Torvalds On Being Asked to Insert a U.S. Government Back Door Into Linux Kernel
Sep 19 2013
Torvalds was also asked if he had ever been approached by the U.S. government to insert a backdoor into Linux.
Torvalds responded “no” while shaking his head “yes,” as the audience broke into spontaneous laughter.
So given Torvalds' response to the backdoor question, take a look at this item from 2003:
Thwarted Linux backdoor hints at smarter hacks
By Kevin Poulsen, SecurityFocus
Software developers on Wednesday detected and thwarted a hacker’s scheme to submerge a slick backdoor in the next version of the Linux kernel, but security experts say the abortive caper proves that extremely subtle source code tampering is more than just the stuff of paranoid speculation.
The backdoor was a two-line addition to a development copy of the Linux kernel’s source code, carefully crafted to look like a harmless error-checking feature added to the wait4() system call — a function that’s available to any program running on the computer, and which, roughly, tells the operating system to pause execution of that program until another program has finished its work.
Under casual inspection, the code appears to check if a program calling wait4() is using a particular invalid combination of two flags, and if the user invoking it is the computer’s all-powerful root account. If both conditions are true, it aborts the call.
But up close, the code doesn’t actually check if the user is root at all. If it sees the flags, it grants the process root privileges, turning wait4() into an instant doorway to complete control of any machine, if the hacker knows the right combinations of flags.
That difference between what the code looks like and what it actually is — that is, between assignment and comparison — is a matter of a single equal sign in the C programming language, making it easy to overlook. If the addition had been detected in a normal code review, the backdoor could even have been mistaken for a programming error — no different from the buffer overflows that wind up in Microsoft products on a routine basis. “It’s indistinguishable from an accidental bug,” says security consultant Ryan Russell. “So unless you have a reason to be suspicious, and go back and find out if it was legitimately checked in, that’s going to be a long trail to follow.”
In all, the unknown hacker used exactly the sort of misdirection and semantic trickery that security professionals talk about over beer after a conference, while opining on how clumsy the few discovered source code backdoors have been, and how a real cyber warrior would write one.
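The assignment-versus-comparison difference the article describes, shown as an added user-space illustration. It is not the code from the incident and not kernel code; the flag names, `struct task`, the error value and the uid 1000 are constructed for the example.

```c
#include <stdio.h>

/* Constructed stand-ins: not the kernel's real flag values or task struct. */
#define OPT_A 0x1
#define OPT_B 0x2
#define ERR_INVALID (-22)

struct task { unsigned int uid; };   /* uid 0 models root */

/* Reads like "reject this flag combination when the caller is root",
 * but `t->uid = 0` is an assignment: it sets uid to 0 and evaluates to 0,
 * so the branch never runs and the call is never rejected. */
int check_as_written(struct task *t, int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid = 0))
        retval = ERR_INVALID;
    return retval;
}

/* What the code appears to say: a comparison, with no side effect. */
int check_as_it_appears(const struct task *t, int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid == 0))
        retval = ERR_INVALID;
    return retval;
}

/* Returns the uid a non-root caller ends up with after each variant. */
unsigned int uid_after(int use_written, int options)
{
    struct task t = { 1000 };
    if (use_written)
        check_as_written(&t, options);
    else
        check_as_it_appears(&t, options);
    return t.uid;
}

int main(void)
{
    printf("comparison: uid=%u\n", uid_after(0, OPT_A | OPT_B));
    printf("assignment: uid=%u\n", uid_after(1, OPT_A | OPT_B));
    printf("assignment, other flags: uid=%u\n", uid_after(1, OPT_A));
    return 0;
}
```

For review purposes, note that the comparison variant can take a `const` pointer while the assignment variant cannot: with `const`, the single-equals form fails to compile. A rule that flags any assignment inside a conditional catches the same pattern where `const` is not available.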