Tuesday, December 22, 2015

What is a Backdoor?


Suppose you have saved your password on your laptop. Anyone who has access to your laptop can then get unauthorized access to your account. That is a simple way of saying what a Backdoor is.

A Backdoor is a method for bypassing normal authentication in a system, thereby providing unauthorized remote access to the system to malicious users.








A Backdoor may be implemented as a hidden part of a program, as a separate program, or even in hardware.

Just to give an example, in 2003 a Backdoor was planted in the Linux Kernel. In a conditional statement for checking root access permission, '==' was replaced with '='. As a result, it gave unauthorized access to malicious callers. More recently, in 2015, Juniper Networks warned about a malicious Backdoor in their firewalls that automatically decrypts VPN traffic.
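A simplified model of the '==' to '=' change described above, added here as an illustration and not the actual kernel code; the struct, flag names and values are hypothetical. It shows why such a change is hard to catch by testing return values: the check still returns normally, while the caller's uid is overwritten with 0 as a side effect.

```c
#include <stdio.h>

/* Constructed model: struct, flag names and values are hypothetical. */
#define FLAG_A 0x1u
#define FLAG_B 0x2u
#define ERR_INVALID (-22)

struct task { unsigned int uid; };   /* uid 0 means root */

/* Intended form: a comparison, so the caller's uid is only read. */
int check_clean(struct task *t, unsigned int options)
{
    if ((options == (FLAG_A | FLAG_B)) && (t->uid == 0))
        return ERR_INVALID;
    return 0;
}

/* Backdoored form as the page describes it: '==' became '='.
 * The assignment evaluates to 0, so the branch is never taken and the
 * return value looks normal, but the caller's uid is now 0. */
int check_backdoored(struct task *t, unsigned int options)
{
    if ((options == (FLAG_A | FLAG_B)) && (t->uid = 0))
        return ERR_INVALID;
    return 0;
}

/* Review aid: run a check and report whether it modified state that a
 * pure validation routine has no reason to touch. Returns 1 if uid changed. */
int check_mutates_uid(int (*check)(struct task *, unsigned int),
                      unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    (void)check(&t, options);
    return t.uid != uid;
}

int main(void)
{
    unsigned int opts = FLAG_A | FLAG_B;
    printf("clean mutates uid:      %d\n", check_mutates_uid(check_clean, 1000, opts));
    printf("backdoored mutates uid: %d\n", check_mutates_uid(check_backdoored, 1000, opts));
    return 0;
}
```

Because the assignment is wrapped in its own parentheses, compilers that normally warn about an assignment used as a condition treat it as intentional, so code review and state-mutation checks like the one above are what catch it.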




There are two types of Backdoors – Object Code Backdoors and Asymmetric Backdoors.

In Object Code Backdoors, the software source code remains unchanged, but the object code is modified maliciously. As the object code is designed to be machine readable, such a Backdoor is much more difficult to detect. This type of Backdoor is inserted in the on-disk object code or at some point during compilation, linking or loading.

Recompiling the software source code may get rid of the Backdoors. So, malicious users sometimes change the compiler source code in such a way that, whenever it compiles, links and loads the source code, the Backdoor is inserted. These Backdoors can be fixed by removing the Backdoor-inserting code and recompiling the compiler.


Normally, Backdoors are symmetric: anyone who finds the Backdoor can in turn use it. Asymmetric Backdoors, however, can be exploited only by the attacker who plants them, even if the Backdoor implementation becomes public. This type of attack is termed Kleptography, and it can be carried out in software, in hardware, or in a combination of both. The theory of Asymmetric Backdoors is part of a larger field named Cryptovirology.




Countermeasures

  • Once Backdoors are detected, rebuild a clean system and transfer the data.
  • Another method is to use Diverse Double Compiling, or DDC. It requires a different compiler and the source code of the compiler to be tested. When that source code is compiled with the two different compilers, the result is two different stage-1 compilers that show the same behavior. Thus, the same source code compiled with the two stage-1 compilers must result in two identical stage-2 compilers. This method was applied to verify that the C compiler of the GCC suite contained no trojan, using icc as the other compiler. Normally, operating system vendors implement this type of method to make sure they are not distributing a compromised system.




This was an introductory article on Backdoors. Hope you enjoyed it.

