\slidecaption{AFL 09, King's College London, 27.~November 2013}
  Automata and Formal Languages (9)
  \LARGE Automata and \\[-2mm] 
  \LARGE Formal Languages (9)\\[3mm] 

  Email: christian.urban at
  Office: S1.27 (1st floor Strand Building)
  Slides: KEATS (also home work is there)



Using a compiler, how can you mount the perfect attack against a system?



What is a perfect attack?

\item you can potentially completely take over a target system
\item your attack is (nearly) undetectable
\item the victim has (almost) no chance to recover



  Hacking Compilers 
  Ken Thompson
Turing Award, 1983
  \footnotesize Ken Thompson\\[-1.8mm]
  \footnotesize Turing Award, 1983\\
  \begin{tabular}{l@ {\hspace{1mm}}p{8cm}}
  & Ken Thompson showed how to hide a Trojan Horse in a 
  compiler \textcolor{red}{without} leaving any traces in the source code.\\[2mm]
  & No amount of source level verification will protect 
  you from such Thompson-hacks.\\[2mm]

  & Therefore in safety-critical systems it is important to rely 
  on only a very small TCB.

  \item[1)] Assume you ship the compiler as binary and also with sources.
  \item[2)] Make the compiler aware when it compiles itself.
  \item[3)] Add the Trojan horse.
  \item[4)] Compile.
  \item[5)] Delete Trojan horse from the sources of the compiler.
  \item[6)] Go on holiday for the rest of your life. ;o)\\[-7mm]\mbox{}


Our Compiler


lexer input: string\medskip\\
lexer output: sequence of tokens\\ 
\mbox{}\hfill(white space and comments filtered out)\medskip\\
parser output: abstract syntax tree\medskip\\ 
code gen output: assembler byte code / \\
\mbox{}\hfill assembler machine code


\texttt{for} \;\textit{Id} \texttt{:=} \textit{AExp}\; \texttt{upto} \;\textit{AExp}\; \texttt{do} \textit{Block}

\texttt{for i := 2 upto 4 do \{}\\
\hspace{5mm}\texttt{write i}\\	


$Stmt$ & $\rightarrow$ &  $\text{skip}$\\
              & $|$ & $Id := AExp$\\
              & $|$ & $\text{if}\; B\!Exp \;\text{then}\; Block \;\text{else}\; Block$\\
              & $|$ & $\text{while}\; B\!Exp \;\text{do}\; Block$\\
               & $|$ & $\alert{\text{write}\; Id}$\\
                & $|$ & $\alert{\text{read}\; Id}$\medskip\\
$Stmts$ & $\rightarrow$ &  $Stmt \;\text{;}\; Stmts$\\
              & $|$ & $Stmt$\medskip\\
$Block$ & $\rightarrow$ &  $\{ Stmts \}$\\
                & $|$ & $Stmt$\medskip\\
$AExp$ & $\rightarrow$ & \ldots\\
$BExp$ & $\rightarrow$ & \ldots\\



$\text{eval}(n, E)$ & $\dn$ & $n$\\
$\text{eval}(x, E)$ & $\dn$ & $E(x)$ \;\;\;\textcolor{black}{lookup \bl{$x$} in \bl{$E$}}\\
$\text{eval}(a_1 + a_2, E)$ & $\dn$ & $\text{eval}(a_1, E) + \text{eval}(a_2, E)$\\
$\text{eval}(a_1 - a_2, E)$ & $\dn$ & $\text{eval}(a_1, E) - \text{eval}(a_2, E)$\\
$\text{eval}(a_1 * a_2, E)$ & $\dn$ & $\text{eval}(a_1, E) * \text{eval}(a_2, E)$\bigskip\\
$\text{eval}(a_1 = a_2, E)$ & $\dn$ & $\text{eval}(a_1, E) = \text{eval}(a_2, E)$\\
$\text{eval}(a_1\,!\!= a_2, E)$ & $\dn$ & $\neg(\text{eval}(a_1, E) = \text{eval}(a_2, E))$\\
$\text{eval}(a_1 < a_2, E)$ & $\dn$ & $\text{eval}(a_1, E) < \text{eval}(a_2, E)$\


Interpreter (2)

$\text{eval}(\text{skip}, E)$ & $\dn$ & $E$\\
$\text{eval}(x:=a, E)$ & $\dn$ & \bl{$E(x \mapsto \text{eval}(a, E))$}\\
\multicolumn{3}{@{}l@{}}{$\text{eval}(\text{if}\;b\;\text{then}\;cs_1\;\text{else}\;cs_2 , E) \dn$}\\
\multicolumn{3}{@{}l@{}}{$\text{eval}(\text{while}\;b\;\text{do}\;cs, E) \dn$}\\
\text{eval}(\text{while}\;b\;\text{do}\;cs, \text{eval}(cs,E))$}\\
\multicolumn{3}{@{}l@{}}{\hspace{2cm}$\text{else}\; E$}\\
$\text{eval}(\text{write}\; x, E)$ & $\dn$ & $\{\;\text{println}(E(x))\; ;\;E\;\}$\\


Compiling Writes

{\Large\bl{write $x$}}

.method public static write(I)V\hspace{1cm}\textcolor{black}{(library function)}\\ 
\;\;    .limit locals 5 \\
\;\;    .limit stack 5 \\
\;\;    iload 0 \\
\;\;    getstatic java/lang/System/out Ljava/io/PrintStream;\\ 
\;\;    swap \\
\;\;    invokevirtual java/io/PrintStream/println(I)V \\
\;\;    return \\
.end method\bigskip\bigskip\\
iload $E(x)$\\
invokestatic write(I)V\\



.class public XXX.XXX\\
.super java/lang/Object\\
.method public <init>()V\\
\;\;     aload\_0\\
\;\;     invokenonvirtual java/lang/Object/<init>()V\\
 \;\;    return\\
.end method\\
.method public static main([Ljava/lang/String;)V\\
\;\;   .limit locals 200\\
\;\;     .limit stack 200\\
   \textcolor{black}{(here comes the compiled code)}\\
\;\;     return\\
.end method\\



