26

To clarify immediately, I'm not interested in writing a backdoor. I have no interest in submitting backdoor changelists to projects myself.

I'm researching some source modeling techniques, and we're interested in seeing if exploits or malicious code can be identified. We're using git and subversion histories to examine how a model snapshot captures relationships between the code. There is a question about whether certain types of code appear as outliers in an environment like this.

With that in mind, I'm having a hard time finding instances of a git/cvs/? open source repository with an example of a changelist that contained a backdoor, and was submitted and will show up in the logs.

We were looking at proftpd as an early example, but that exploit wasn't checked in; rather, it modified other versions of the code.

Are there examples in the revision history of an open source project of attempts to insert backdoor code?

Note: I submitted this to StackOverflow a while ago, but it was closed. I'm revisiting this now, and the recommendation was to ask here. Thanks!

swrittenb

4 Answers

17

Some notes about an attempt to get a backdoor into the Linux kernel, circa 2003. Apparently unsuccessful. The contemporary commentary was fairly interesting.

The linux kernel distribution machines got compromised again in 2011, but it seems like no code got changed that time.

UPDATE: Looks like a sourceforge mirror had a version of phpMyAdmin with a built-in backdoor.

Bruce Ediger

10

There was a backdoor in e107 CMS in 2010: http://www.esecurityplanet.com/headlines/article.php/3860981/Backdoor-Found-in-e107.htm

Two months ago (2012 Sep) phpmyadmin had a backdoor from one of the SourceForge repositories/mirrors: http://sourceforge.net/blog/phpmyadmin-back-door/

FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack in 2000: http://bsd.slashdot.org/story/10/12/15/004235/FBI-Alleged-To-Have-Backdoored-OpenBSDs-IPSEC-Stack

Open source has a lot of advantages compared to closed source, but this doesn't mean that an open source project is safe because of its nature. Continuous penetration testing is a must-have.

sh4d0w

Comments:

Thanks for the OpenBSD IPSEC stack link. I vaguely remember that. Did anything come out of that allegation? I Googled for a while, and found a bunch of denials, but nothing definitive. – Bruce Ediger Oct 31 '12 at 14:12

Nothing for the masses. – sh4d0w Oct 31 '12 at 14:54

1

The FOSDEM 2014 keynote by Poul-Henning Kamp (Varnish and Ntimed lead architect) is very interesting:

This is a fictitious NSA briefing I gave as the closing keynote at FOSDEM 2014

The intent was to make people laugh and think, but I challenge anybody to prove it untrue.

It's all fiction, but it's fiction by someone with tons of experience in open source projects.

Here's the 45 minute video.

And then there is How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer on CloudFlare's blog.

the

0

I think the biggest protection that most open source projects have is simply who gets access. Since generally not everyone can commit code to a project, those who have been given commit access themselves tend to be active enough that it wouldn't be worth trying to compromise that way. (It's easier just to try to find an existing exploit since the source is available.) Even if you were to try to make an abusive commit, you'd be putting in a lot of effort and face a decent chance of your rogue commit being detected by others prior to reaching a major release, thus burning yourself from the project and giving up all the work you did.

Basically, because the difficulty is high and the potential for reward is low, it simply isn't worth trying to compromise an open source project maliciously. The one place you might see it attempted (from a risk vs. reward standpoint) would be the government trying to do it, but in that case, it would probably be with at least some level of project support and would be concealed carefully. It would also be very hard to do without eventual detection for most software, so it is pretty unlikely even then.

AJ Henderson