Fun_People Archive
8 Apr
Xerox and the Merry Men


Date: Sat,  8 Apr 95 14:26:33 PDT
From: Peter Langston <psl>
To: Fun_People
Subject: Xerox and the Merry Men

[Here's a typical good-old-days anecdote.  It may be hard for younger
 Fun_People to imagine, but things really were this relaxed once... -psl]

Forwarded-by: bostic@CS.Berkeley.EDU (Keith Bostic)
Forwarded-by: Dave Del Torto <ddt@lsd.com>

Back in the mid-1970s, several of the system support staff at Motorola
discovered a relatively simple way to crack system security on the Xerox
CP-V timesharing system. Through a simple programming strategy, it was
possible for a user program to trick the system into running a portion of
the program in `master mode' (supervisor state), in which memory protection
does not apply. The program could then poke a large value into its
`privilege level' byte (normally write-protected) and could then proceed to
bypass all levels of security within the file-management system, patch the
system monitor, and do numerous other interesting things. In short, the
barn door was wide open.

Motorola quite properly reported this problem to Xerox via an official
`level 1 SIDR' (a bug report with an intended urgency of `needs to be fixed
yesterday'). Because the text of each SIDR was entered into a database that
could be viewed by quite a number of people, Motorola followed the approved
procedure: they simply reported the problem as `Security SIDR', and
attached all of the necessary documentation, ways-to-reproduce, etc.

The CP-V people at Xerox sat on their thumbs; they either didn't realize
the severity of the problem, or didn't assign the necessary
operating-system-staff resources to develop and distribute an official
patch.

Months passed. The Motorola guys pestered their Xerox field-support rep, to
no avail. Finally they decided to take direct action, to demonstrate to
Xerox management just how easily the system could be cracked and just how
thoroughly the security safeguards could be subverted.

They dug around in the operating-system listings and devised a thoroughly
devilish set of patches. These patches were then incorporated into a pair
of programs called `Robin Hood' and `Friar Tuck'. Robin Hood and Friar Tuck
were designed to run as `ghost jobs' (daemons, in UNIX terminology); they
would use the existing loophole to subvert system security, install the
necessary patches, and then keep an eye on one another's statuses in order
to keep the system operator (in effect, the superuser) from aborting them.

One fine day, the system operator on the main CP-V software development
system in El Segundo was surprised by a number of unusual phenomena. These
included the following:

   * Tape drives would rewind and dismount their tapes in the
     middle of a job.
   * Disk drives would seek back and forth so rapidly that they
     would attempt to walk across the floor (see {walking drives}).
   * The card-punch output device would occasionally start up of
     itself and punch a {lace card}.  These would usually jam in
     the punch.
   * The console would print snide and insulting messages from
     Robin Hood to Friar Tuck, or vice versa.
   * The Xerox card reader had two output stackers; it could be
     instructed to stack into A, stack into B, or stack into A
     (unless a card was unreadable, in which case the bad card was
     placed into stacker B).  One of the patches installed by the
     ghosts added some code to the card-reader driver... after
     reading a card, it would flip over to the opposite stacker.
     As a result, card decks would divide themselves in half when
     they were read, leaving the operator to recollate them
     manually.

Naturally, the operator called in the operating-system developers. They
found the bandit ghost jobs running, and X'ed them... and were once again
surprised. When Robin Hood was X'ed, the following sequence of events took
place:

     !X id1

     id1: Friar Tuck... I am under attack!  Pray save me!
     id1: Off (aborted)

     id2: Fear not, friend Robin!  I shall rout the Sheriff
          of Nottingham's men!

     id1: Thank you, my good fellow!

Each ghost-job would detect the fact that the other had been killed, and
would start a new copy of the recently slain program within a few
milliseconds. The only way to kill both ghosts was to kill them
simultaneously (very difficult) or to deliberately crash the system.

Finally, the system programmers did the latter -- only to find that the
bandits appeared once again when the system rebooted! It turned out that
these two programs had patched the boot-time OS image (the kernel file, in
UNIX terms) and had added themselves to the list of programs that were to
be started at boot time.

The Robin Hood and Friar Tuck ghosts were finally eradicated when the
system staff rebooted the system from a clean boot-tape and reinstalled the
monitor. Not long thereafter, Xerox released a patch for this problem.

It is alleged that Xerox filed a complaint with Motorola's management about
the merry-prankster actions of the two employees in question. It is not
recorded that any serious disciplinary action was taken against either of
them.



[=] © 1995 Peter Langston []