BACKDOOR
BACKDOOR
A backdoor is a method, often secret, of
bypassing normal authentication or encryption in a computer system,
a product, or an embedded device (e.g. a home router), or its embodiment, e.g. as part
of a cryptosystem, an algorithm, a chipset, or a "homunculus computer" (such
as that as found in Intel's AMT
technology). Backdoors are often used for securing remote access to
a computer, or obtaining access to plaintext in cryptographic systems.
A backdoor may take the form of a hidden part of a program one
uses, a
separate program (e.g. Back Orifice may
subvert the system through a rootkit), or code in the firmware of ones hardware or
parts of ones operating system such as Microsoft Windows. Although
normally surreptitiously installed, in some cases backdoors are deliberate and
widely known. These kinds of backdoors might have "legitimate" uses
such as providing the manufacturer with a way to restore user passwords.
Default passwords (or other default credentials) can
function as backdoors if they are not changed by the user. Some debugging features
can also act as backdoors if they are not removed in the release version.
In 1993 the United States government attempted to deploy an
encryption system, the Clipper chip, with an explicit backdoor for
law enforcement and national security access. The chip was unsuccessful internationally
and in business.
The threat of backdoors surfaced when multiuser and networked
operating systems became widely adopted. Petersen and Turn discussed computer
subversion in a paper published in the proceedings of the 1967 AFIPS
Conference. They
noted a class of active infiltration attacks that use "trapdoor"
entry points into the system to bypass security facilities and permit direct
access to data. The use of the word trapdoor here clearly coincides with more
recent definitions of a backdoor. However, since the advent of public key
cryptography the term trapdoor has acquired a different meaning (see trapdoor function), and thus the term
"backdoor" is now preferred. More generally, such security breaches
were discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J.
Edwards in 1970.
A backdoor in a login system might take the form of a hard coded user
and password combination which gives access to the system. An example of this
sort of backdoor was used as a plot device in the 1983 film WarGames, in which the architect of the
"WOPR" computer system had inserted a
hardcoded password (his dead son's name) which gave the user access to the
system, and to undocumented parts of the system (in particular, a video
game-like simulation mode and direct interaction with the artificial
intelligence).
Although the number of backdoors in systems using proprietary software (software whose source code is
not publicly available) is not widely credited, they are nevertheless
frequently exposed. Programmers have even succeeded in secretly installing
large amounts of benign code as Easter eggs in programs, although such cases may
involve official forbearance, if not actual permission.
Examples
Emilia Attack
Many computer worms,
such as Sobig and Mydoom,
install a backdoor on the affected computer (generally a PC on broadband running Microsoft
Windows and Microsoft
Outlook). Such backdoors appear to be installed so that spammers can
send junk e-mail from the infected machines. Others,
such as the Sony/BMG rootkit, placed
secretly on millions of music CDs through late 2005, are intended as DRM measures—and, in that case, as
data-gathering agents, since both surreptitious programs they
installed routinely contacted central servers.
In January 2014, a backdoor was
discovered in certain Samsung Android products,
like the Galaxy devices. The Samsung proprietary Android versions are fitted
with a backdoor that provides remote access to the data stored on the device.
In particular, the Samsung Android software that is in charge of handling the
communications with the modem, using the Samsung IPC protocol, implements a
class of requests known as remote file server (RFS) commands, that allows the
backdoor operator to perform via modem remote I/O operations on the device hard
disk or other storage. As the modem is running Samsung proprietary Android
software, it is likely that it offers over-the-air remote control that could
then be used to issue the RFS commands and thus to access the file system on
the device
Object code backdoors
Harder to detect backdoors involve modifying object code, rather
than source code – object code is much harder to inspect, as it is designed to
be machine-readable, not human-readable. These backdoors can be inserted either
directly in the on-disk object code, or inserted at some point during
compilation, assembly linking, or loading – in the latter case the backdoor
never appears on disk, only in memory. Object code backdoors are difficult to
detect by inspection of the object code, but are easily detected by simply
checking for changes (differences), notably in length or in checksum, and in
some cases can be detected or analyzed by disassembling the object code.
Further, object code backdoors can be removed (assuming source code is
available) by simply recompiling from source.
Thus for such backdoors to avoid detection, all extant copies of
a binary must be subverted, and any validation checksums must also be
compromised, and source must be unavailable, to prevent recompilation.
Alternatively, these other tools (length checks, diff, checksumming,
disassemblers) can themselves be compromised to conceal the backdoor, for
example detecting that the subverted binary is being checksummed and returning
the expected value, not the actual value. To conceal these further subversions,
the tools must also conceal the changes in themselves – for example, a
subverted checksummer must also detect if it is checksumming itself (or other
subverted tools) and return false values. This leads to extensive changes in
the system and tools being needed to conceal a single change.
Because object code can be regenerated by recompiling
(reassembling, relinking) the original source code, making a persistent object
code backdoor (without modifying source code) requires subverting the compiler itself – so that when it detects that it is compiling the
program under attack it inserts the backdoor – or alternatively the assembler,
linker, or loader. As this requires subverting the compiler, this in turn can
be fixed by recompiling the compiler, removing the backdoor insertion code.
This defense can in turn be subverted by putting a source meta-backdoor in the
compiler, so that when it detects that it is compiling itself it then inserts
this meta-backdoor generator, together with the original backdoor generator for
the original program under attack. After this is done, the source meta-backdoor
can be removed, and the compiler recompiled from original source with the
compromised compiler executable: the backdoor has been bootstrapped. This attack
dates to Karger & Schell (1974), and was
popularized in Thompson's 1984 article, entitled "Reflections on Trusting
Trust"; it is hence colloquially known as the "Trusting Trust"
attack. See compiler backdoors, below, for details.
Analogous attacks can target lower levels of the system, such as the operating
system, and can be inserted during the system booting process; these are also mentioned in Karger & Schell (1974), and now exist in
the form of boot sector viruses.
Asymmetric backdoors
A traditional backdoor is a symmetric backdoor: anyone that
finds the backdoor can in turn use it. The notion of an asymmetric backdoor was
introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be
used by the attacker who plants it, even if the full implementation of the
backdoor becomes public (e.g., via publishing, being discovered and disclosed
by reverse engineering,
etc.). Also, it is computationally intractable to detect the presence of an
asymmetric backdoor under black-box queries. This class of attacks have been
termed kleptography; they
can be carried out in software, hardware (for example, smartcards), or a
combination of the two. The theory of asymmetric backdoors is part of a larger
field now called cryptovirology. Notably, NSA inserted a kleptographic backdoor into theDual_EC_DRBG standard.
There exists an experimental asymmetric backdoor in RSA key
generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes
a twisted pair of elliptic curves, and has been made available.
Compiler backdoors
A sophisticated form
of black box backdoor
is a compiler backdoor, where not only is a compiler subverted (to
insert a backdoor in some other program, such as a login program), but it is
further modified to detect when it is compiling itself and then inserts both
the backdoor insertion code (targeting the other program) and the code
modifying self-compilation, like the mechanism how retroviruses infect
their host. This can be done by modifying the source code, and the resulting
compromised compiler (object code) can compile the original (unmodified) source
code and insert itself: the exploit has been boot-strapped.
This attack was
originally presented in Karger &
Schell (1974, p. 52, section 3.4.5: "Trap Door Insertion"),
which was a United States Air Force security
analysis of Multics,
where they described such an attack on a PL/I compiler, and
call it a "compiler trap door"; they also mention a variant where the
system initialization code is modified to insert a backdoor during booting,
as this is complex and poorly understood, and call it an "initialization
trapdoor"; this is now known as a boot sector
virus.
This attack was then
actually implemented and popularized by Ken Thompson,
in his Turing Award acceptance speech in 1983
(published 1984), "Reflections on Trusting Trust", which
points out that trust is relative, and the only software one can truly trust is
code where every step of the bootstrapping has been inspected. This backdoor
mechanism is based on the fact that people only review source (human-written)
code, and not compiled machine code (object code).
A program called
a compiler is
used to create the second from the first, and the compiler is usually trusted
to do an honest job.
Thompson's paper
describes a modified version of the Unix C compiler that would:
·
Put an invisible backdoor
in the Unix login command when it noticed that
the login program was being compiled, and as a twist
·
Also add this feature
undetectably to future compiler versions upon their compilation as well.
Because the compiler
itself was a compiled program, users would be extremely unlikely to notice the
machine code instructions that performed these tasks. (Because of the second
task, the compiler's source code would appear "clean".) What's worse,
in Thompson's proof of concept implementation, the
subverted compiler also subverted the analysis program (the disassembler),
so that anyone who examined the binaries in the usual way would not actually
see the real code that was running, but something else instead.
An updated analysis of
the original exploit is given in Karger &
Schell (2002, Section 3.2.4: Compiler trap doors), and a historical
overview and survey of the literature is given inWheeler
Occurrences
Thompson's version was, officially, never released into the
wild. It is believed, however, that a version was distributed to BBN and at least one use of the backdoor was recorded. There are scattered anecdotal reports of such backdoors in
subsequent years.
This attack was recently (August 2009) discovered by Sophos
labs: The W32/Induc-A virus infected the program compiler for Delphi,
a Windows programming language. The virus introduced its own code to the
compilation of new Delphi programs, allowing it to infect and propagate to many
systems, without the knowledge of the software programmer. An attack that
propagates by building its own Trojan horse can be especially hard to discover. It is believed that the
Induc-A virus had been propagating for at least a year before it was
discovered.
Countermeasures
Once a system has been compromised with a backdoor or Trojan
horse, such as the Trusting Trust compiler, it is very hard for the
"rightful" user to regain control of the system – typically one
should rebuild a clean system and transfer data (but not executables) over.
However, several practical weaknesses in the Trusting Trust scheme have been suggested. For example, a sufficiently
motivated user could painstakingly review the machine code of the untrusted
compiler before using it. As mentioned above, there are ways to hide the Trojan
horse, such as subverting the disassembler; but there are ways to counter that
defense, too, such as writing your own disassembler from scratch.
A generic method to counter trusting trust attacks is called
Diverse Double-Compiling (DDC). The method requires a different compiler and
the source code of the compiler-under-test. That source, compiled with both
compilers, results in two different stage-1 compilers, which however should
have the same behavior. Thus the same source compiled with both stage-1
compilers must then result in two identical stage-2 compilers. A formal proof
is given that the latter comparison guarantees that the purported source code
and executable of the compiler-under-test correspond, under some assumptions.
This method was applied by its author to verify that the C compiler of the GCC suite (v. 3.0.4) contained no trojan, using icc (v. 11.0) as the different compiler.
In practice such verifications are not done by end users, except
in extreme circumstances of intrusion detection and analysis, due to the rarity
of such sophisticated attacks, and because programs are typically distributed
in binary form. Removing backdoors (including compiler backdoors) is typically
done by simply rebuilding a clean system. However, the sophisticated
verifications are of interest to operating system vendors, to ensure that they
are not distributing a compromised system, and in high-security settings, where
such attacks are a realistic concern.
List of known backdoors
·
Back Orifice was created in 1998 by hackers from Cult of the Dead Cow group as a remote administration tool.
It allowed Windows computers
to be remotely controlled over a network and exploited the name similarity with
Microsoft BackOffice.
·
The Dual_EC_DRBG cryptographically secure pseudorandom number generator was revealed in 2013 to possibly have
a kleptographic backdoor deliberately inserted by NSA,
who also had the private key to the backdoor.
·
Several backdoors in the unlicensed copies of WordPress plug-ins were discovered in March 2014. They
were inserted as obfuscated JavaScript code
and silently created, for example, an admin account in the website database. A
similar scheme was later exposed in the Joomla plugin.
·
Borland Interbase versions
4.0 through 6.0 had a hard-coded backdoor, put there by the developers. The
server code contains a compiled-in backdoor account (username:politically, password: correct),
which could be accessed over a network connection, and once a user logged in
with it, he could take full control over all Interbase databases. The backdoor
was detected in 2001 and a patch was
released.
·
Juniper Networks backdoor inserted in the year 2008
into the versions of firmware ScreenOS from 6.2.0r15 to 6.2.0r18 and from
6.3.0r12 to 6.3.0r20 that
gives any user administrative access when using a special master password.
No comments