The way it works is the miner is a worker in the pool handling some of the processing duty to mine a block in the pool. The pool in effect would be like a giant worker directly pointed at the bitcoin network decrypting blocks. Each worker within that pool is identified and gets a share of the solved block. I think that is more or less the simplest explanation I can come up with.
That is the intended overall effect, OK; but I was asking about a technical implementation detail, to see whether a manufacturer can steal hashpower from a pool member.
AFAIK, the mining software periodically gathers a batch of unprocessed transactions into a candidate block, that includes a coinbase transaction directing the eventual reward to the pool's input address. Then the mining software sets one or more machines to work on that candidate block. The work consists in making a series of attempts. In each attempt, the nonce field in the block header is replaced by a different value, and the SHA-squared hash of the header is recomputed. If the hash value is below the network difficulty threshold, the attempt was successful and the block is broadcast to the bitcoin network, which credits the reward to the pool. Otherwise, if the hash is below the pool's difficulty threshold, the block and the hash value are sent to the pool, as proof of effort. Otherwise the attempt has no effect. Correct so far?
Now consider whether this attack by malicious mining software could be viable: in one attempt out of every six (or in one candidate block out of every six) the software replaces the coinbase output address by the thief's address. As before, if an attempt yields a hash below the network threshold, the block is broadcast to the bitcoin network. Otherwise, if the hash is below the pool's threshold and the coinbase address is pointing at the pool, then block+hash are sent to the pool as proof of effort. Otherwise, the attempt has no effect.
If this attack could be set up, then the data seen by the pool would be consistent with the miner having only 5/6 of the hash power that he really has. Of every 6 successfully mined blocks, 5 would be credited to the pool, and 1 to the thief; but the pool will not notice the latter. If the miner is monitoring his performance exclusively through the pool's site, he will not notice the stolen blocks either -- only a loss of 1/6 of the hashpower.
Does this make sense?
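The attempt loop and the two thresholds described in the post above, as an added example that is not part of the thread: it shows why a pool that checks each share against the coinbase it issued only ever counts work done on its own candidate block. The targets, the byte-string "coinbase" values, the single-transaction merkle root and the function names are constructed simplifications, and the pool rebuilding the header itself is an assumption of this sketch.

```python
import hashlib
import struct

# Constructed targets, far easier than real ones so the loop finishes quickly.
NETWORK_TARGET = 1 << 224   # hash below this: a valid block
SHARE_TARGET = 1 << 240     # hash below this: proof of effort for the pool


def dsha(data: bytes) -> bytes:
    """SHA-256 applied twice, as used for block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def header(coinbase: bytes, nonce: int) -> bytes:
    """80-byte header: version, prev hash, merkle root, time, bits, nonce.

    Simplification: the coinbase is the only transaction, so its hash is the
    merkle root. The header therefore commits to the payout in the coinbase.
    """
    return struct.pack("<I32s32sIII", 2, b"\x00" * 32, dsha(coinbase), 0, 0, nonce)


def classify(coinbase: bytes, nonce: int) -> str:
    """Outcome of one attempt: 'block', 'share' or 'nothing'."""
    value = int.from_bytes(dsha(header(coinbase, nonce)), "little")
    if value < NETWORK_TARGET:
        return "block"
    if value < SHARE_TARGET:
        return "share"
    return "nothing"


def find_share(coinbase: bytes) -> int:
    """Try nonces in order until one meets at least the share target."""
    nonce = 0
    while classify(coinbase, nonce) == "nothing":
        nonce += 1
    return nonce


def pool_accepts(pool_coinbase: bytes, nonce: int) -> bool:
    """Pool-side check: rebuild the header from the pool's own coinbase."""
    return classify(pool_coinbase, nonce) != "nothing"


if __name__ == "__main__":
    pool_cb = b"constructed coinbase paying POOL"
    other_cb = b"constructed coinbase paying OTHER"
    print("own work accepted:  ", pool_accepts(pool_cb, find_share(pool_cb)))
    print("other work accepted:", pool_accepts(pool_cb, find_share(other_cb)))
```

Because the pool credits only shares that verify against its own coinbase, work done on any other candidate block appears on the pool's side purely as a lower share rate, so a miner can spot it by comparing the pool-reported hashrate with an independent measurement of the hardware.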