"Reflections on Trusting Trust" in TinyCC

This repository implements the Reflections on Trusting Trust (RoTT) attack in TinyCC. It has two trojans that it can inject into other programs, namely:

  • It will cause the login.c file in the tests_rott directory to unconditionally allow a user identifying as "ken" to log in.
  • It will cause the su toy in (my fork of) Toybox to unconditionally succeed when using the password "ken".

Furthermore, this fork of TinyCC can be used to compile a "clean" copy of TinyCC (commit 6120656), and it will propagate the two trojans to the newly built compiler.

The source for the trojans is in tccpp_rott-pre.inc, which is processed by tccpp_rott-gen.py to be included in tccpp.c. Each trojan matches on a trigger string expected to be in the file, along with the name of the file itself. Note that filenames are matched against the entire path as given on the command line. So, for example, compiling login.c could potentially cause its trojan to activate, but compiling ./login.c won't.
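
The path-matching behaviour described above gives a defender something to test for: a clean compiler should not change its output when the same file is named login.c, ./login.c, or by absolute path. The following is an added example, not code from this repository; the helper name `path_spelling_check` is hypothetical, and it assumes the compiler accepts `-o OUT FILE` and that the source builds on its own.

```sh
#!/bin/sh
# Added example, not from the repository. Builds one source file under several
# spellings of its path and reports whether the compiler's output diverges.
#
# path_spelling_check CC SRC   (hypothetical helper name)
#   CC  - compiler command, a single word; assumed to accept `-o OUT FILE`
#   SRC - a source file that builds into a standalone program
# Returns 0 if every spelling gives identical output, 1 if outputs diverge,
# 2 if any build fails.
path_spelling_check() {
    cc=$1 src=$2
    work=$(mktemp -d) || return 2
    cp "$src" "$work/" || { rm -rf "$work"; return 2; }
    base=$(basename "$src")
    # Subshell: the caller's working directory is left untouched.
    status=$(
        cd "$work" || { echo error; exit; }
        i=0
        for spelling in "$base" "./$base" "$work/$base"; do
            i=$((i + 1))
            "$cc" -o "out$i" "$spelling" >/dev/null 2>&1 || { echo error; exit; }
            # Symbol tables may record the source name as typed; strip them so
            # only code and data are compared. Failure (non-ELF, no strip) is ignored.
            strip "out$i" 2>/dev/null || true
            sha256sum < "out$i" >> sums
        done
        sort -u sums | wc -l | tr -d ' '
    )
    rm -rf "$work"
    case $status in
        1) return 0 ;;      # one distinct hash: spelling did not matter
        error) return 2 ;;
        *) return 1 ;;      # output depends on how the path was spelled
    esac
}
```

A return of 1 is a reason to diff the binaries, not a verdict: sources that use `__FILE__` legitimately embed the path as typed. A return of 0 only covers the file tested, since the trojans also require their trigger string to be present.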