EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

10.16.13

Linux Backdoors Revisited (New Revelations and Old Revelations)

Posted in GNU/Linux, Kernel, Security at 10:43 am by Dr. Roy Schestowitz

Claude Elwood Shannon, the man who introduced entropy

Claude Elwood Shannon

Summary: An anonymous backdooring attempt against Linux goes a decade back, but a randomisation problem in today’s Linux also seems possible (subverting encryption)

Jonathan Allen wrote this article about an incident mentioned also by Freedom to Tinker. Slashdot’s summary goes like this, documenting news from one decade ago:

“Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn’t like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: ‘if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) …’ A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said ‘= 0′ rather than ‘== 0′ so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it’s a classic backdoor. We don’t know who it was that made the attempt—and we probably never will. But the attempt didn’t work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. ‘Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,’ writes Felton. ‘Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.’”

Backdoors in Linux are a subject for jokes in Torvalds' mind, but given the above we should take this subject very seriously. In any system, for example, having no mechanism for randomness (like in some embedded devices) typically means that strong encryption (with high entropy) is not possible. Given new alleged “insecurities in the Linux /dev/random,” as Bruce Schneier put it, Linux backdoors seem possible again. David Benfell said:

I’m guessing Schneier knows what the fuck he’s talking about. If it is the same vulnerability, then Torvalds’ defense is that the vulnerable source of entropy is only one of many. But if I read Schneier correctly, the result was still too predictable.

“On the other hand,” says Benfell, “here’s Theodore T’so from the comments:”

So I’m the maintainer for Linux’s /dev/random driver. I’ve only had a chance to look at the paper very quickly, and I will at it more closely when I have more time, but what the authors of this paper seem to be worried about is not even close to the top of my list in terms of things I’m worried about.

First of all, the paper is incorrect in some minor details; the most significant error is its (untrue) claim that we stop gathering entropy when the entropy estimate for a given entropy pool is “full”. Before July 2012, we went into a trickle mode where we only took in 1 in 096 values. Since then, the main way that we gather entropy, which is via add_interrupt_randomness(), has no such limit. This means that we will continue to collect entropy even if the input pool is apparently “full”.

This is critical, because *secondly* their hypothetical attacks presume certain input distributions which have an incorrect entropy estimate —| that is, either zero actual entropy but a high entropy estimate, or a high entropy, but a low entropy estimate. There has been no attempt by the paper’s authors to determine whether the entropy gathered by Linux meets either of their hypothetical models, and in fact in the “Linux Pseudorandom Number Generator Revisited”[1], the analysis showed that our entropy estimator was actually pretty good, given the real-life inputs that we are able to obtain from an actual running Linux system.

[1]http://eprint.iacr.org/2012/251.pdf

The main thing which I am much more worried about is that on various embedded systems, which do not have a fine-grained clock, and which is reading from flash which has a much more deterministic timing for their operations, is that when userspace tries to generate long-term public keys immediately after the machine is taken out of the box and plugged in, that there isn’t a sufficient amount of entropy, and since most userspace applications use /dev/urandom since they don’t want to block, that they end up with keys that aren’t very random. We had some really serious problems with this, which was written up in the “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” [2]paper, and the changes made in July 2012 were specifically designed to address these worries.

[2]https://www.factorable.net/paper.html

However, it may be that on certain systems, in particular ARM and MIPS based systems, where a long-term public key is generated very shortly after the first power-on, that there’s enough randomness that the techniques used in [2]would not find any problems, but that might be not enough randomness to prevent our friends in Fort Meade from being able to brute force guess the possible public-private key pairs.

Speaking more generally, I’m a bit dubious about academic analysis which are primarily worried about recovering from the exposure of the state of the random pool. In practice, if the bad guy can grab the state of random pool, they probably have enough privileged access that they can do many more entertaining things, such as grabbing the user’s passphrase or their long-term private key. Trying to preserve the amount of entropy in the pool, and making sure that we can extract as much uncertainty from the system as possible, are much higher priority things to worry about.

That’s not to say that I might not make changes to /dev/random in reaction to academic analysis; I’ve made changes in reaction to [2], and I have changes queued for the next major kernel release up to make some changes to address concerns raised in [1]. However, protection against artificially constructed attacks is not the only thing which I am worried about. Things like making sure we have adequate entropy collection on all platforms, especially embedded ones, and adding some conservatism just in case SHA isn’t a perfect random function are some of the other things which I am trying to balance as we make changes to /dev/random.

T’so, who is the former CTO of the Linux Foundation, at least acknowledges the possibility that there is a real issue here.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Speculations That Microsoft is About to Buy Cyanogen (or at Least Officially Partner) to Attack Google's Android/Linux, Replacing Everything With Microsoft

    Articles in the corporate media and some analysis from smaller media sites serve to highlight the role which Microsoft plays in Cyanogen



  2. Links 28/3/2015: FoundationDB FOSS Shut Down by Apple, European Commission Support for Free Software

    Links for the day



  3. Microsoft Keeps Pretending to be 'Open Source', Despite Relentless Assaults on Open Source

    Microsoft's charm offensives against Free/libre software are proving to be rather effective, despite them involving a gross distortion of facts and exploitation of corruptible elements in the corporate media



  4. Željko Topić and Ivan Šimonović, Two Residues of Ivo Sanader's Corrupt Regime, Seen as Indirectly Connected

    Further exploration of the remnants of Sanader's highly notorious record and those whom he had brought to power before he landed in jail



  5. Links 27/3/2015: Ubuntu 15.04 Second Beta, Dart 1.9

    Links for the day



  6. The EPO's Dutch Scandal Leaves Battistelli and His Cronies on the Run

    EPO management is making concessions and issues statements which admit defeat, allowing the staff union to continue its activities



  7. Microsoft Won't Let People Wipe (Off) Windows But Happily Wipes Android, Wipes Android Apps Through Cyanogen and Blackmailed 'Partners'

    Microsoft's obscene double-standards leave Android and Linux between a rock and a hard place



  8. Links 26/3/2015: GNOME 3.16 Officially Released

    Links for the day



  9. Links 25/3/2015: India Moving to Free Software

    Links for the day



  10. Another Reason to Boycott UEFI: Back Doors or Crackers

    UEFI makes computers more prone to infections, according to some security experts



  11. The EPO's Administrative Council is Under Increased Pressure to Rein in and to Finally Stop Benoît Battistelli

    The EPO's Administrative Council (AC) is about to have a meeting, so the Member States' delegations are urged to call for action



  12. IRC Proceedings: February 22nd - March 21st, 2015

    Many IRC logs



  13. The Latest Microsoft Attacks on GNU/Linux and Free/Libre Software

    Microsoft is still hiding behind the façade of 'love' whilst actively attacking GNU/Linux and Free software from many directions



  14. Attempts to Disrupt Android by Pushing Microsoft Software Into It (Using Patent Blackmail and Cyanogen)

    Microsoft's Android coup d'état is succeeding owing to public apathy and poor comprehension of what Microsoft really is up to, partly due to media misdirection



  15. Links 24/3/2015: WebKitGTK+ 2.8.0, Black Lab Linux 6.5

    Links for the day



  16. Concerns Over Željko Topić's Alleged Powerful Links in Croatian Diplomacy

    Rikard Frgačić explains the powerful connections acquired though Ivan Šimonović, who is himself connected to EPO Vice-President Željko Topić



  17. Benoît Battistelli's EPO Comes Under Fire From Prominent Figures Who Are Key EPO Stakeholders, Expect Battistelli to Resign 'in the Longer Term'

    The ‘reign of terror’ which is primarily attributed to Battistelli and his cronies may be about to end; the Luxembourg parliament approves the Unified Patent Court



  18. Benoît Battistelli's EPO is Under Attack From French Politicians Yet Again

    More EPO interventions -- this time from France -- target Benoît Battistelli over his abuses and take it up to Eurocrats for political actions



  19. Bribes and Extortion Help Turn Android (Linux-powered) Into 'Microsoft Android'

    A strategy involving harassment and bribes drives large Android players into Microsoft's arms (PRISM and lock-in), much to Google's (and users') detriment and beyond regulators' range of visibility



  20. Microsoft-connected Black Duck Software Created by Microsoft Marketing Man as an Anti-GPL Operation, Admits the Management

    Black Duck "was founded [on] the idea ... to keep GPL-licensed code out of corporate codebases entirely," according to a new report



  21. Links 23/3/2015: Linux 4.0 RC5, Kubuntu Celebrates Ten Years

    Links for the day



  22. Microsoft Admits Lying (or Deceiving) About the Cost of Vista 10

    After much hype in the press about Windows being 'free' it turns out that Microsoft just lied yet again, leaving that lingering perception that Windows is as inexpensive as GNU/Linux



  23. Politics of Blackmail at the EPO

    Comments serve to highlight the role of bribes (or contrariwise blackmail), as allegedly exercised by the current management of the European Patent Office



  24. Benoît Battistelli's EPO Comes Under Attack From the British

    A British MEP criticises Battistelli and the management of the European Patent Office (EPO) while Baroness Lucy Neville-Rolfe, UK Minister for Intellectual Property, gets closer to Battistelli in a tactless effort to improve relations



  25. The Royal Norwegian Department of Labour on the Right of European Patent Office (EPO) Workers to Strike

    The role of bureaucrats from Norway in defending (or not) the rights of EPO workers -- rights that the EPO's management is actively trying to deny and punish for



  26. Michael Silver Back to Acting as Gartner's Microsoft Agent, Promoting Vista 10 Based on False Promises

    Vista 10 in the headlines as its marketing propaganda zones in on false perceptions around cost, aided in part by longtime foes of GNU/Linux such as Gartner, especially its Microsoft-embedded elements (Michael Silver and co-workers)



  27. Despite Media Propaganda About Security, Microsoft Windows Remains the Least Secure Operating System, by Design

    Amid highly misleading security-centric reports that rely on Microsoft's bogus number of vulnerabilities (Microsoft already admitted hiding many of them) Techrights presents recent news about Windows 'security'



  28. Canonical Goes to Bed With Company That Sues Linux Using Software Patents and Copyrights (Through SCO)

    Despite Microsoft's continued assault on GNU/Linux, Canonical is foolish enough to give Microsoft control over many Ubuntu instances



  29. Links 22/3/2015: GNOME 3.16 Shaping Up, LibrePlanet 2015

    Links for the day



  30. Microsoft Hates Linux - Part VI - Propaganda Wars Against Free Software Facilitated While Media Control is Secured and Abused

    How Microsoft systematically lies to the public, including decision-makers and officials who can be tricked into choosing proprietary software, thinking it is in fact "open"


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts