Holes in the Armor

A trusted path is a fundamental requirement for computer security, yet it is
theoretically impossible to obtain in most versions of Unix: /etc/getty,
which asks for your username, and /bin/login, which asks for your password,
are no different from any other program. They are just programs.
They happen to be programs that ask you for highly confidential and sensitive
information to verify that you are who you claim to be, but you have no
way of verifying them.


Compromised Systems Usually Stay That Way


Unix Security sat on a wall.
Unix Security had a great fall.
All the king’s horses,
And all the king’s men,
Couldn’t get Security back together again

Re-securing a compromised Unix system is very difficult. Intruders usually
leave startup traps, trap doors, and trojan horses in their wake. After a
security incident, it’s often easier to reinstall the operating system from scratch,
rather than pick up the pieces.


For example, a computer at MIT in recent memory was compromised. The
attacker was eventually discovered, and his initial access hole was closed.
But the system administrator (a Unix wizard) didn’t realize that the
attacker had modified the computer’s /usr/ucb/telnet program. For the
next six months, whenever a user on that computer used telnet to connect
to another computer at MIT, or anywhere else on the Internet, the Telnet
program captured, in a local file, the victim’s username and password on
the remote computer. The attack was only discovered because the
computer’s hard disk ran out of space after bloating with usernames and
passwords.


Attackers trivially hide their tracks. Once an attacker breaks into a Unix,
she edits the log files to erase any traces of her incursion. Many system
operators examine the modification dates of files to detect unauthorized
modifications, but an attacker who has gained superuser capabilities can
reprogram the system clock—they can even use the Unix functions
specifically provided for changing file times.
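
The weakness of checking modification dates can be shown from the defender's side. The following Python sketch is an added example, not from the book: it audits files against a baseline of SHA-256 digests and reports, for each file, whether its size and modification time look untouched and whether its contents still match. It assumes the baseline is kept off the machine being checked; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Baseline record for one file; store it off the host being checked."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def audit(baseline):
    """Compare current files to the baseline.

    Returns {path: (metadata_looks_clean, content_matches)}.
    """
    report = {}
    for path, old in baseline.items():
        try:
            new = snapshot(path)
        except OSError:
            report[path] = (False, False)  # missing or unreadable counts as changed
            continue
        meta_ok = (new["size"], new["mtime_ns"]) == (old["size"], old["mtime_ns"])
        report[path] = (meta_ok, new["sha256"] == old["sha256"])
    return report

def demo():
    """Constructed scenario: one untouched file, one altered with times restored."""
    with tempfile.TemporaryDirectory() as d:
        clean, altered = os.path.join(d, "ls"), os.path.join(d, "telnet")
        for p in (clean, altered):
            with open(p, "wb") as f:
                f.write(b"original program bytes\n")
            os.utime(p, (1_000_000_000, 1_000_000_000))  # fixed whole-second times
        baseline = {p: snapshot(p) for p in (clean, altered)}
        # Simulated tampering: same-length content, then the old times put back
        # with the ordinary file-time call the text refers to.
        with open(altered, "wb") as f:
            f.write(b"modified program bytes\n")
        os.utime(altered, ns=(baseline[altered]["mtime_ns"],) * 2)
        result = audit(baseline)
        return result[clean], result[altered]

if __name__ == "__main__":
    print(demo())
```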


The Unix file system is a mass of protections and permission bits. If a
single file, directory, or device has incorrectly set permission bits, it puts the
security of the entire system at risk. This is a double whammy that makes it
relatively easy for an experienced cracker to break into most Unix systems,
