Effort to compromise Linux kernel foiled
- By William Jackson
- Nov 10, 2003
A routine integrity check of Linux kernel source code last week discovered a Trojan horse that had been slipped into a copy of the open-source operating system.
A seemingly innocuous line of code had been inserted into a relatively inactive part of the kernel that could have given an unauthorized user root access on machines running the compromised software, said Larry McVoy, chief executive officer of BitMover Inc. of San Francisco.
The change appeared to have been made by a Linux developer but was flagged because it did not show up in a reference copy of the source code. The change apparently was made about 2 a.m. Nov. 5 in the publicly accessible Concurrent Versions System (CVS) database housing the code. It was discovered about four hours later using BitMover's BitKeeper configuration management tool, McVoy said.
'What they found was actually quite clever,' he said. 'A script kiddy could not have done this by casually getting access to it.'
The incident apparently was the first attempt at introducing malicious code into Linux, which is being increasingly used in large data centers, including government installations. Last summer, the National Weather Service began migrating to Linux for its Advanced Weather Interactive Processing system in 122 NWS offices, and the National Science Foundation's Grid Computing project acquired four Linux clusters.
The NSF said it believes Linux will become the dominant operating system for research. The Energy Department's Lawrence Livermore National Laboratory's Linux cluster is the third fastest supercomputer in the world.
BitMover provides free hosting service for Open Source projects managed by BitKeeper, including the Linux kernel. Each day a copy of the kernel is sent to the CVS database. BitKeeper then compares versions in each database, using checksums produced for each file. When a difference was noted last week, its source was traced down to code that had been added to a system handling process calls.
The compromised server was shut down and investigated. It appeared to have been hacked from a university computer, which had in turn been hacked by a third party. The university is working to trace the source of the attack, McVoy said.
McVoy said the Linux kernel is a high-profile Open Source development project, and the security of the code is enhanced by the number of people who examine it.
'I have a lot of faith that the system built up by the open source world works,' he said. 'If we hadn't caught it, somebody else would. But it is gratifying that we were the ones who did it.'
Still, he found the hack disturbing. 'Whoever did this spent some time thinking about it,' he said. 'They were pretty clever. It's annoying to think that anyone who is clever enough to do it would do it.'
He said the incident also is an impetus to enhance BitKeeper with the ability to digitally sign changes made to code.
'This is a great kick in the pants to get busy,' he said. He hopes that ability could come within a year, but does not expect it to come much earlier than that.
William Jackson is a Maryland-based freelance writer.