Attack on Linux foiled

[megman]

An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel stored at a publicly accessible database.

Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), a program designed to manage source code.

The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source-code database BitKeeper.

"This never got close to the development tree," he said. "BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."

Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases used by other developers.

One server apparently was earlier compromised by an intruder, and the attacker used his access to make a small change to one of the source-code files, M. McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected and only during a 24-hour period, he added.

"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."

When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. That comparison caught the change to the code stored on the server.

The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, Mr. McVoy said.

The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. While Microsoft code has had similar problems — the most notable are so-called "Easter Eggs" such as the flight simulator included in earlier versions of Excel — closed development is widely considered to be harder to exploit in that way.

Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.

"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."

A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.

BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development who don't want to add a new feature that would require all changes to be digitally signed.

Even so, he said, the open-source development model likely would have quickly turned up any security flaws.

"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me not freak about this."

Mr. McVoy said that the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Mr. Torvalds and others.

Mr. Torvalds could not be immediately reached for comment.