Skip to content

On That Delphi 7 Virus and Ken Thompson’s Turing Award Speech

In 1984, Ken Thompson, the operating system and programming language pioneer, received the ACM’s Turing Award. In his short, highly-readable Turing Award speech, he describes "the cutest program I ever wrote." He notes that because the C compiler is written in C, it is possible to alter the source code maliciously to produce a malicious compiler executable. The malicious code can then be removed from the C source, and the original code recompiled. The malicious code remains in the "new" executable, however, because it was prouced by the trojaned compiler.

If you can persuade someone to use your modified compiler, or if you can modify the compiler on their machine, then you can infect the executables they produce, even if they recompile the compiler itself from source code! If that seems unlikely or difficult, read the whole paper. It’s easier than you think. Thompson concludes:

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untested code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

Now it seems that somebody has actually gone and done this with old versions of Delphi. Frankly, I’m surprised it took so long. Perhaps this is just the first time we’ve noticed. But the problem described by Thompson is so insidious that in the quarter century since he gave his address (which really just gave additional prominence to an issue discovered decades before that) it’s almost remarkable that this technique is not more widespread. It’s also interesting that this specific case is relatively innocuous; the virus does nothing more than reproduce itself, and only affects a very old compiler. Is this a test shot? Someone whose curiosity got the better of them?

I don’t know. But the historical perspective is clear: This is not about Delphi, and it’s not about the malware of the week. It’s an old question of trust becoming new again.

Here is one proposal for countering these attacks. Interestingly, the technique can sometimes find unintended compiler bugs, as well. They can be hard to distinguish sometimes!

{ 2 } Comments

  1. Moritz Beutel | August 20, 2009 at 11:45 am | Permalink

    Thanks for the reference to Ken Thompson’s speech; I didn’t know it yet.

    Regarding your 2nd link, DDC isn’t really possible with Delphi since DCC’s binary output usually looks different every time. My guess is that the following patent might be the cause:
    http://www.freshpatents.com/Development-system-with-methodology-providing-information-hiding-in-executable-programs-dt20060622ptan20060136875.php

  2. GSA | August 25, 2009 at 8:14 am | Permalink

    GSA has developed a freeware tool that could remove the Win32/Induc.A virus completely from executables and let you start them again without your anti virus complaining about it.

{ 1 } Trackback

  1. [...] on this. For example, Marco Cantu summed up some links on the theme. Also Craig Stuntz has a nice post about [...]

Post a Comment

Your email is never published nor shared. Required fields are marked *

Bad Behavior has blocked 713 access attempts in the last 7 days.

Close