||This article's tone or style may not reflect the encyclopedic tone used on Wikipedia. (December 2010)|
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. Industry experts have intimated that zero-day attacks may fetch prodigious sums from governmental agencies. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. Zetter presents an accessible history of the form.
The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted. Petersen and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference. They noted a class of active infiltration attacks that use "trapdoor" entry points into the system to bypass security facilities and permit direct access to data. The use of the word trapdoor here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J. Edwards in 1970.
A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. A famous example of this sort of backdoor was used as a plot device in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game-like simulation mode and direct interaction with the artificial intelligence).
An attempt to plant a backdoor in the Linux kernel, exposed in November 2003, showed how subtle such a code change can be. In this case, a two-line change appeared to be a typographical error, but actually gave the caller to the sys_wait4 function root access to the system.
Although the number of backdoors in systems using proprietary software (software whose source code is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures—and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.
A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks have been termed kleptography; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology. Notably, NSA inserted a kleptographic backdoor into the Dual_EC_DRBG standard.
There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available.
In late February 2014, Apple elliptically notified users of their OS of the "goto fail" backdoor that was caused by an error. This error voids the SSL authentication process, and exposes the user to a Man-in-the-middle attack. The "goto fail" bug is nicely diff-listed by Arthur in the Guardian expose.
A vulnerability in the Apple iOS product prompted the police detectives in the murder trial of Oscar Pistorius to enlist the aid of the manufacturer in decrypting the contents of communications sent by him on his iPhone around the time of the death on Valentine's Day 2013 of Reeva Steenkamp.
In early March 2014, Red Hat notified users of the GnuTLS libary of the "goto cleanup" backdoor, which is diff-listed by its discoverer Mavrogiannopoulos. This bug voids the SSL authentication process, and has exposed users since 2005 of the Red Hat, Ubuntu and Debian (among 200 plus others) Linux OS to a Man-in-the-middle attack. The similarity between the Apple "goto fail" bug and the Linux "goto cleanup" bug has not gone unnoticed, as is plain to readers of the Arthur and Mavrogiannopoulos bugs. The security notice for this bug in the Debian flavour of the Linux OS is available.
List of known backdoors in standards
- the MD2 algorithm was found in the 1996 announcement of RFC6149 to have a backdoor
- Ron Rivest's MD4 hash was found in the 2011 announcement of RFC6150 to have a backdoor
- Rivest's MD5 hash was shown to have several weaknesses in 1996 by Hans Dobbertin
- SHA-0 (aka FIPS-180) was withdrawn after CRYPTO '98
- SHA-1 (aka FIPS-180-1) was shown to be attackable in 2005 by Eli Biham and co-authors, as well as Vincent Rijmen and Elisabeth Oswald
- The Dual_EC_DRBG cryptographically secure pseudorandom number generator was revealed in 2013 to have a kleptographic backdoor deliberately inserted by NSA, who also had the private key to the backdoor.
Reflections on Trusting Trust
Ken Thompson's Reflections on Trusting Trust, his Turing Award acceptance speech in 1984, was the first major paper to describe black box backdoor issues, and points out that trust is relative. It describes a backdoor mechanism based on the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.
- Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
- Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was, officially, never released into the wild. It is believed, however, that a version was distributed to BBN and at least one use of the backdoor was recorded.
This attack was recently (August 2009) discovered by Sophos labs: The W32/Induc-A virus infected the program compiler for Delphi, a Windows programming language. The virus introduced its own code to the compilation of new Delphi programs, allowing it to infect and propagate to many systems, without the knowledge of the software programmer. An attack that propagates by building its own Trojan horse can be especially hard to discover. It is believed that the Induc-A virus had been propagating for at least a year before it was discovered.
Once a system has been compromised with a backdoor or Trojan horse, such as the Trusting Trust compiler, it is very hard for the "rightful" user to regain control of the system. However, several practical weaknesses in the Trusting Trust scheme have been suggested. For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to hide the Trojan horse, such as subverting the disassembler; but there are ways to counter that defense, too, such as writing your own disassembler from scratch. A generic method to counter trusting trust attacks is called Diverse Double-Compiling (DDC). The method requires a different compiler and the source code of the compiler-under-test. That source, compiled with both compilers, results in two different stage-1 compilers; the same source compiled with both stage-1 compilers must then result in two identical stage-2 compilers. A formal proof is given that the latter comparison guarantees that the purported source code and executable of the compiler-under-test correspond, under some assumptions. This method was applied by its author to verify that the C compiler of the GCC suite (v. 3.0.4) contained no trojan, using icc (v. 11.0) as the different compiler. Such verifications are generally difficult and impractical. If a user had a serious concern that the compiler was compromised, they would be better off avoiding using it altogether, along with all the executables compiled with it, rather than carrying out a thorough verification of the binary. A user that did not have serious concerns that the compiler was compromised could not be practically expected to undertake the vast amount of work required.
- grahamcluely.com: "Zero-day exploit in Apple’s iOS operating system “sold for $500,000″" 15 Jul 2013
- nytimes.com: "Nations Buying as Hackers Sell Flaws in Computer Code" (Perlroth et al) 13 Jul 2013
- fastcompany.com: "How Spies, Hackers, And the Government Bolster A Booming Software Exploit Market" 1 May 2013
- "Cyberwar’s Gray Market" (Gallagher) 16 Jan 2013
- wired.com: "How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA" (Zetter) 24 Sep 2013
- H.E. Petersen, R. Turn. "System Implications of Information Privacy". Proceedings of the AFIPS Spring Joint Computer Conference, vol. 30, pages 291–300. AFIPS Press: 1967.
- Security Controls for Computer Systems, Technical Report R-609, WH Ware, ed, Feb 1970, RAND Corp.
- Larry McVoy (November 5, 2003) Linux-Kernel Archive: Re: BK2CVS problem. ussg.iu.edu
- Thwarted Linux backdoor hints at smarter hacks; Kevin Poulsen; SecurityFocus, 6 November 2003.
- G+M: "The strange connection between the NSA and an Ontario tech firm" 20 Jan 2014
- cryptovirology.com page on OpenSSL RSA backdoor
- macworld.com: "What you need to know about Apple's SSL bug" 24 Feb 2014
- theregister.co.uk: "Update your Mac NOW: Apple fixes OS X 'goto fail' SSL spying vuln" 25 Feb 2014
- theguardian.co.uk: "Apple's SSL iPhone vulnerability: how did it happen, and what next?" (Arthur) 25 Feb 2014
- telegraph.co.uk: "Oscar Pistorius: police fly to Apple HQ in California to access deleted phone messages" 27 Feb 2014
- globeandmail.com: "Toronto police obtain new warrant in Ford investigation " 7 Mar 2014
- Red Hat Customer Portal: "Important: gnutls security update" 3 Mar 2014
- gitorious.org: "corrected return codes" (Mavrogiannopoulos) 3 Mar 2014
- Ars Technica: "Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping" 4 Mar 2014
- debian.org: "Debian Security Advisory: DSA-2869-1 gnutls26 -- incorrect certificate verification" 3 Mar 2014
- Gary Kessler, "An Overview of Cryptography", sec 3.3
- [Biham et al, LNCS3494 pp.36-57: "Advances in Cryptology - EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005"]
- nytimes.com: "N.S.A. Able to Foil Basic Safeguards of Privacy on Web" (Perlroth et al) 5 Sep 2013
- Thompson, Ken (August 1984), "Reflections on Trusting Trust", Communications of the ACM 27 (8): 761–763
- Jargon File entry for “backdoor” at catb.org, describes Thompson compiler hack
- Compile-a-virus — W32/Induc-A Sophos labs on the discovery of the Induc-A virus
- David A. Wheeler (7 December 2009). "Fully Countering Trusting Trust through Diverse Double-Compiling". Retrieved 19 December 2013.
- Three Archaic Backdoor Trojan Programs That Still Serve Great Pranks
- Backdoors removal — List of backdoors and their removal instructions.
- FAQ Farm's Backdoors FAQ: wiki question and answer forum
- List of backdoors and Removal
- David A. Wheeler’s Page on "Fully Countering Trusting Trust through Diverse Double-Compiling"—Author's 2009 Ph.D. thesis at George Mason University