turing award reflections on trusting trust (自动保存的)

Reflections on Trusting Trust对深信不移的信任的反思Ken Thompson肯 .汤普森To what extent should one trust statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.一个人在何等程度上可以信任一个程序没有木马的声明呢？也许更为重要的是信任那个写程序的人。Introduction简介I thank the ACM for this award. I cant help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX swept into popularity with an industry-wide change from central main frames to autonomous minis. I suspect that Daniel Bobrow (1) would be here instead of me if he could not afford a PDP-10 and had had to “settle“ for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people. 我很感谢美国计算机协会颁给我这样一个奖项，我难以自禁，总认为我得奖的比重中，技术原因和时间上的安排与偶然一样多。UNIX 已从一个主要中枢框架改变为流行于全部行业的自动微型机。我怀疑，若是 Daniel Bobrow 不是因为买不起一台 PDP-10 而不得不去为一台 PDP-11 移居别处的话，他便会取代我了。不管怎样，UNIX 的现状是由于很大一部分人的努力工作的结果。There is an old adage, “Dance with the one that brought you,“ which means that I should talk about UNIX. I have not worked on mainstream UNIX in many years, yet I continue to get undeserved credit for the work of others. Therefore, I am not going to talk about UNIX, but I want to thank everyone who has contributed. 在这有一句格言，和带你进来的人跳舞，意思是我此刻应该谈论和 UNIX 有关的事。但我已不再主流 UNIX 上工作好多年了，并且我还持续从他人身上得到不该得到的荣誉。因而，我不会准备谈论 UNIX，但我想谢谢所有为 UNIX 做过贡献的人That brings me to Dennis Ritchie. Our collaboration has been a thing of beauty. In the ten years that we have worked together, I can recall only one case of miscoordination of work. On that occasion, I discovered that we both had written the same 20-line assembly language program. I compared the sources and was astounded to find that they matched character-for-character. The result of our work together has been far greater than the work that we each contributed. 这让我想起丹尼斯里奇。我们的合作一直是件很美妙的事情。在过去的我们一起合作的十年中,我可以很清楚地回忆起一件关于 miscoordination 的工作。那次，我发现我们都写了同样的 20 行汇编程序语言。我比较了他们，吃惊地发现,他们甚至字符对字符匹配。 我们一起工作的结果已经远超过我们单独做出的贡献。I am a programmer. On my 1040 form, that is what I put down as my occupation. As a programmer, I write programs. I would like to present to you the cutest program I ever wrote. I will do this in three stages and try to bring it together at the end. 我是一个程序员。在我的 1040 形式 form 中,那就是作为我的职业所记下的。作为一个程序员来说,我写程序。我想展现给你我写过的最可爱的程序。我想用三个阶段完成它并试图一起结束它们。Stage I第一阶段In college, before video games, we would amuse ourselves by posing programming exercises. One of the favorites was to write the shortest self-reproducing program. Since this is an exercise divorced from reality, the usual vehicle was FORTRAN. Actually, FORTRAN was the language of choice for the same reason that three-legged races are popular. 在大学中，在电视游戏出现之前，我们会进行程序练习来找乐子，其中之一就是写出最短的自我复制程序。因其为一项脱离实际的练习，所以我们经常选择的工具是 FORTRAN。实际上，三条腿竞赛也流行用 FORTRAN 编写也是基于同样原因。More precisely stated, the problem is to write a source program that, when compiled and executed, will produce as output an exact copy of its source. If you have never done this, I urge you to try it on your own. The discovery of how to do it is a revelation that far surpasses any benefit obtained by being told how to do it. The part about “shortest“ was just an incentive to demonstrate skill and determine a winner. 更确切地说,问题是要写一份当编译与执行后会产生输出一个对其源头精确拷贝的源程序。如果你从来没这样做过,我劝你自己亲自试一下。自己探索如何去做这件事可以获得远超别人告诉你如何去做的收益。关于“最短”的那部分只是展示技巧和确定胜利者的一种动机。FIGURE 1 图 1Figure I shows a self-reproducing program in the C programming language. (The purist will note that the program is not precisely a self-reproducing program, but will produce a self-reproducing program.) This entry is much too large to win a prize, but it demonstrates the technique and has two important properties that I need to complete my story: (1) this program can be easily written by another program. (2) This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm. In the example, even the comment is reproduced. 图 1 我用 C 语言展示了一个自我复制的程序。 (可能苛刻的朋友会注意到这个程序不是一个精确的自我复制程序,但是它依然会将会产生自我复制。) 这个条目实在太大因此难能得奖,但是它展示了这项技术，并且包含我需要用来完成我的故事的两个重要的性能:(1)此程序可很容易的被另一个程序重新编辑。(2)这个程序可以包含随主程序一起复制的任意数量的超重的包。在例子中,甚至连注释也被复制。Stage II第二阶段The C compiler is written in C. What I am about to describe is one of many “chicken and egg“ problems that arise when compilers are written in their own language. In this ease, I will use a specific example from the C compiler. C 的编译器是用 C 语言写的，我即将描述的是随着编译器被自身语言所写而产生的许多因果难定的问题之一。在这轻松的时刻，我会使用 C 编译器的一个特殊例子。C allows a string construct to specify an initialized character array. The individual characters in the string can be escaped to represent unprintable characters. For example, “Hello worldn“ represents a string with the character “n,“ representing the new line character. C 允许一个字符串结构列举一个初始化的字符串组，字符串的单个字符可以escaped 来表示一个未输出地字符。例如，“Hello worldn“ 表示一个带有“n”字符的字符串，用来表示新一行的字符。FIGURE 2 图 2Figure 2 is an idealization of the code in the C compiler that interprets the character escape sequence. This is an amazing piece of code. It “knows“ in a completely portable way what character code is compiled for a new line in any character set. The act of knowing then allows it to recompile itself, thus perpetuating the knowledge.图 2 是 C 编译器中的编译字符转义序列的理想代码，这是一份令人惊讶的代码。它以一种完全的轻便的方式知道在任何字符集中，什么代码应该被编译为下一行 。这种明晰的行为使使他可以重编自身，因此可以永远保持其特点。FIGURE 3图三 Suppose we wish to alter the C compiler to include the sequence “v“ to represent the vertical tab character. The extension to Figure 2 is obvious and is presented in Figure 3. We then recompile the C compiler, but we get a diagnostic. Obviously, since the binary version of the compiler does not know about “v,“ the source is not legal C. We must “train“ the compiler. After it “knows“ what “v“ means, then our new change will become legal C. We look up on an ASCII chart that a vertical tab is decimal 11. We alter our source to look like Figure 4. Now the old compiler accepts the new source. We install the resulting binary as the new official C compiler and now we can write the portable version the way we had it in Figure 3. 假设我们想改变C编译器使之包含序列“ v”代表垂直制表符。图2的推广很明显，并且在图3中表现出来。 然后我们重编译C编译器,但是我们得到一个诊断。很明显,因为二进制版本的编译器都不识别“ v”，所以该代码是不合法的C,我们必须先“训练”编译器。在它“知道” “ v”代表什么意思后,然后我们的改变将成为合法的C。查寻一下ASCII码,我们知道垂直制表符是十进制数11。我们改变我们的代码使之看起来像图4 现在老编译器接受新代码。我们安装了产生二进制的正式的C编译器,现在我们可以想在图三那样写出更简单的版本了。FIGURE 4图 4 This is a deep concept. It is as close to a “learning“ program as I have seen. You simply tell it once, then you can use this self-referencing definition. 这是一个很深的概念。它已近似于我看到的“学习”程序了。你只是简单的告诉他一次，然后你就可以使用这种自我参考的定义。Stage III第三阶段FIGURE 5图 5 Again, in the C compiler, Figure 5 represents the high-level control of the C compiler where the routine “compile“ is called to compile the next line of source. Figure 6 shows a simple modification to the compiler that will deliberately miscompile source whenever a particular pattern is matched. If this were not deliberate, it would be called a compiler “bug.“ Since it is deliberate, it should be called a “Trojan horse.“ 再一次，在 C 编译器中，图 5 代表一个对于 C 编译器的高级控制，即在程序中编译器调用编译器来完成下一行代码。图 6 展示一个简单的对编译器的简单修正，它会故意编错代码，无论配以何种特定模式。如果它不是故意的，这会被叫做编译错误，但既然它是故意的，它应被叫做木马。FIGURE 6 图 6The actual bug I planted in the compiler would match code in the UNIX “login“ command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user. 我所打出的实际错误会适用于与 UNIX 中的“登陆”命令代码。替换的代码会误编登录命令以至于它会接受故意加密的编码或是已知的特定密码。因此如果这份代码被改为二进制并被使用于编译登录命令，我就可以向其他用户一样登陆那个系统。Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions. 如此明显的代码不会掩藏很久，即使最随意熟练的 C 编译器也会有所怀疑。FIGURE 7图 7 The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere. 图 7 展示最后一步。它给已知的程序简单的加了另一个木马第二个部分目标在于 C 编译器，其替代编码是阶段一的自我复制程序植入木马后再在编译器运行。这像阶段二一样需要一种学习机制。首先我们用标准 C 编译器编译改进代码来产生错误的二进制。我们使用这个二进制作为正式 C。现在我们可以从编译器代码中移除错误了，并且新二进制会重新植入错误无论何时它被编译。当然，登陆命令还会毫无踪迹的在代码中保留错误。Moral道德The moral is obvious. You cant trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect. 道德是显而易见的。你不能信任不是有你完全编写的代码。（尤其是像我一样的公司雇员的代码。）目前没有代码等级审查验证来保护你免于使用未信任的代码。为证明这种可能的攻击方式，我打开了 C 编译器。我可以选中任何程序处理程序诸如编译器，运行器，甚至是硬件代码。随着程序水平的降低，这类错误会越来越难以发现。一个安装良好的微代码错误会很难被发觉。After trying to convince you that I cannot be trusted, I wish to moralize. I would like to criticize the press in its handling of the “hackers,“ the 414 gang, the Dalton gang, etc. The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution. The companies that are vulnerable to this activity (and most large companies are very vulnerable) are pressing hard to update the criminal code. Unauthorized access to computer systems is already a serious crime in a few states and is currently being addressed in many more state legislatures as well as Congress. 在试图让你确信我不应被信任后，我希望从中引出道德教训。我想批评一下新闻界对黑客的对待，如 414 帮，Dalton 帮和其他一些人。这些孩子的行为往好里说是破坏公物，往坏里说是可能非法入侵与盗窃。只不过因为刑法典的不适当才是他们免于遭到严重后果的起诉。遭到此活动的攻击各家公司（并且大的公司极易受攻击）正施加压力来促使刑法升级。对电脑系统的越权存取已成为一个严重的犯罪在某些州，并且被越来越多的州议会于立法机关所采用。There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison. 有一个爆炸性的情况再所难免。一方面,通过新闻、电视和电影称呼他们青年俊杰，视他们为英雄，另一方面，这些孩子的所作所为会使他们很快就会被判罪,多年监禁。I have watched kids testifying before Congress. It is clear that they are completely unaware of t