Linux Proves Security of Open Source: First Back-Door Attempt Thwarted

Sunday, November 09 2003 @ 05:34 AM EST

Contributed by: J.F.

The Open Source method has been validated once more as a potentially catastrophic back door in the kernel was detected and removed before it could even reach the code stage. Linus says the incident "wasn't really bad at all."

In an article in The Register, it was disclosed that an unknown party attempted to bypass the normal submission procedures for Linux code in an attempt to get the back door incorporated into the kernel. Alert Linux coders quickly spotted the alterations and recognized their hidden intent, despite the clever way they were coded to obfuscate their purpose, a classic example of why the open source method is so effective and so quick to spot and fix security problems:

"'Whoever did this knew what they were doing,' says Larry McVoy, founder of San Francisco-based BitMover, which hosts the Linux kernel development site that was compromised. 'They had to find some flags that could be passed to the system without causing an error, and yet are not normally passed together... There isn't any way that somebody could casually come in, not know about Unix, not know the Linux kernel code, and make this change. Not a chance.'

"However sophisticated, the hack fell apart Wednesday, when a routine file integrity check told McVoy that someone had manually changed a copy of a kernel source code file that's normally only modified by an automated process, specifically one that pulls the code from BitMover's BitKeeper software collaboration tool and repackages it for the open source CVS system still favored by some developers.

"Even then, McVoy didn't initially recognize the change as a backdoor, and he announced it to the Linux kernel developers list as a procedural annoyance. Other programmers soon figured out the trick, and by Thursday an investigation into how the development site was compromised was underway, headed by Linux chief Linus Torvalds, according to McVoy."

More details here. How long have bugs and exploitable insecurities remained in Windows in the past before Microsoft even admitted there was a problem, much less fixed it? Proprietary companies may try to offer this incident as proof Linux and/or the open source method is not secure, but it is, in fact, proof of the opposite: an extremely subtle and sophisticated attempt to hijack the kernel was thwarted almost instantaneously, before any harm could be done, long before it reached the user.
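The kind of routine integrity check McVoy describes, as an added example (not code from the article, from BitMover or from the kernel project): the automated export job records a hash manifest of every file it writes, and a later pass compares the live export tree against that manifest, so a file edited by hand rather than by the job stands out. The tree layout, file names and contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large trees do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its hash. The automated
    export job would run this right after writing the tree (assumption)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_out_of_band_changes(manifest: dict, root: Path) -> dict:
    """Compare the tree on disk against the recorded manifest and report
    files that were modified, added or removed outside the export job."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: an exported tree, then a small manual edit to
    one file that bypasses the export job."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "kernel").mkdir()
        (root / "kernel" / "a.c").write_text("/* constructed */\nint f(int x) { return x == 0; }\n")
        (root / "kernel" / "b.c").write_text("/* constructed */\n")
        manifest = build_manifest(root)  # recorded by the automated export
        # A one-character change made by hand; the job never wrote this.
        (root / "kernel" / "a.c").write_text("/* constructed */\nint f(int x) { return x = 0; }\n")
        return find_out_of_band_changes(manifest, root)


if __name__ == "__main__":
    print(demo())
```

The report names the file but not the edit; the next step in practice is a line-level diff of that file against the job's last output, which is what let the kernel developers see the intent of the change.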

Newsforge adds this:

"The code, if it had become part of the final kernel release, would have allowed a remote user to take control of machines running that Linux kernel version. Unauthorized code snippets, often called Easter Eggs, are common in closed-source programs but are relatively rare in the open source world. It's easy for developers to hide either humorous or malicious code in programs whose inner workings are hidden, but as this Linux kernel incident shows, the open source development process carries a degree of built-in immunity to this kind of problem."

An investigation into the source of the offending code is underway, headed by Linus Torvalds, according to this report by McVoy:

"Linus & Dave have tracked down the machine from which the break in happened, it was a University, that University has been contacted, is cooperating, and has discovered that a number of their machines have rootkits installed. So they are working backwards to try and track down where those breakins came from."

This is, according to McVoy, the first known malicious attempt to install a back door in Linux, probably because it is well-known that Linus reads every line of code personally before it is accepted into the kernel.

The unflappable Linus emailed Newsforge his take on the situation:

"It wasn't really bad at all - except of course in the sense that it's always a nasty surprise that somebody would try something like that. But on a scale from 'insignificant' to 'very very serious' I'd call the hack attempt 'interesting'.

"Inserting a back-door into a project CVS tree could be very serious in theory, and in that sense everything was done 'right' - the code was made to look innocuous, and the CVS history looked fairly sane. Successfully doing something like that into the core CVS tree would quite potentially be very hard to detect, and two lines of code out of five million is obviously not a sore thumb that sticks out.

"But the thing is, unlike a lot of other projects, Linux kernel development isn't actually done using a central CVS tree _at_all_. That CVS-tree was just an automatically generated read-only export for people who want to use CVS, and the back-door was never in any 'real' tree in that sense. The real trees aren't public, and never have been."