Re: TBTF for 1999-10-05: Offlist

Eugene Leitl (
Thu, 7 Oct 1999 13:50:29 -0700 (PDT)

Dave Long writes:

> Except he was being very smart: the trojan was only in the source for
> one pass; by the second pass it was only in the binaries, where it
> wouldn't have been so obvious. (reread the string escape escapades)

I know the mechanism, it's not recent (and had actually been
successfully tried back when Unix was a toddler).

> I don't know enough about Forth metacompilation to speak with
> reasonable accuracy, but the same trick should be possible:
> Start with a forth. Modify a suitable defining word so that it
> recognizes its word and your target word, and tosses a (dotrojan)
> instead of (docol) into the CFA for those words. Your trojans will
> be visible in source. Metacompile to forth'. Trojans are now in
> source and in binary. Remove the evidence from the source, and
> metacopile again, to forth''. Now, as long as forth'' (or its
> descendants) are used to metacompile, your trojans should propagate,
> through the binaries.

You can do it: but there are a lot of Forths in C (see semantic gap,
the average C coder has no knowledge of Forth). And eForth is small
enough to be disassembled and read in a single afternoon. Once you
have a bona fide binary and read the source of any compiler prior to
installing it (once again, you can do it in C because the compilers
are of trivial complexity) you're safe.

It is much easier to find and exploit buffer overruns to compromise
online gadgetry.