Backdoor
Encyclopedia
A backdoor in a computer
system (or cryptosystem
or algorithm
) is a method of bypassing normal authentication
, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice
) or may subvert the system through a rootkit
.
here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning
. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA
sponsorship by J.P. Anderson and D.J. Edwards in 1970.
A backdoor in a login system might take the form of a hard code
d user and password combination which gives access to the system. A famous example of this sort of backdoor was used as a plot device in the 1983
film WarGames
, in which the architect of the "WOPR
" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode and direct interaction with the artificial intelligence
).
An attempt to plant a backdoor in the Linux kernel
, exposed in November 2003, showed how subtle such a code change can be. In this case, a two-line change appeared to be a typographical error, but actually gave the caller to the sys_wait4 function root access
to the system.
Although the number of backdoors in systems using proprietary software
(software whose source code
is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler
so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
Many computer worm
s, such as Sobig and Mydoom (and the covert Skynet), install a backdoor on the affected computer (generally a PC
on broadband
running insecure versions of Microsoft Windows
and Microsoft Outlook
). Such backdoors appear to be installed so that spammers
can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM
measures — and, in that case, as data gathering agents
, since both surreptitious programs they installed routinely contacted central servers.
A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering
, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks have been termed kleptography
; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology
.
There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available.
's Reflections on Trusting Trust was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code
. A program called a compiler
is used to create the second from the first, and the compiler is usually trusted to do an honest job.
Thompson's paper described a modified version of the Unix
C
compiler that would:
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept
implementation, the subverted compiler also subverted the analysis program (the disassembler
), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was, officially, never released into the wild. It is believed, however, that a version was distributed to BBN
and at least one use of the backdoor was recorded.
This attack was recently (August 2009) discovered by Sophos labs: The W32/Induc-A virus infected the program compiler for Delphi, a Windows programming language. The virus introduced its own code to the compilation of new Delphi programs, allowing it to infect and propagate to many systems, without the knowledge of the software programmer. An attack that propagates by building its own Trojan horse
can be especially hard to discover. It is believed that the Induc-A virus had been propagating for at least a year before it was discovered.
Once a system has been compromised with a backdoor or Trojan horse
, such as the Trusting Trust compiler, it is very hard for the "rightful" user to regain control of the system. However, several practical weaknesses in the Trusting Trust scheme have been suggested. For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to hide the Trojan horse, such as subverting the disassembler; but there are ways to counter that defense, too, such as writing your own disassembler from scratch, so the infected compiler won't recognize it. However, such proposals are generally impractical. If a user had a serious concern that the compiler was compromised, they would be better off avoiding using it altogether rather than reviewing the binary in detail using only tools that have been verified to be untainted. A user that did not have serious concerns that the compiler was compromised could not be practically expected to undertake the vast amount of work required.
David A. Wheeler
has proposed a counter to this attack using an approach he calls "diverse double-compiling", which uses techniques adapted from compiler bootstrapping. This involves re-compiling the source of the compiler through another independently-written and generated "trusted" compiler, and then using the binary generated from this to recompile the original compiler again, and then comparing the binary generated from this second compilation with that generated from using the original compiler to recompile itself directly.
Computer
A computer is a programmable machine designed to sequentially and automatically carry out a sequence of arithmetic or logical operations. The particular sequence of operations can be changed readily, allowing the computer to solve more than one kind of problem...
system (or cryptosystem
Cryptosystem
There are two different meanings of the word cryptosystem. One is used by the cryptographic community, while the other is the meaning understood by the public.- General meaning :...
or algorithm
Algorithm
In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning...
) is a method of bypassing normal authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice
Back Orifice
Back Orifice is a controversial computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a word play on Microsoft BackOffice Server software.Back Orifice was designed with...
) or may subvert the system through a rootkit
Rootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
.
Overview
The threat of backdoors which surfaced when multiuser and networked operating systems became widely adopted. Petersen and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference. They noted a class of active infiltration attacks that use "trapdoor" entry points into the system to bypass security facilities and permit direct access to data. The use of the word trapdoorTrapdoor (disambiguation)
A trapdoor is a door set into a floor or ceiling.Trapdoor or Trap Door may also refer to:* Trap Door , a science fiction fanzine* The Trap Door, a British animated TV series...
here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning
Trapdoor function
A trapdoor function is a function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction without special information, called the "trapdoor"...
. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA
ARPA
Arpa and ARPA may refer to:Arpa* Arpa River in Armenia* Areni, Armenia - formerly called Arpa* Arpi, Armenia, also called Arpa* Turkish for Akhurian River in Turkey and Armenia* Italian for harp, sometimes used in scoresARPA...
sponsorship by J.P. Anderson and D.J. Edwards in 1970.
A backdoor in a login system might take the form of a hard code
Hard code
Hard coding refers to the software development practice of embedding what may, perhaps only in retrospect, be regarded as input or configuration data directly into the source code of a program or other executable object, or fixed formatting of the data, instead of obtaining that data from external...
d user and password combination which gives access to the system. A famous example of this sort of backdoor was used as a plot device in the 1983
1983 in film
-Events:*February 11 - The Rolling Stones concert film Let's Spend the Night Together opens in New York*May 25 - Star Wars Episode VI: Return of the Jedi, the final film in the original Star Wars trilogy, is released. Like the previous films, it goes on to become the top grossing picture of...
film WarGames
WarGames
WarGames is a 1983 American Cold War suspense/science-fiction film written by Lawrence Lasker and Walter F. Parkes and directed by John Badham. The film stars Matthew Broderick and Ally Sheedy....
, in which the architect of the "WOPR
WOPR
WOPR is a fictional military supercomputer featured in the movie WarGames and its sequel. It is an acronym for War Operation Plan Response. Director John Badham invented the name "WOPR" when he thought the NORAD SIOP was "boring, and told you nothing"...
" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode and direct interaction with the artificial intelligence
Artificial intelligence
Artificial intelligence is the intelligence of machines and the branch of computer science that aims to create it. AI textbooks define the field as "the study and design of intelligent agents" where an intelligent agent is a system that perceives its environment and takes actions that maximize its...
).
An attempt to plant a backdoor in the Linux kernel
Linux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
, exposed in November 2003, showed how subtle such a code change can be. In this case, a two-line change appeared to be a typographical error, but actually gave the caller to the sys_wait4 function root access
Superuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
to the system.
Although the number of backdoors in systems using proprietary software
Proprietary software
Proprietary software is computer software licensed under exclusive legal right of the copyright holder. The licensee is given the right to use the software under certain conditions, while restricted from other uses, such as modification, further distribution, or reverse engineering.Complementary...
(software whose source code
Source code
In computer science, source code is text written using the format and syntax of the programming language that it is being written in. Such a language is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source...
is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler
Compiler
A compiler is a computer program that transforms source code written in a programming language into another computer language...
so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
Many computer worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
s, such as Sobig and Mydoom (and the covert Skynet), install a backdoor on the affected computer (generally a PC
IBM PC compatible
IBM PC compatible computers are those generally similar to the original IBM PC, XT, and AT. Such computers used to be referred to as PC clones, or IBM clones since they almost exactly duplicated all the significant features of the PC architecture, facilitated by various manufacturers' ability to...
on broadband
Broadband
The term broadband refers to a telecommunications signal or device of greater bandwidth, in some sense, than another standard or usual signal or device . Different criteria for "broad" have been applied in different contexts and at different times...
running insecure versions of Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
and Microsoft Outlook
Microsoft Outlook
Microsoft Outlook is a personal information manager from Microsoft, available both as a separate application as well as a part of the Microsoft Office suite...
). Such backdoors appear to be installed so that spammers
E-mail spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM
Digital rights management
Digital rights management is a class of access control technologies that are used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices after sale. DRM is any technology that inhibits uses of digital content that...
measures — and, in that case, as data gathering agents
Software agent
In computer science, a software agent is a piece of software that acts for a user or other program in a relationship of agency, which derives from the Latin agere : an agreement to act on one's behalf...
, since both surreptitious programs they installed routinely contacted central servers.
A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering
Reverse engineering
Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation...
, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks have been termed kleptography
Kleptography
Kleptography is the study of stealing information securely and subliminally. Kleptography is a subfield of cryptography and cryptovirology, and is a natural extension of the theory of subliminal channels that was pioneered by Gus Simmons...
; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology
Cryptovirology
Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees regarding a virus and what the virus writer sees...
.
There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available.
Reflections on Trusting Trust
Ken ThompsonKen Thompson
Kenneth Lane Thompson , commonly referred to as ken in hacker circles, is an American pioneer of computer science...
's Reflections on Trusting Trust was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code
Machine code
Machine code or machine language is a system of impartible instructions executed directly by a computer's central processing unit. Each instruction performs a very specific task, typically either an operation on a unit of data Machine code or machine language is a system of impartible instructions...
. A program called a compiler
Compiler
A compiler is a computer program that transforms source code written in a programming language into another computer language...
is used to create the second from the first, and the compiler is usually trusted to do an honest job.
Thompson's paper described a modified version of the Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
C
C (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....
compiler that would:
- Put an invisible backdoor in the Unix loginLogging (computer security)In computer security, a login or logon is the process by which individual access to a computer system is controlled by identifying and authentifying the user referring to credentials presented by the user.A user can log in to a system to obtain access and can then log out or log off In computer...
command when it noticed that the login program was being compiled, and as a twist - Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept
Proof of concept
A proof of concept or a proof of principle is a realization of a certain method or idea to demonstrate its feasibility, or a demonstration in principle, whose purpose is to verify that some concept or theory that has the potential of being used...
implementation, the subverted compiler also subverted the analysis program (the disassembler
Disassembler
A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language...
), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was, officially, never released into the wild. It is believed, however, that a version was distributed to BBN
BBN Technologies
BBN Technologies is a high-technology company which provides research and development services. BBN is based next to Fresh Pond in Cambridge, Massachusetts, USA...
and at least one use of the backdoor was recorded.
This attack was recently (August 2009) discovered by Sophos labs: The W32/Induc-A virus infected the program compiler for Delphi, a Windows programming language. The virus introduced its own code to the compilation of new Delphi programs, allowing it to infect and propagate to many systems, without the knowledge of the software programmer. An attack that propagates by building its own Trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
can be especially hard to discover. It is believed that the Induc-A virus had been propagating for at least a year before it was discovered.
Once a system has been compromised with a backdoor or Trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
, such as the Trusting Trust compiler, it is very hard for the "rightful" user to regain control of the system. However, several practical weaknesses in the Trusting Trust scheme have been suggested. For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to hide the Trojan horse, such as subverting the disassembler; but there are ways to counter that defense, too, such as writing your own disassembler from scratch, so the infected compiler won't recognize it. However, such proposals are generally impractical. If a user had a serious concern that the compiler was compromised, they would be better off avoiding using it altogether rather than reviewing the binary in detail using only tools that have been verified to be untainted. A user that did not have serious concerns that the compiler was compromised could not be practically expected to undertake the vast amount of work required.
David A. Wheeler
David A. Wheeler
David A. Wheeler is a computer scientist. He is best known for his work on Open source software/Free-libre software and Computer security.-Open Source Software:...
has proposed a counter to this attack using an approach he calls "diverse double-compiling", which uses techniques adapted from compiler bootstrapping. This involves re-compiling the source of the compiler through another independently-written and generated "trusted" compiler, and then using the binary generated from this to recompile the original compiler again, and then comparing the binary generated from this second compilation with that generated from using the original compiler to recompile itself directly.
External links
- Three Archaic Backdoor Trojan Programs That Still Serve Great Pranks
- Backdoors removal — List of backdoors and their removal instructions.
- FAQ Farm's Backdoors FAQ: wiki question and answer forum
- List of backdoors and Removal