EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

10.16.13

Linux Backdoors Revisited (New Revelations and Old Revelations)

Posted in GNU/Linux, Kernel, Security at 10:43 am by Dr. Roy Schestowitz

Claude Elwood Shannon, the man who introduced entropy

Claude Elwood Shannon

Summary: An anonymous backdooring attempt against Linux goes a decade back, but a randomisation problem in today’s Linux also seems possible (subverting encryption)

Jonathan Allen wrote this article about an incident mentioned also by Freedom to Tinker. Slashdot’s summary goes like this, documenting news from one decade ago:

“Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn’t like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: ‘if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) …’ A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said ‘= 0′ rather than ‘== 0′ so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it’s a classic backdoor. We don’t know who it was that made the attempt—and we probably never will. But the attempt didn’t work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. ‘Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,’ writes Felton. ‘Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.’”

Backdoors in Linux are a subject for jokes in Torvalds' mind, but given the above we should take this subject very seriously. In any system, for example, having no mechanism for randomness (like in some embedded devices) typically means that strong encryption (with high entropy) is not possible. Given new alleged “insecurities in the Linux /dev/random,” as Bruce Schneier put it, Linux backdoors seem possible again. David Benfell said:

I’m guessing Schneier knows what the fuck he’s talking about. If it is the same vulnerability, then Torvalds’ defense is that the vulnerable source of entropy is only one of many. But if I read Schneier correctly, the result was still too predictable.

“On the other hand,” says Benfell, “here’s Theodore T’so from the comments:”

So I’m the maintainer for Linux’s /dev/random driver. I’ve only had a chance to look at the paper very quickly, and I will at it more closely when I have more time, but what the authors of this paper seem to be worried about is not even close to the top of my list in terms of things I’m worried about.

First of all, the paper is incorrect in some minor details; the most significant error is its (untrue) claim that we stop gathering entropy when the entropy estimate for a given entropy pool is “full”. Before July 2012, we went into a trickle mode where we only took in 1 in 096 values. Since then, the main way that we gather entropy, which is via add_interrupt_randomness(), has no such limit. This means that we will continue to collect entropy even if the input pool is apparently “full”.

This is critical, because *secondly* their hypothetical attacks presume certain input distributions which have an incorrect entropy estimate —| that is, either zero actual entropy but a high entropy estimate, or a high entropy, but a low entropy estimate. There has been no attempt by the paper’s authors to determine whether the entropy gathered by Linux meets either of their hypothetical models, and in fact in the “Linux Pseudorandom Number Generator Revisited”[1], the analysis showed that our entropy estimator was actually pretty good, given the real-life inputs that we are able to obtain from an actual running Linux system.

[1]http://eprint.iacr.org/2012/251.pdf

The main thing which I am much more worried about is that on various embedded systems, which do not have a fine-grained clock, and which is reading from flash which has a much more deterministic timing for their operations, is that when userspace tries to generate long-term public keys immediately after the machine is taken out of the box and plugged in, that there isn’t a sufficient amount of entropy, and since most userspace applications use /dev/urandom since they don’t want to block, that they end up with keys that aren’t very random. We had some really serious problems with this, which was written up in the “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” [2]paper, and the changes made in July 2012 were specifically designed to address these worries.

[2]https://www.factorable.net/paper.html

However, it may be that on certain systems, in particular ARM and MIPS based systems, where a long-term public key is generated very shortly after the first power-on, that there’s enough randomness that the techniques used in [2]would not find any problems, but that might be not enough randomness to prevent our friends in Fort Meade from being able to brute force guess the possible public-private key pairs.

Speaking more generally, I’m a bit dubious about academic analysis which are primarily worried about recovering from the exposure of the state of the random pool. In practice, if the bad guy can grab the state of random pool, they probably have enough privileged access that they can do many more entertaining things, such as grabbing the user’s passphrase or their long-term private key. Trying to preserve the amount of entropy in the pool, and making sure that we can extract as much uncertainty from the system as possible, are much higher priority things to worry about.

That’s not to say that I might not make changes to /dev/random in reaction to academic analysis; I’ve made changes in reaction to [2], and I have changes queued for the next major kernel release up to make some changes to address concerns raised in [1]. However, protection against artificially constructed attacks is not the only thing which I am worried about. Things like making sure we have adequate entropy collection on all platforms, especially embedded ones, and adding some conservatism just in case SHA isn’t a perfect random function are some of the other things which I am trying to balance as we make changes to /dev/random.

T’so, who is the former CTO of the Linux Foundation, at least acknowledges the possibility that there is a real issue here.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. EPO at a Tipping Point: Battistelli Quarrelling With French Politicians, Administrative Council Urged to Act, Staff Unrest Peaking

    The latest messages about Battistelli's regime at the EPO, which faces growing opposition from more directions than ever before



  2. Quality of Patents at the EPO Dependent on the Appeal Boards When Battistelli Assesses Performance Using the Wrong 'Production' Yardstick

    A look at some recent articles regarding patent quality in the US and in Europe, in particular because of growing trouble at today's EPO, which marginalises the appeal boards



  3. Microsoft's Push for Software Patents Another Reminder That There is No 'New' Microsoft

    Microsoft's continued fascination with and participation in the effort to undermine Alice so as to make software patents, which the company uses to blackmail GNU/Linux vendors, widely acceptable and applicable again



  4. Links 5/12/2016: SparkyLinux 4.5 Released, Kondik Exits Cyanogen (Destroyed After Microsoft Deal)

    Links for the day



  5. Software Patents Continue Their Invalidation Process, But Patent Law Firms Try to Deny This in Order to Attract Misinformed (or Poorly-Informed) Clients

    A roundup of news about software patents and demonstration of the sheer bias in the media, which is mostly controlled or steered by the patent microcosm rather than actual inventors



  6. Patent Trolls of Microsoft and Ericsson Are Trying to Tax Everything, Especially Linux Devices

    An update on Intellectual Ventures and Unwired Planet, whose operations pose a growing problem for Free software and Linux-based products (e.g. Android)



  7. Asia's Patent Litigation Chaos Getting Worse, Reaching Countries in the West, and Sites Like IAM Actively Promote This

    The race to the bottom (of patent quality) in China, the growth of patent trolls in the region, and the ruinous litigation strategy which now spills over even to the US -- through the Eastern District of Texas -- and may inevitably come to Europe (especially if the UPC ever becomes a reality)



  8. More French Politicians Are Complaining That Benoît Battistelli is a Disgrace to France and Urge for Action

    The backlash against Battistelli spills well outside the EPO and is now apparent even at the French National Assembly



  9. Links 3/12/2016: Mageia 5.1 Released, Mozilla Revenue at $421.3M

    Links for the day



  10. Canadian Intellectual Property Office (CIPO) Sees Decline in Patent Applications and It May Actually be a Good Thing

    Challenging the false belief that the more patents society has the better off it will be, citing examples and news from north America



  11. Blockchain Domain Infested With Software Patents, MasterCard Among the Culprits

    Worrying signs that an area of Free/Open Source software innovation is getting impacted by the plague of software patents



  12. Dutch Media Covers Latest EPO Scandals, German Media Totally Absent (a Media Blackout of Convenience)

    Our observations regarding the apparent media disinterest in EPO scandals, especially at the very core of the EPO (principal host country)



  13. Relocating the Boards of Appeal to Haar is a Poisonous Priority at Battistelli's EPO

    Revisiting Battistelli's effort to chop off the appeal boards that are necessary for ensuring patent quality at the EPO



  14. Links 2/12/2016: Mint Betas, Chrome 55, KDevelop 5.0.3, PHP 7.1.0

    Links for the day



  15. The Rule of Law and Justice Don't Exist Inside the EPO, Confirms the International Labour Organisation (ILO)

    Further analysis of the latest rulings from the ILO -- decisions that were long expected



  16. A Day in the Life of... Battistelli's Banana Republic

    This is part 5 of a fictional diary from the EPO



  17. Links 1/12/2016: Devuan Beta, R3 Liberates Code

    Links for the day



  18. Two ILO Decisions on EPO Cases Are Released, at Least One Judgment is Considered Good for Staff

    Years later (as justice is too slow, partly because of the EPO, being the principal culprit that clogs up the ILO's tribunal system) there is a couple of new judgments about EPO abuses against staff



  19. Dutch and French Politicians Complain About the European Patent Office, British Media Coverage Regular Now

    Pressure from the political systems, the scientific community and from the media is growing, as it becomes abundantly apparent that the EPO cannot go on like this



  20. Links 30/11/2016: Git 2.11, GOG Surprise Tomorrow

    Links for the day



  21. The UPC Scam Part IV: Bumps Along the Road for UPC, With or Without the UK and Brexit

    A sobering reality check regarding the UPC, no matter what Lucy Neville-Rolfe says under pressure from Battistelli and some selfish law firms that are based in London



  22. The UPC Scam Part III: The “Patent Mafia”

    Bigwigs like Lucy Neville-Rolfe and Benoît Battistelli, together with Team UPC and its tiny minority interests (self enrichment), are conspiring to hijack the laws of Europe, doing so across many national borders with unique and locally-steered patent policy in one fell swoop



  23. The UPC Scam Part II: The Patent Echo Chamber at Work, Prematurely Congratulating Itself in Its 'News' Sites





  24. The UPC Scam Part I: EPO-Bribed Media Outlets Lie to Brits (and to Europeans) About the UPC

    An introductory article in a multi-part series about UPC at times of Brexit and Lucy Neville-Rolfe's bizarre sellout to Battistelli



  25. European Public Service Union Asks EPO Administrative Council “to Re-establish the Rule of Law at the European Patent Office”

    The chinchillas of the Administrative Council are assertively asked to tackle the abusive management of the EPO, which gets condemned not only by CERN but also EPSU, which is working with the Dutch government to end lawlessness at the EPO



  26. Links 29/11/2016: Core Apps Hackfest, MuckRock Goes FOSS

    Links for the day



  27. ILOAT Decisions: Upcoming Publication of Two EPO Cases (Abuse Against Staff)

    Reminder about tomorrow's "exceptional public delivery" from the International Labour Organisation (ILO) and a request for additional information



  28. Mixing Politics and EPO: How Battistelli Defies the Very Basic Rules of the Office

    A reminder of the fact that Battistelli was entrenched in French politics even while he was serving at the EPO



  29. EPO DG1 Principal Director “Out of the Muppet Show”

    The ridicule of EPO management is a symptom of a poisonous work environment which now resembles an assembly line of bad patents, where employees are treated unfairly, severely, and in clear defiance of labour laws



  30. Learning From the Mistakes of the US Patent System (and More Latterly China) When Assessing Patent Maximalism

    The warning signs coming both from the East and from the West, demonstrating the pitfalls of a policy too permissive on patents and thus on litigation


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts