EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

10.16.13

Linux Backdoors Revisited (New Revelations and Old Revelations)

Posted in GNU/Linux, Kernel, Security at 10:43 am by Dr. Roy Schestowitz

Claude Elwood Shannon, the man who introduced entropy

Claude Elwood Shannon

Summary: An anonymous backdooring attempt against Linux goes a decade back, but a randomisation problem in today’s Linux also seems possible (subverting encryption)

Jonathan Allen wrote this article about an incident mentioned also by Freedom to Tinker. Slashdot’s summary goes like this, documenting news from one decade ago:

“Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn’t like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: ‘if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) …’ A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said ‘= 0′ rather than ‘== 0′ so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it’s a classic backdoor. We don’t know who it was that made the attempt—and we probably never will. But the attempt didn’t work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. ‘Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,’ writes Felton. ‘Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.’”

Backdoors in Linux are a subject for jokes in Torvalds' mind, but given the above we should take this subject very seriously. In any system, for example, having no mechanism for randomness (like in some embedded devices) typically means that strong encryption (with high entropy) is not possible. Given new alleged “insecurities in the Linux /dev/random,” as Bruce Schneier put it, Linux backdoors seem possible again. David Benfell said:

I’m guessing Schneier knows what the fuck he’s talking about. If it is the same vulnerability, then Torvalds’ defense is that the vulnerable source of entropy is only one of many. But if I read Schneier correctly, the result was still too predictable.

“On the other hand,” says Benfell, “here’s Theodore T’so from the comments:”

So I’m the maintainer for Linux’s /dev/random driver. I’ve only had a chance to look at the paper very quickly, and I will at it more closely when I have more time, but what the authors of this paper seem to be worried about is not even close to the top of my list in terms of things I’m worried about.

First of all, the paper is incorrect in some minor details; the most significant error is its (untrue) claim that we stop gathering entropy when the entropy estimate for a given entropy pool is “full”. Before July 2012, we went into a trickle mode where we only took in 1 in 096 values. Since then, the main way that we gather entropy, which is via add_interrupt_randomness(), has no such limit. This means that we will continue to collect entropy even if the input pool is apparently “full”.

This is critical, because *secondly* their hypothetical attacks presume certain input distributions which have an incorrect entropy estimate —| that is, either zero actual entropy but a high entropy estimate, or a high entropy, but a low entropy estimate. There has been no attempt by the paper’s authors to determine whether the entropy gathered by Linux meets either of their hypothetical models, and in fact in the “Linux Pseudorandom Number Generator Revisited”[1], the analysis showed that our entropy estimator was actually pretty good, given the real-life inputs that we are able to obtain from an actual running Linux system.

[1]http://eprint.iacr.org/2012/251.pdf

The main thing which I am much more worried about is that on various embedded systems, which do not have a fine-grained clock, and which is reading from flash which has a much more deterministic timing for their operations, is that when userspace tries to generate long-term public keys immediately after the machine is taken out of the box and plugged in, that there isn’t a sufficient amount of entropy, and since most userspace applications use /dev/urandom since they don’t want to block, that they end up with keys that aren’t very random. We had some really serious problems with this, which was written up in the “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” [2]paper, and the changes made in July 2012 were specifically designed to address these worries.

[2]https://www.factorable.net/paper.html

However, it may be that on certain systems, in particular ARM and MIPS based systems, where a long-term public key is generated very shortly after the first power-on, that there’s enough randomness that the techniques used in [2]would not find any problems, but that might be not enough randomness to prevent our friends in Fort Meade from being able to brute force guess the possible public-private key pairs.

Speaking more generally, I’m a bit dubious about academic analysis which are primarily worried about recovering from the exposure of the state of the random pool. In practice, if the bad guy can grab the state of random pool, they probably have enough privileged access that they can do many more entertaining things, such as grabbing the user’s passphrase or their long-term private key. Trying to preserve the amount of entropy in the pool, and making sure that we can extract as much uncertainty from the system as possible, are much higher priority things to worry about.

That’s not to say that I might not make changes to /dev/random in reaction to academic analysis; I’ve made changes in reaction to [2], and I have changes queued for the next major kernel release up to make some changes to address concerns raised in [1]. However, protection against artificially constructed attacks is not the only thing which I am worried about. Things like making sure we have adequate entropy collection on all platforms, especially embedded ones, and adding some conservatism just in case SHA isn’t a perfect random function are some of the other things which I am trying to balance as we make changes to /dev/random.

T’so, who is the former CTO of the Linux Foundation, at least acknowledges the possibility that there is a real issue here.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Why Authorities in the Netherlands Need to Strip the EPO of Immunity and Investigate Fire Safety Violations

    How intimidation and crackdown on the staff representatives at the EPO may have led to lack of awareness (and action) about lack of compliance with fire safety standards



  2. Insensitivity at the EPO’s Management – Part IX: Testament to the Fear of an Autocratic Regime

    A return to the crucial observation and a reminder of the fact that at the EPO it takes great courage to say the truth nowadays



  3. For the Fordham Echo Chamber (Patent Maximalism), Judges From the EPO Boards of Appeal Are Not Worth Entertaining

    In an event steered if not stuffed by patent radicals such as Bristows and Microsoft (abusive, serial litigators) there are no balanced panels or even reasonable discussions



  4. EPO Staff Representatives Fired Using “Disciplinary Committee That Was Improperly Composed” as Per ILO's Decision

    The Board of the Administrative Council at European Patent Organisation is being informed of the union-busting activities of Battistelli -- activities that are both illegal (as per national and international standards) and are detrimental to the Organisation



  5. Links 23/4/2017: End of arkOS, Collabora Office 5.3 Released

    Links for the day



  6. Intellectual Discovery and Microsoft Feed Patent Trolls Like Intellectual Ventures Which Then Strategically Attack Rivals

    Like a swarm of blood-sucking bats, patent trolls prey on affluent companies that derive their wealth from GNU/Linux and freedom-respecting software (Free/libre software)



  7. The European Patent Office Has Just Killed a Cat (or Skinned a 'Kat')

    The EPO’s attack on the media, including us, resulted in a stream of misinformation and puff pieces about the EPO and UPC, putting at risk not just European democracy but also corrupting the European press



  8. Yann Ménière Resorts to Buzzwords to Recklessly Promote Floods of Patents, Dooming the EPO Amid Decline in Patent Applications

    Battistelli's French Chief Economist is not much of an economist but a patent maximalist toeing the party line of Monsieur Battistelli (lots of easy grants and litigation galore, for UPC hopefuls)



  9. Even Patent Bullies Like Microsoft and Facebook Find the Patent Trial and Appeal Board (PTAB) Useful

    Not just companies accused of patent infringement need the PTAB but also frequent accusers with deep pockets need the PTAB, based on some new figures and new developments



  10. Links 21/4/2017: Qt Creator 4.2.2, ROSA Desktop Fresh R9

    Links for the day



  11. At the EPO, Seeding of Puff Piece in the Press/Academia Sometimes Transparent Enough to View

    The EPO‘s PR team likes to 'spam' journalists and others (for PR) and sometimes does this publicly, as the tweets below show — a desperate recruitment and reputation laundering drive



  12. Affordable and Sophisticated Mobile Devices Are Kept Away by Patent Trolls and Aggressors That Tax Everything

    The war against commoditisation of mobile computing has turned a potentially thriving market with fast innovation rates into a war zone full of patent trolls (sometimes suing at the behest of large companies that hand them patents for this purpose)



  13. In Spite of Lobbying and Endless Attempts by the Patent Microcosm, US Supreme Court Won't Consider Any Software Patent Cases Anymore (in the Foreseeable Future)

    Lobbyists of software patents, i.e. proponents of endless litigation and patent trolls, are attempting to convince the US Supreme Court (SCOTUS) to have another look at abstract patents and reconsider its position on cases like Alice Corp. v CLS Bank International



  14. Expect Team UPC to Remain in Deep Denial About the Unitary Patent/Unified Court (UPC) Having No Prospects

    The prevailing denial that the UPC is effectively dead, courtesy of sites and blogs whose writers stood to profit from the UPC



  15. EPO in 2017: Erroneously Grant a Lot of Patents in Bulk or Get Sacked

    Quality of patent examination is being abandoned at the EPO and those who disobey or refuse to play along are being fired (or asked to resign to avoid forced resignations which would stain their record)



  16. Links 21/4/2017: System76 Entering Phase Three, KDE Applications 17.04, Elive 2.9.0 Beta

    Links for the day



  17. Bristows-Run IP Kat Continues to Spread Lies to Promote the Unitary Patent (UPC) and Advance the EPO Management's Agenda

    An eclectic response to some of the misleading if not villainous responses to the UPC's death knell in the UK, as well as other noteworthy observations about think tanks and misinformation whose purpose is to warp the patent system so that it serves law firms, for the most part at the expense of science and technology



  18. Links 20/4/2017: Tor Browser 6.5.2, PacketFence 7.0, New Firefox and Chrome

    Links for the day



  19. Patents on Business Methods and Software Are Collapsing, But the Patent Microcosm is Working Hard to Change That

    The never-ending battle over patent law, where those who are in the business of patents push for endless patenting, is still ongoing and resistance/opposition is needed from those who actually produce things (other than litigation) or else they will be perpetually taxed by parasites



  20. IAM, the Patent Trolls' Voice, is Trying to Deny There is a Growing Trolling Problem in Europe

    IAM Media (the EPO's and trolls' mouthpiece) continues a rather disturbing pattern of propaganda dressed up as "news", promoting the agenda of parasites who drain the economy by extortion of legitimate (producing) companies



  21. The Patent Microcosm Keeps Attacking Every Patent Office/System That is Doing the Right Thing

    Patent 'radicals' and 'extremists' -- those to whom patents are needed solely for the purpose of profit from bureaucracy -- fight hard against patent quality and in the process they harm everyone, including individual customers



  22. Another Final Nail in the UPC Coffin: UK General Election

    Ratification of the UPC in the UK can drag on for several more years and never be done thereafter, throwing into uncertainty the whole UPC (EU-wide) as we know it



  23. Links 19/4/2017: DockerCon Coverage, Ubuntu Switching to Wayland

    Links for the day



  24. Links 18/4/2017: Mesa 17.0.4, FFmpeg 3.3

    Links for the day



  25. Patents Roundup: Microsoft, Embargo, Tax Evasion, Surveillance, and Censorship

    An excess of patents and their overutilisation for purposes other than innovation (or dissemination of knowledge) means that society has much to lose, sometimes more than there is to gain



  26. How I Learned that Skype is a Spy Campaign (My Personal Story) -- by Yuval Levental

    Skype is now tracking serial numbers, too



  27. Links 17/4/2017: Devil Linux 1.8.0, GNU IceCat 52.0.2

    Links for the day



  28. EPO Patent Quality and Quality of Service Have Become a Disaster, Say EPO Stakeholders

    Stakeholders of the EPO, in various sites that attract them, are complaining about the service of the EPO, the declining quality of patents (and the rushed processes), including the fact that Battistelli's blind obsession with so-called 'production' dooms the already-up-in-flames EPO and makes it uncompetitive



  29. IAM is a Think Tank for Patent Trolls, Software Patents, the EPO, Microsoft, and Whoever Else is Willing to Pay

    The site where you get what you pay for continues to promote highly damaging agenda, which threatens to disrupt operations at a lot of legitimate companies that employ technical people



  30. An Australian Patent Troll, Global Equity Management (SA) Pty Ltd (GEMSA), is a Bully Not Just in the Patent Sense, Explains the EFF

    The mischievous troll GEMSA, which doesn't seem to get enough out of bullying real companies, is now attacking a civil rights group's free speech rights


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts