EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

10.16.13

Linux Backdoors Revisited (New Revelations and Old Revelations)

Posted in GNU/Linux, Kernel, Security at 10:43 am by Dr. Roy Schestowitz

Claude Elwood Shannon, the man who introduced entropy

Claude Elwood Shannon

Summary: An anonymous backdooring attempt against Linux goes a decade back, but a randomisation problem in today’s Linux also seems possible (subverting encryption)

Jonathan Allen wrote this article about an incident mentioned also by Freedom to Tinker. Slashdot’s summary goes like this, documenting news from one decade ago:

“Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn’t like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: ‘if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) …’ A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said ‘= 0′ rather than ‘== 0′ so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it’s a classic backdoor. We don’t know who it was that made the attempt—and we probably never will. But the attempt didn’t work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. ‘Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,’ writes Felton. ‘Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.’”

Backdoors in Linux are a subject for jokes in Torvalds' mind, but given the above we should take this subject very seriously. In any system, for example, having no mechanism for randomness (like in some embedded devices) typically means that strong encryption (with high entropy) is not possible. Given new alleged “insecurities in the Linux /dev/random,” as Bruce Schneier put it, Linux backdoors seem possible again. David Benfell said:

I’m guessing Schneier knows what the fuck he’s talking about. If it is the same vulnerability, then Torvalds’ defense is that the vulnerable source of entropy is only one of many. But if I read Schneier correctly, the result was still too predictable.

“On the other hand,” says Benfell, “here’s Theodore T’so from the comments:”

So I’m the maintainer for Linux’s /dev/random driver. I’ve only had a chance to look at the paper very quickly, and I will at it more closely when I have more time, but what the authors of this paper seem to be worried about is not even close to the top of my list in terms of things I’m worried about.

First of all, the paper is incorrect in some minor details; the most significant error is its (untrue) claim that we stop gathering entropy when the entropy estimate for a given entropy pool is “full”. Before July 2012, we went into a trickle mode where we only took in 1 in 096 values. Since then, the main way that we gather entropy, which is via add_interrupt_randomness(), has no such limit. This means that we will continue to collect entropy even if the input pool is apparently “full”.

This is critical, because *secondly* their hypothetical attacks presume certain input distributions which have an incorrect entropy estimate —| that is, either zero actual entropy but a high entropy estimate, or a high entropy, but a low entropy estimate. There has been no attempt by the paper’s authors to determine whether the entropy gathered by Linux meets either of their hypothetical models, and in fact in the “Linux Pseudorandom Number Generator Revisited”[1], the analysis showed that our entropy estimator was actually pretty good, given the real-life inputs that we are able to obtain from an actual running Linux system.

[1]http://eprint.iacr.org/2012/251.pdf

The main thing which I am much more worried about is that on various embedded systems, which do not have a fine-grained clock, and which is reading from flash which has a much more deterministic timing for their operations, is that when userspace tries to generate long-term public keys immediately after the machine is taken out of the box and plugged in, that there isn’t a sufficient amount of entropy, and since most userspace applications use /dev/urandom since they don’t want to block, that they end up with keys that aren’t very random. We had some really serious problems with this, which was written up in the “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” [2]paper, and the changes made in July 2012 were specifically designed to address these worries.

[2]https://www.factorable.net/paper.html

However, it may be that on certain systems, in particular ARM and MIPS based systems, where a long-term public key is generated very shortly after the first power-on, that there’s enough randomness that the techniques used in [2]would not find any problems, but that might be not enough randomness to prevent our friends in Fort Meade from being able to brute force guess the possible public-private key pairs.

Speaking more generally, I’m a bit dubious about academic analysis which are primarily worried about recovering from the exposure of the state of the random pool. In practice, if the bad guy can grab the state of random pool, they probably have enough privileged access that they can do many more entertaining things, such as grabbing the user’s passphrase or their long-term private key. Trying to preserve the amount of entropy in the pool, and making sure that we can extract as much uncertainty from the system as possible, are much higher priority things to worry about.

That’s not to say that I might not make changes to /dev/random in reaction to academic analysis; I’ve made changes in reaction to [2], and I have changes queued for the next major kernel release up to make some changes to address concerns raised in [1]. However, protection against artificially constructed attacks is not the only thing which I am worried about. Things like making sure we have adequate entropy collection on all platforms, especially embedded ones, and adding some conservatism just in case SHA isn’t a perfect random function are some of the other things which I am trying to balance as we make changes to /dev/random.

T’so, who is the former CTO of the Linux Foundation, at least acknowledges the possibility that there is a real issue here.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Nothing Whatsoever Has Improved at the European Patent Office, It's Just Summer's Recess (and Silence)

    The European Patent Office (EPO) has done absolutely nothing to improve the work atmosphere, it just alters the marketing strategy somewhat



  2. Links 28/8/2016: Q4OS 1.6, ConnochaetOS 14.2

    Links for the day



  3. The United States Has Gotten Over Software Patents

    A roundup of new articles about software patents in the United States, 2 years into the post-Alice era (the US Supreme Court deeming patents on software too abstract to have merit)



  4. More Lies From President Benoît Battistelli and the EPO Crisis Which Continues to Deepen

    The European Patent Office (EPO), collectively speaking, is still wrestling with a Battistelli infiltration (a circle of high-level managers) which habitually lies and viciously attacks those who dare counter these lies



  5. Links 27/8/2016: Torvalds and GPL, “DOD Must Embrace Open-Source Software”

    Links for the day



  6. Links 26/8/2016: Maru OS Resurfaces, Android More Reliable Than 'i' Things, PC-BSD Becomes TrueOS

    Links for the day



  7. Good Job, David Kappos, Says the 'Boss' (IBM)

    Responses to the latest call against Alice (eliminator of many software patents), courtesy of the man from IBM (still paid by IBM) who was responsible for the policy that blindly approved a lot of software patents in the US



  8. Being for Patent Quality or Against Patenting Excess Does Not Make You Anti-Patents

    Like IAM, which tries to portray sceptics and critics of software patents as "anti-patents", IP Watchdog (or Watchtroll as we call it) is 'trolling' the Electronic Frontier Foundation, simply because it expressed an opinion that patent maximalists cannot tolerate



  9. Erosion of Patent Quality Enables Patent Extortion With Large Portfolios of Low Validity Rate

    Revisiting the EPO's vision of poor patent examination and the effect of discriminatory granting practices, favouring patent bullies such as Microsoft (which actively attacks Linux using low-quality and usually pure software patents)



  10. The EPO's Francesco Zaccà Presenting in Turin Alongside Patent Trolls (Like the Patent Mafia Sisvel) and Lobbyists/Front Groups for Software Patents, UPC

    Benjamin Henrion (FFII) on seeing the EPO alongside patent trolls and other nefarious actors, doing what they do best, which is undermining public interests and harming patent quality



  11. The EPO, USPTO, and Patent Microcosm Peddle Myths About Patents in Public Universities and Research

    Tackling some of the commonly-spread myths about patents as "saving lives" and "promoting research" (in practice leading to the death of poor people and promoting trolls)



  12. Large Corporations' Lobbyist David Kappos Disgraces Former Employer USPTO by Meddling in Their Affairs on Software Patents, Downplaying the Supreme Court

    The latest lobbying from David Kappos, who blatantly exploits his connections in patent circles to promote software patents and work towards their resurgence after Alice v CLS Bank



  13. Journal of Intellectual Property Law and Practice Calls the European Patent Office “Rotten”, Other Sources Scrutinise Recent Moves

    The patent office which was once known for being the best bar none is rotting under the Frenchman Benoît Battistelli, who made himself and his friends the main clients of the Office



  14. PTAB Emerges as Hero of USPTO Because Quality of Patents Improves, Software Patents Are Effectively Dead (or Dying Once Reassessed)

    With help from the Patent Trial and Appeal Board (PTAB) -- not just patent courts -- software patents drop like flies by the thousands



  15. Creative Technology, Now Operating in 'Patent Troll' Mode, Shot Down by the ITC; Jawbone Too Shot Down

    Some good news from the U.S. International Trade Commission (ITC), which may have put an end to Creative's new war on Android (using old patents)



  16. Corporate Media in India Misrepresents Startups to Push for Software Patents

    A parade of misinformation as seen in Indian (but English-speaking) press this week as questions about patentability of software resurface



  17. Links 25/8/2016: Linux Turns 25, NetworkManager Turns 1.4

    Links for the day



  18. Links 24/8/2016: More From LinuxCon, Uganda Wants FOSS

    Links for the day



  19. Links 23/8/2016: GNOME 3.22 Beta, Android 7.0 Nougat

    Links for the day



  20. The Linux Foundation Gives Microsoft (Paid-for) Keynote Position While Microsoft Extorts (With Patents) Lenovo and Motorola Over Linux Use

    This morning's reminder that Nadella is just another Ballmer (with a different face); Motorola and Lenovo surrender to Microsoft's patent demands and will soon put Microsoft spyware/malware on their Linux-powered products to avert costly legal battles



  21. Not Just President Battistelli: EPO Vice-Presidents Are Still Intentionally Misrepresenting EPO Staff

    Evidence serving to show that EPO Vice-Presidents are still intentionally misrepresenting EPO staff representatives and misleading everyone in order to defend Battistelli



  22. Battistelli the Liar Causes a Climate of Confrontation in French Politics, Lies About Patent Quality (Among Many Other Things)

    Battistelli's lies are coming under increased scrutiny inside and outside the European Patent Office (EPO), where patent quality has been abandoned in order to artificially elevate figures



  23. The Collapse of Software Patents and Patent Law Firms Trying to “Overcome” Alice

    The United States continues its gradual crackdown on software patents (which are viewed as abstract and thus unpatentable), whereas in Europe things are murkier than ever



  24. Apple's Patent Wars Against Android/Linux Make Patent Trolls Stronger

    Apple's insistence that designs should be patentable could prove to be collectively expensive, as patent trolls would then use a possible SCOTUS nod to launch litigation campaigns



  25. Links 22/8/2016: Linux 4.8 RC3, Linux Mint 18 “Sarah” KDE Beta

    Links for the day



  26. Links 21/8/2016: Apple and Microsoft Down, Systemd Spreading to Mount

    Links for the day



  27. Links 20/8/2016: Android Domination, FSFE summit 2016

    Links for the day



  28. Patents Roundup: Trolls Dominate Litigation, PTAB Crushes Patents, Patent Box Regime Persists, and OIN Explains Itself

    Another roundup of patent news from around the Web with special focus on software patenting



  29. The Cost/Toll of the 'New' EPO and Where All That Money Goes or Comes From

    The European Patent Office has become a servant of the rich and powerful (including large foreign corporations) and even its own employees now pay the price associated with misguided new policies (or 'reforms' as Battistelli habitually refers to these)



  30. Links 19/8/2016: Linux Mint With KDE, Linux Foundation's PNDA

    Links for the day


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts