Joy of reproduction

[research!dmr]

Some years ago Ken Thompson broke the C preprocessor in the following
ways:
1) When compiling login.c, it inserted code that allowed you to
log in as anyone by supplying either the regular password or a special,
fixed password.

2) When compiling cpp.c, it inserted code that performed the special
test to recognize the appropriate part of login.c and insert the
password code. It also inserted code to recognize the appropriate
part of cpp.c and insert the code described in way 2).

Once the object cpp was installed, its bugs were thus self-reproducing,
while all the source code remained clean-looking. (Things were even set
up so the funny stuff would not be inserted if cc's -P option was used.)

We actually installed this on one of the other systems at the Labs.
It lasted for several months, until someone copied the cpp binary
from another system.

Notes:
1) The idea was not original; we saw it in a report on Multics
vulnerabilities. I don't know of anyone else who actually went to
the considerable labor of producing a working example.

2) I promise that no such thing has ever been included in any distributed
version of Unix. However, this took place about the time that NSA
was first acquiring the system, and there was considerable temptation.

Dennis Ritchie