way to win.

[ note: I asked him if he minded my posting the reply, he had no objection ]

) fyi: the self reproducing cpp was
) installed on OUR machine and we
) enticed the "unix support group"
) (precursor to usl) to pick it up
) from us by advertising some
) non-backward compatible feature.
) that meant they had to get the
) binary and source since the source
) would not compile on their binaries.
) 
) they installed it and in a month or
) so, the login command got the trojan
) hourse. later someone there noticed
) something funny in the symbol table
) of cpp and were digging into the
) object to find out what it was. at
) some point, they compiled -S and
) assembled the output. that broke
) the self-reproducer since it was
) disabled on -S. some months later
) the login trojan hourse also went
) away.
) 
) the compiler was never released
) outside.
) 
) ken

Everyone: please save this post, so the next time the question comes up,
you can just go look.  :-)

Cheers,
-- jr 'will bug legends for food' a
-- 
Jay R. Ashworth       High Technology Systems Consulting              Ashworth
Designer             Linux: The Choice of a GNU Generation        & Associates
ka1fjx/4    "I minored in babbling in college... and got       +1 813 790 7592
jra@baylink.com     honors in it." --Brian Heath                     NIC: jra3