EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

10.16.13

Linux Backdoors Revisited (New Revelations and Old Revelations)

Posted in GNU/Linux, Kernel, Security at 10:43 am by Dr. Roy Schestowitz

Claude Elwood Shannon, the man who introduced entropy

Claude Elwood Shannon

Summary: An anonymous backdooring attempt against Linux goes a decade back, but a randomisation problem in today’s Linux also seems possible (subverting encryption)

Jonathan Allen wrote this article about an incident mentioned also by Freedom to Tinker. Slashdot’s summary goes like this, documenting news from one decade ago:

“Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn’t like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: ‘if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) …’ A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said ‘= 0′ rather than ‘== 0′ so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it’s a classic backdoor. We don’t know who it was that made the attempt—and we probably never will. But the attempt didn’t work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. ‘Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,’ writes Felton. ‘Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.’”

Backdoors in Linux are a subject for jokes in Torvalds' mind, but given the above we should take this subject very seriously. In any system, for example, having no mechanism for randomness (like in some embedded devices) typically means that strong encryption (with high entropy) is not possible. Given new alleged “insecurities in the Linux /dev/random,” as Bruce Schneier put it, Linux backdoors seem possible again. David Benfell said:

I’m guessing Schneier knows what the fuck he’s talking about. If it is the same vulnerability, then Torvalds’ defense is that the vulnerable source of entropy is only one of many. But if I read Schneier correctly, the result was still too predictable.

“On the other hand,” says Benfell, “here’s Theodore T’so from the comments:”

So I’m the maintainer for Linux’s /dev/random driver. I’ve only had a chance to look at the paper very quickly, and I will at it more closely when I have more time, but what the authors of this paper seem to be worried about is not even close to the top of my list in terms of things I’m worried about.

First of all, the paper is incorrect in some minor details; the most significant error is its (untrue) claim that we stop gathering entropy when the entropy estimate for a given entropy pool is “full”. Before July 2012, we went into a trickle mode where we only took in 1 in 096 values. Since then, the main way that we gather entropy, which is via add_interrupt_randomness(), has no such limit. This means that we will continue to collect entropy even if the input pool is apparently “full”.

This is critical, because *secondly* their hypothetical attacks presume certain input distributions which have an incorrect entropy estimate —| that is, either zero actual entropy but a high entropy estimate, or a high entropy, but a low entropy estimate. There has been no attempt by the paper’s authors to determine whether the entropy gathered by Linux meets either of their hypothetical models, and in fact in the “Linux Pseudorandom Number Generator Revisited”[1], the analysis showed that our entropy estimator was actually pretty good, given the real-life inputs that we are able to obtain from an actual running Linux system.

[1]http://eprint.iacr.org/2012/251.pdf

The main thing which I am much more worried about is that on various embedded systems, which do not have a fine-grained clock, and which is reading from flash which has a much more deterministic timing for their operations, is that when userspace tries to generate long-term public keys immediately after the machine is taken out of the box and plugged in, that there isn’t a sufficient amount of entropy, and since most userspace applications use /dev/urandom since they don’t want to block, that they end up with keys that aren’t very random. We had some really serious problems with this, which was written up in the “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” [2]paper, and the changes made in July 2012 were specifically designed to address these worries.

[2]https://www.factorable.net/paper.html

However, it may be that on certain systems, in particular ARM and MIPS based systems, where a long-term public key is generated very shortly after the first power-on, that there’s enough randomness that the techniques used in [2]would not find any problems, but that might be not enough randomness to prevent our friends in Fort Meade from being able to brute force guess the possible public-private key pairs.

Speaking more generally, I’m a bit dubious about academic analysis which are primarily worried about recovering from the exposure of the state of the random pool. In practice, if the bad guy can grab the state of random pool, they probably have enough privileged access that they can do many more entertaining things, such as grabbing the user’s passphrase or their long-term private key. Trying to preserve the amount of entropy in the pool, and making sure that we can extract as much uncertainty from the system as possible, are much higher priority things to worry about.

That’s not to say that I might not make changes to /dev/random in reaction to academic analysis; I’ve made changes in reaction to [2], and I have changes queued for the next major kernel release up to make some changes to address concerns raised in [1]. However, protection against artificially constructed attacks is not the only thing which I am worried about. Things like making sure we have adequate entropy collection on all platforms, especially embedded ones, and adding some conservatism just in case SHA isn’t a perfect random function are some of the other things which I am trying to balance as we make changes to /dev/random.

T’so, who is the former CTO of the Linux Foundation, at least acknowledges the possibility that there is a real issue here.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. China Bashing is Grounded in Fear (That They Can Simply Do Better Than the West)

    The atmosphere of hate towards China — fuelled partly by a white supremacist in the White House — is unhelpful and insulting; dignity and understanding is the way to go



  2. IRC Proceedings: Tuesday, February 18, 2020

    IRC logs for Tuesday, February 18, 2020



  3. FFII Press Release: Germany Can No Longer Ratify the Unitary Patent Due to Brexit and the Established AETR Case-law, says FFII

    Germany cannot ratify the current Unitary Patent due to Brexit and the established AETR case-law. The ratification of the UPC (Unified Patent Court) by Germany would constitute a violation of the AETR case-law, which was used during the EPLA negotiations in 2006 to consider a deal with non-EU countries, such as Switzerland.



  4. DRM (Proprietary Software) Already Makes Mozilla Firefox Broken, Unreliable, Undependable (Dependent on Binary Blobs)

    More people are beginning to realise that Mozilla resorted to self-harming DRM and self-inflicted damage that impacts Firefox; can Mozilla (re)join the anti-DRM coalitions?



  5. EPO and Other Patent Updates Over RSS

    Site syndication (over RSS feeds or XML/Atom) is vastly better than what became popular in recent years (censored, centralised, discriminatory "Social Control Media"); here are some feeds of interest



  6. When It Comes to a Unitary Patent System, Bad (or Intentionally Dishonest) Legal Advice Has Become the Norm

    The Unified Patent Court and Unitary Patent (UPC and UP, respectively) reinforce the old saying about lawyers being liars, doing anything to attract clients (to take their money); the UPC is basically dead, but fiction, falsehoods and outrageous fantasies still find their way into Web sites of law firms



  7. Links 19/2/2020: KDE Plasma 5.18.1, GNOME 3.36 Beta 2 and WordPress 5.4 Beta 2

    Links for the day



  8. Is Linux Foundation a Microsoft Branch Now?

    The so-called ‘Linux’ Foundation (LF) nowadays helps Microsoft cement its monopoly — the very opposite of what ages ago it said the LF would do



  9. Are Songs Property? And Maths Also Property? Artificial Monopolies Are Not Property...

    Patent maximalists continue to face stronger arguments from their sceptics, who rightly allege that words are being intentionally misused and numbers fabricated so as to distort underlying facts



  10. Battistelli Blocked Techrights at EPO (Banned for More Than 5 Years), So CEIPI Won't Respect Access to Information Either

    The use of censorship to confront people who talk about (not even expose) corruption isn't novel; but the adoption of this approach in Europe (not just places like Russia and China) is definitely noteworthy



  11. IRC Proceedings: Monday, February 17, 2020

    IRC logs for Monday, February 17, 2020



  12. Links 18/2/2020: Linux 5.6 RC2, Wine 5.2, GNU Social Contract and Sparky 2020.02 Special Editions

    Links for the day



  13. IRC Proceedings: Sunday, February 16, 2020

    IRC logs for Sunday, February 16, 2020



  14. Links 16/2/2020: MX Linux 19.1 and MyPaint 2.0

    Links for the day



  15. IRC Proceedings: Saturday, February 15, 2020

    IRC logs for Saturday, February 15, 2020



  16. Guest Article: Au Revoir, GNU/Linux

    "Funny how OSI just ended up being another vehicle for their takeover of the computing world..."



  17. Former Microsoft Employee: ZDNet is Owned by Microsoft (and Others) in Some Senses

    A noteworthy message we've received from someone who knows Microsoft from the inside



  18. Links 15/2/2020: Blender 2.82, Qt 5.15 Alpha and NetBSD 9.0 Released

    Links for the day



  19. Microsoft Views 'Open Source' as a Zero-Cost Heist Opportunity (Making Proprietary Software/Spyware Using Other People's Free Labour)

    Making GPL-licensed (copyleft) software and hosting it outside Microsoft’s jaws is the best way to counter the abusive monopolist, which still says it “loves” what it is actually attacking



  20. Did Microsoft 'Buy' ZDNet?

    A look at what ZDNet tells its readers (screenshot from this morning) and a rare look at how its writers are censored/suppressed



  21. Anatomy of a Crime and Protection From Prosecution

    It’s hard to forget what António Campinos hides for his friend



  22. Today's EPO is a Fraud Managed by Frauds

    Beneath the scandals associated with systematic abuse against staff, union-busting (silencing whistleblowers) and en masse granting of invalid patents — the hallmark of grotesque maladministration — lie a bunch of even greater crimes



  23. IRC Proceedings: Friday, February 14, 2020

    IRC logs for Friday, February 14, 2020



  24. One Need Only Look at ZDNet's 'Linux' Section to Understand It's a Microsoft Propaganda Operation

    A timely new snapshot (or screenshot) that demonstrates what ZDNet became after hiring Microsoft employees as ‘journalists’ and censoring on behalf of Microsoft, defaming Free software figures and so on



  25. Links 14/2/2020: New Release of KStars, OpenSSH 8.2, Rhythmbox 3.4.4, Flatpak 1.6.2

    Links for the day



  26. The Uselessness of Social Control Media and Why We Need RSS Feeds' Resurgence More Than Ever

    Social control media became pure noise or misinformation, usually in pursuit of financial expansion alone, and it is also a censorship machine which discourages not falsehoods but unconventional thinking



  27. Another New 'Clown' for the UPC 'Circus'

    A former writer of IPPro Magazine (which seems to be defunct now) reports another shuffle -- perhaps the fifth in a few years -- of "IP" [sic] Minister for the UK; it doesn't bode well for the Unified Patent Court (UPC)



  28. IRC Proceedings: Thursday, February 13, 2020

    IRC logs for Thursday, February 13, 2020



  29. Links 13/2/2020: Ubuntu 18.04.4 LTS, Septor 2020, Endless OS 3.7.7, Wayland 1.18.0, KDE Plasma 5.18 and GTK 3.98 Released

    Links for the day



  30. The Microsoft Propaganda Model

    Classic new examples (real screenshots) of how Microsoft-funded media entraps people looking for information about "Linux" to actually push Microsoft talking points and marketing, cover-up, face-saving lies etc.


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts