Alan Hargreaves' Blog

The ramblings of an Australian SaND TSC* Principal Field Technologist

University antics and other associated humour

John Haslam reminded me of some of the things that we got up to in the days that I was at Uni.

The first one we did to a tutor who left himself logged in. This was in a lab that was using vt100 compatible terminals. The end result was that the tutor found that every third time he logged in, ten minutes after he logged in, his character set would change to graphics mode. He only twigged when he found a file in /var/tmp that he owned that had a number in it.

VMS and file versioning offered all kinds of opportunties. One such was to create multiple versions of login.com that would do their job and then remove themselves. One set of these would do the following.

  1. Say something like “You shouldn’t leave yourself logged in. Someone could come and remove all of your files… Like this”, it would then proceed to display output that looked like all files and directories were being removed, then remove itself.
  2. The next login.com would simply define dir as something like dir/exclude=*.*.* and then remove itself. No matter what kind of arguments they did to dir, it would show nothing.
  3. The next one would simply write something like “Deleting account”, remove itself and logout
  4. The final one would simply remove itself then logout, leaving the account as if it had never been touched

By this time the frantic student would be contacting the admins to find out what had happened to their account. Of course, the account looked fine.

I was then reminded of the account of Robin Hood and Friar Tuck which I have reproduced below.

Back in the mid-1970s, several of the system support staff at
Motorola discovered a relatively simple way to crack system
security on the Xerox CP-V timesharing system. Through a simple
programming strategy, it was possible for a user program to trick
the system into running a portion of the program in `master mode’
(supervisor state), in which memory protection does not apply. The
program could then poke a large value into its `privilege level’
byte (normally write-protected) and could then proceed to bypass
all levels of security within the file-management system, patch the
system monitor, and do numerous other interesting things. In
short, the barn door was wide open.

Motorola quite properly reported this problem to Xerox via an
official `level 1 SIDR’ (a bug report with an intended urgency of
`needs to be fixed yesterday’). Because the text of each SIDR was
entered into a database that could be viewed by quite a number of
people, Motorola followed the approved procedure: they simply
reported the problem as `Security SIDR’, and attached all of the
necessary documentation, ways-to-reproduce, etc.

The CP-V people at Xerox sat on their thumbs; they either didn’t
realize the severity of the problem, or didn’t assign the necessary
operating-system-staff resources to develop and distribute an
official patch.

Months passed. The Motorola guys pestered their Xerox
field-support rep, to no avail. Finally they decided to take
direct action, to demonstrate to Xerox management just how easily
the system could be cracked and just how thoroughly the security
safeguards could be subverted.

They dug around in the operating-system listings and devised a
thoroughly devilish set of patches. These patches were then
incorporated into a pair of programs called `Robin Hood’ and `Friar
Tuck’. Robin Hood and Friar Tuck were designed to run as `ghost
jobs’ (daemons, in UNIX terminology); they would use the existing
loophole to subvert system security, install the necessary patches,
and then keep an eye on one another’s statuses in order to keep the
system operator (in effect, the superuser) from aborting them.

One fine day, the system operator on the main CP-V software
development system in El Segundo was surprised by a number of
unusual phenomena. These included the following:

  • Tape drives would rewind and dismount their tapes in the
    middle of a job.
  • Disk drives would seek back and forth so rapidly that they
    would attempt to walk across the floor (see {walking drives}).
  • The card-punch output device would occasionally start up of
    itself and punch a {lace card}. These would usually jam in
    the punch.
  • The console would print snide and insulting messages from
    Robin Hood to Friar Tuck, or vice versa.
  • The Xerox card reader had two output stackers; it could be
    instructed to stack into A, stack into B, or stack into A
    (unless a card was unreadable, in which case the bad card was
    placed into stacker B). One of the patches installed by the
    ghosts added some code to the card-reader driver… after
    reading a card, it would flip over to the opposite stacker.
    As a result, card decks would divide themselves in half when
    they were read, leaving the operator to recollate them
    manually.

Naturally, the operator called in the operating-system developers.
They found the bandit ghost jobs running, and X’ed them… and were
once again surprised. When Robin Hood was X’ed, the following
sequence of events took place:

!X id1
id1: Friar Tuck... I am under attack!  Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin!  I shall rout the Sheriff
of Nottingham's men!
id1: Thank you, my good fellow!

Each ghost-job would detect the fact that the other had been
killed, and would start a new copy of the recently slain program
within a few milliseconds. The only way to kill both ghosts was to
kill them simultaneously (very difficult) or to deliberately crash
the system.

Finally, the system programmers did the latter — only to find
that the bandits appeared once again when the system rebooted! It
turned out that these two programs had patched the boot-time OS
image (the kernel file, in UNIX terms) and had added themselves to
the list of programs that were to be started at boot time.

The Robin Hood and Friar Tuck ghosts were finally eradicated when
the system staff rebooted the system from a clean boot-tape and
reinstalled the monitor. Not long thereafter, Xerox released a
patch for this problem.

It is alleged that Xerox filed a complaint with Motorola’s management
about the merry-prankster actions of the two employees in question.
It is not recorded that any serious disciplinary action was taken
against either of them.

Advertisements

Written by Alan

June 22, 2004 at 7:33 pm

Posted in General

%d bloggers like this: