Understanding the Linux Backdoor: Implications for Open Source [When Penguins Cry]

Dave's Garage
4 Apr 202410:06

Summary

TLDR在这段视频中,Dave,一位退休的微软操作系统工程师,讨论了一个新发现的SSH后门漏洞,该漏洞被插入到Linux系统中。这个后门允许持有私钥的攻击者无需密码即可登录任何受影响的Linux服务器,并获得根访问权限。幸运的是,这个后门在造成广泛影响之前被一位微软员工发现,他在进行PostgreSQL数据库的基准测试时注意到SSH登录时间异常。Dave还探讨了开源和闭源系统在防止此类后门方面的优劣,指出尽管开源代码可以被任何人审查,但并非所有代码,特别是像XZ utils这样的小众项目,都会得到应有的关注。他强调了严格的商业发布流程,如Windows NT所采用的,如何通过多层次的代码审查和验证测试来捕捉这类问题。此外,Dave还分享了自己在微软实习期间的一次后门事件,强调了代码审查的重要性。

Takeaways

  • 🚪 存在一个SSH漏洞,可能允许攻击者登录任何Linux系统。
  • 🔑 漏洞涉及一个后门私钥,它被嵌入到SSH中,使得持有相应公钥的人可以无需密码登录。
  • 🧩 这个后门是通过XZ utils的代码提交引入的,影响了5.60和5.61版本。
  • 🔍 尽管代码本身没有修改,但通过Makefile注入了加密压缩的二进制数据,这在源代码审查中很难被发现。
  • 🛡️ 如果这个后门没有被及时发现,对Linux系统来说将是灾难性的。
  • 👀 一个在微软工作的PostgreSQL数据库基准测试人员注意到SSH登录时间变长,从而揭露了这个后门。
  • 🤔 开源和闭源系统在防止此类后门方面哪个更安全,是一个值得探讨的问题。
  • 📈 在商业发布中,代码变更会经过多层次的审查和验证测试,这有助于及早发现问题。
  • 👥 在Linux中,如果变更涉及到许多人关心的部分,可能会受到更多的审查。
  • 📚 作者在微软的实习经历中,有一个实习生在MS-DOS的复制命令中添加了一个特殊开关,这在源代码变更审查中被发现。
  • ✅ 微软在作者任职期间据其所知没有被插入过任何后门,这可能归功于严格的审查流程和一些运气。

Q & A

  • 视频中提到的Linux后门是如何工作的?

    -视频中提到,攻击者在Linux系统中插入了一个后门,该后门通过在SSH中查找一个私钥,并内置一个公钥。任何拥有这个私钥的人都可以无需密码就能通过SSH连接到任何带有该后门的Linux服务器,并获得root访问权限,从而对系统进行无限制的操作。

  • 这个后门的潜在影响是什么?

    -如果这个后门没有被及时发现,其潜在影响将是灾难性的。攻击者可以利用这个后门对任何受影响的Linux系统进行完全控制,这对于系统的安全性和用户的隐私权都是极大的威胁。

  • 这个后门是如何被插入到Linux系统中的?

    -后门是通过在XZ utils的5.60和5.61版本中插入代码实现的。开发者没有修改源代码,而是注入了加密和压缩的二进制数据,这些数据通过make文件在构建过程中被解密并插入。这意味着源代码审查不会发现任何变化,从而隐蔽了后门的存在。

  • 这个后门是如何被发现的?

    -一个在微软工作的基准测试人员在进行PostGIS数据库测试时,注意到SSH登录时间突然变长,这引起了他的注意。他深入研究并发现了这个后门,随后公布了这一信息。

  • 开源系统和闭源系统在防止此类后门方面哪个更有优势?

    -视频作者认为,在这种情况下,源代码的开放性并不是最关键的因素。开源系统的make文件和源代码一样公开,但可能没有得到足够的审查。而在闭源系统中,如Windows NT,代码变更需要经过多层次的审核和测试,这可能更有助于早期发现并阻止此类后门的出现。

  • 视频作者在微软的工作经历中有没有遇到过类似的情况?

    -视频作者在微软实习期间,有一个实习生同事在MS-DOS项目中尝试插入一个特殊命令行开关,用于打印不当信息。这个行为在源代码审查中被发现并阻止了。作者在微软的30年经历中,据他所知,Windows没有被插入过类似的后门。

  • 如何保护自己的Linux系统不受此类后门的影响?

    -用户应确保不使用受影响的XZ utils版本,并及时关注相关安全公告和更新。同时,可以通过审查系统的SSH配置和日志来检测是否有异常登录行为。

  • 视频作者对于开源社区在审查代码变更方面的看法是什么?

    -作者认为,开源社区中的代码变更审查可能不如商业闭源系统那样严格。特别是在不太受关注的项目部分,如XZ utils,可能不会得到应有的审查。

  • 在微软工作期间,代码变更的审查流程是怎样的?

    -在微软,代码变更需要经过多层次的审查和测试。首先,有一个专门的构建实验室会独立构建变更,然后通过基本构建和基本验证测试(BVTs)来确保功能正常和性能没有下降。这种严格的流程有助于早期发现并阻止潜在的问题。

  • 视频作者对于防止此类后门出现的建议是什么?

    -作者建议,无论是开源还是闭源系统,都需要有严格的代码审查流程和测试机制。同时,开发者和维护者需要对代码变更进行仔细的审查,以确保系统的安全性。

  • 视频作者提到的“幸运”在防止后门方面扮演了什么角色?

    -作者认为,尽管有严格的流程和审查,但很多时候防止后门的出现还是依赖于一定的运气。这意味着不能保证所有的安全问题都能被发现,但良好的流程和审查可以最大限度地减少这种风险。

Outlines

00:00

😀 Linux SSH后门漏洞及其影响

本段落介绍了Linux系统中新发现的SSH后门漏洞。该漏洞允许攻击者使用私钥登录任何受影响的Linux系统,无需密码即可获得root权限。该后门是通过XZ utils的5.60和5.61版本中的代码变更引入的,但并未广泛传播。发现该漏洞的是一位在微软工作的基准测试人员,他注意到SSH登录时间异常。尽管Linux是开源系统,但该漏洞的隐蔽性表明,即使是开源代码的审查也可能遗漏某些问题。

05:01

🤔 开源与闭源系统的安全性比较

该段落讨论了开源系统与闭源系统在防止后门漏洞方面的安全性。尽管开源代码可以被任何人审查,但实际上很少有人会去审查构建过程中的make文件。相比之下,像Windows NT这样的商业软件会经过更多的审查和测试流程,这有助于及早发现问题。作者通过自己在微软的经历,说明了严格的代码审查和测试流程的重要性,以及它们如何帮助维护软件的安全性。

10:02

📚 个人经历与后门故事

在最后一段中,演讲者分享了自己在微软实习期间的个人经历,其中包括一个实习生在MS-DOS的复制命令中添加了一个特殊的命令行开关,用以恶作剧。这个行为最终在代码审查中被发现,而演讲者本人并不知情。这个小插曲说明了即使是在严格的审查流程下,也可能有人试图引入不当的代码。幸运的是,该行为被及时发现,没有造成更大的影响。

Mindmap

Keywords

💡Linux

Linux是一种开源的操作系统内核,广泛用于服务器、桌面、移动设备和嵌入式系统。在视频中,Linux是讨论的主题之一,因为提到了一个可能影响所有Linux系统的SSH后门漏洞。

💡SSH

SSH(安全外壳协议)是一种加密的网络协议,用于安全地访问远程计算机。视频中提到SSH被插入了一个后门,允许攻击者使用特定的私钥登录到任何Linux系统。

💡后门

后门是一种在软件中故意留下的安全漏洞,允许未经授权的访问。视频中讨论了一个在Linux系统中发现的SSH后门,它允许攻击者绕过正常的认证过程。

💡XZ utils

XZ utils是一个开源的文件压缩工具,它包含了一个被恶意代码感染的版本,这个版本将SSH的后门公钥嵌入到了Linux系统中。视频中提到了XZ utils作为后门被插入的载体。

💡私钥和公钥

私钥和公钥是一对在加密通信中使用的密钥。在SSH后门的上下文中,攻击者拥有私钥,而受感染的SSH服务器包含相应的公钥,使得攻击者能够无需密码登录。

💡开源与闭源

开源软件和闭源软件是两种不同的软件开发和分发模式。开源软件允许用户查看和修改源代码,而闭源软件则不公开源代码。视频中讨论了这两种模式在防止后门漏洞方面的优劣。

💡代码审查

代码审查是一种质量保证过程,其中开发者的代码更改由其他开发者检查以发现错误或安全漏洞。视频中提到了代码审查在发现后门方面的重要性。

💡构建过程

构建过程是将源代码转换为可执行程序的一系列步骤。视频中提到了攻击者通过修改构建过程中的make文件来嵌入后门,而不是直接修改源代码。

💡性能基准测试

性能基准测试是一种评估软件性能的方法,通过运行一系列测试来比较不同系统或配置的性能。视频中提到了一个微软员工在进行基准测试时发现了SSH登录时间的异常,这最终帮助发现了后门。

💡make文件

make文件是一种特殊格式的文件,用于指导构建系统如何编译和链接程序。在视频中,攻击者通过在make文件中注入加密的二进制数据来嵌入后门,而不是修改源代码。

💡安全漏洞

安全漏洞是指计算机系统或网络中的弱点,可以被攻击者利用以获取未授权的访问或造成损害。SSH后门就是一个安全漏洞的例子,它允许攻击者绕过正常的认证机制。

Highlights

存在一个SSH漏洞,可能允许攻击者登录任何Linux系统

该漏洞是插入到Linux SSH中的一个后门,如果未被及时发现,后果将不堪设想

后门通过在XZ utils中嵌入公钥,允许持有私钥的人无需密码即可登录

攻击者可以获取任何受影响Linux系统的root访问权限

后门代码通过Makefile注入,不修改源代码,因此难以通过源代码审查发现

XZ utils的5.60和5.61版本中存在该后门,但未广泛传播到主流Linux发行版

非主流版本用户如果不使用最新版本,可能不会受到该后门的影响

一个在微软工作的Postgres数据库基准测试员发现了SSH登录延迟的问题,进而揭露了这个后门

开源系统和闭源系统在防止后门方面都有各自的优势和挑战

在微软,代码变更会经过多层次的审查和测试,以确保性能和安全性

在Linux中,代码审查可能不如商业软件严格,尤其是关注度较低的部分

作者在微软实习期间,一个实习生在MS-DOS中添加了一个特殊的命令行开关,作为恶作剧

该恶作剧被发现并导致该实习生未能继续在微软工作

作者认为,尽管有可能存在未被发现的后门,但微软Windows系统并未被证实有后门

微软通过严格的代码审查和变更流程,确保了产品的安全性

作者强调了审查流程和检查平衡的重要性,以及它们在防止不当行为中的作用

尽管存在严格的流程,但不能保证发现所有的安全问题,但可以大大减少风险

Transcripts

00:00

so I don't want to scare you but did you

00:01

know that somebody checked a back door

00:02

into Linux that allows the attacker to

00:04

log into any Linux system I'll tell you

00:07

about that and I'll also tell you about

00:09

the time somebody tried to check a back

00:10

door into Ms Doss and did it from my

00:13

office that's a cool

00:14

[Music]

00:21

story hey I'm Dave welcome to my shop

00:24

I'm Dave plumber retired operating

00:26

systems engineer from Microsoft going

00:27

back to the MSDS and Windows 95 days and

00:30

today we're going to talk about the new

00:32

SSH vulnerability back door that's been

00:34

inserted into Linux what it means how it

00:36

works and what the implications are and

00:38

whether open source is any better off

00:39

than closed source and these types of

00:41

scenarios first off obviously I'm not a

00:43

Linux developer I mean I write code for

00:45

Linux but I've never contributed at

00:46

least not since about 1993 when I

00:49

checked in a bugfix to was it Minix I

00:51

think it was early Linux um or email the

00:54

I should say but suffice to say I'm not

00:56

a Linux contributor or developer so

00:57

while I may not be a Linux expert that's

00:59

probably good for you right now cuz I

01:01

have to explain things in terms that I

01:02

understand which means you will likely

01:04

understand them as well so before we

01:06

look at what happened first what are the

01:08

implications what does this back door do

01:10

somebody checked in some code and it

01:12

looks for a private key and it has a

01:14

public key built into SSH and what are

01:16

the implications well to put it simply

01:22

catastrophic had this not been detected

01:24

as early as it was it would have been

01:26

truly catastrophic for Linux because

01:28

let's say that this this is a nation

01:30

state what they've done is they've built

01:32

a backdoor private key into SSH that

01:35

anybody with the public key or actually

01:37

vice versa they put the public key in

01:38

the product and then they hold the

01:39

private key anybody who holds that

01:41

private key and only that person nobody

01:43

else can use this exploit I should be

01:45

clear about that only if you hold the

01:47

private key which the original person

01:48

who inserted the back door does then you

01:51

can connect to any Linux server with

01:53

this back door inserted in fact you

01:55

don't need a password you just need to

01:56

connect by SSH and the SSH server will

01:58

say hey you've got the right private key

02:00

in your metadata or whatever extra data

02:02

is sent along with login request it

02:04

matches that logs you right in basically

02:07

not only a completely open door it's

02:09

even better than that because it gives

02:10

you root access

02:15

I that side of it's a little more

02:16

technical but suffice to say the result

02:19

is that you get unfettered access to any

02:21

Linux system in the world that you want

02:23

that's running this exploit and you get

02:25

rud access so how' they do it well what

02:27

they did is they checked code into XZ

02:29

utils and when I'm saying they I'm

02:32

talking about one of the main developers

02:34

of the XZ utils the good news is this is

02:36

in 5.60 and 5.61 versions of the XD

02:39

utils and that's pretty much bleeding

02:41

edge it did make it into a few very

02:43

early drops of dros but not it's not

02:46

going to be like in 20.04 won't be

02:47

picked up immediately or anything into

02:49

there so if you're not running on the

02:51

bleeding edge long story short you're

02:53

probably

02:54

safe but surely you can't put a price on

02:57

your login safety I wouldn't have

02:59

thought so either but here we are so

03:01

they checked code into xzu tills that

03:03

long story short bakes the public key

03:06

into SSH and then accepts connections

03:07

from anybody with the private key but

03:10

wouldn't that be obvious it seems like

03:11

this should be obvious and easy to

03:13

detect just by reviewing the source code

03:15

change logs but in fact it's not because

03:17

they were very clever about how they did

03:19

it they didn't modify the source code at

03:21

all instead they injected encrypted and

03:24

compressed binary data that is decrypted

03:26

and then inserted into the build process

03:28

via the make file for the XZ tills if I

03:31

understand it correctly but this means

03:33

there's no changes to the code so

03:35

anybody reviewing the source code

03:36

changes doesn't see any change and who

03:39

reads make file changes I mean they're

03:40

pretty obtuse and opaque to begin with

03:42

and if you have any idea what a make

03:44

file is doing it's either a simple make

03:45

file or you're having a really good day

03:47

because a lot of make files are pretty

03:49

complex and hard to follow once you get

03:51

to a certain complexity of a project so

03:53

at this point we've got a back door in

03:54

the Linux source code and all we have to

03:56

do or all they have to do is wait for it

03:58

to be propagated through out all the

04:00

builds and dros and trickle down

04:02

everybody and if it doesn't get caught

04:03

before that boom hey by the way one

04:07

thing I've noticed lately on YouTube is

04:08

that people are like bang ending their

04:10

videos immediately and I guess this must

04:12

appease the algorithm in some way so I'm

04:14

going to do that today which means if

04:16

I'm going to tell you the stuff that I

04:17

tell you at the end of every episode I

04:18

have to tell you now like halfway

04:20

through so here it is I'm mostly in this

04:22

for the subs and likes so if you're

04:23

finding today's episode to be any

04:25

combination of informative or

04:26

entertaining please leave me one of each

04:28

before you go today and if you or

04:30

anybody you know is on the Spectrum then

04:32

please check out the free sample of my

04:34

book on Amazon where I tell you

04:35

everything I know about autism that I

04:37

wish I'd know in way back then so who

04:39

caught it

04:41

Microsoft well not really Microsoft guy

04:43

that works for Microsoft also happens to

04:46

do benchmarking and so on on the postgis

04:49

database and he was running his tests

04:51

and he noticed that the SSH logins were

04:53

taking a lot longer than they used to

04:54

and this happened all of a sudden so he

04:57

dug into it and he's the hero that found

04:59

the information and the back door and

05:00

published it and let us all know about

05:02

it so had it not been for that this

05:04

would have likely been uncaught now of

05:07

course this promps the bigger question

05:08

of which is more protective against this

05:10

type of back door an open source system

05:12

or a closed Source system and I'd say in

05:15

this case the source code actually isn't

05:17

all that relevant of course it's open

05:19

but so is the make file was anybody

05:21

really scrutinizing the make file and if

05:22

they had would they have caught it if

05:24

they looked at it carefully well nobody

05:26

even at Microsoft is probably hand

05:28

reviewing and scrutinizing the make

05:29

build code changes unless they cause a

05:31

problem if they slow things down they're

05:34

going to take a look at it but if you

05:35

make changes to the make file and the

05:37

binary pops out then everything is cool

05:39

it's probably not going to get that much

05:40

scrutiny unlike a change to the actual

05:42

source code that's going to go through

05:43

several layers of review and approval

05:46

and again I've been gone for Microsoft

05:47

20 years so I'm talking about how we did

05:49

it back 20 years ago which was probably

05:50

pretty sloppy and lazy and horrible

05:52

compared to what they're doing now but

05:54

here's the beauty of a regimental

05:56

commercial release with something like

05:57

Windows NT you don't just check in code

06:00

and then wait for it to show up in the

06:01

build it goes through a lot of processes

06:03

in between first there's a build lab

06:05

that picks up just your change build

06:06

your change independently builds a build

06:08

with your change kicks that out and it

06:11

goes through basic build and when all

06:13

the changes are collected for the day

06:14

that build will go through bvts or basic

06:17

verification tests and that's going to

06:18

check to make sure that all the normal

06:20

stuff works the smoke tests pass the

06:22

build boots does everything correctly

06:24

and that the performance is not

06:25

seriously degraded from previous builds

06:27

and that's how it would have been caught

06:28

early at Microsoft because the

06:29

significant impact to the login chain

06:32

would have caused the regression in when

06:33

log on if it were you know the

06:35

equivalent component in Windows and that

06:37

would have been detected immediately now

06:40

that's not to say that every such change

06:42

would be so it's not a golden guarantee

06:44

or anything but the fact that any change

06:47

to the product goes through both human

06:48

manual review of the textual changes to

06:50

the source code and then through a bunch

06:52

of verification tests and benchmarks and

06:54

several other verification tests that

06:56

make sure the functionality and the

06:58

performance hasn't regressed that

07:00

catches a lot of things it still won't

07:02

catch everything be clear on that so

07:04

there is no Panacea now the other thing

07:06

is when you're checking into code say

07:07

I'm checking into the heat manager well

07:09

the guy who write wrote The Heat manager

07:11

and the person who maintains the heat

07:12

manager is going to very carefully check

07:15

my changes when you get something like

07:16

exz utils I think there was only two

07:18

people working on it so did the other

07:19

person really vet these changes very

07:21

carefully or did lonus you know get out

07:23

of his computer and check every line I

07:25

doubt that so who is actually vetting

07:27

these changes as they go into the build

07:28

and the answer is I don't know because

07:30

I'm not involved in that process so I

07:32

can't really speak to what goes on

07:34

behind the scenes in Linux I can only

07:36

tell you what used to happen in Windows

07:38

how that you extrapolate that forward

07:39

and assume they're more careful now and

07:41

the protective aspects of that now the

07:43

difference is if it's in a part of Linux

07:44

that a lot of people care about a lot of

07:46

people are going to look at it but if

07:47

it's in a part of Linux that a lot of

07:48

people don't care about like xzu tills

07:51

then it's probably not going to get the

07:52

scrutiny that it deserves especially

07:54

when you see the implications of how

07:55

this change manifests so now a bit of my

07:58

own back door stories

08:00

when I was an intern in 1993 I was in MS

08:02

DOS working on MS DOS 6.2 where I worked

08:05

on Smart drive and highe and some of the

08:07

compression engine relocation disc copy

08:11

setup whole bunch of stuff and there was

08:13

a guy in my office that was also an

08:14

intern so we shared an office because we

08:16

were just interns and he decided that he

08:19

was working I believe on the copy

08:20

command and he took the opportunity to

08:22

check not a back door per se but a

08:24

special command line switch so instead

08:26

of you know how with x copy SLS we'll do

08:29

folder

08:30

well with copy he added it so that slart

08:33

which is like asky 254 I forget the

08:35

actual OEM code page at this moment but

08:38

whatever it was he used a special

08:40

graphic character and he made that a

08:41

command line switch and it would just

08:42

print I love sex over and over and over

08:44

and over and over and it would print

08:45

that out I didn't know anything about

08:47

this and then after I'm done my

08:49

internship I get a call from my manager

08:51

at the time who calls me at home and

08:52

says yeah so what did you know about

08:54

this and the answer was I knew nothing

08:57

and uh naturally they did not invite get

08:59

the guy back it was caught in the manual

09:01

source code Change review that I spoke

09:02

of earlier or however they caught it and

09:05

it did not look good for him I don't

09:06

know what the repercussions were I don't

09:08

know what they did I wasn't involved all

09:10

I know is that they took me at my word

09:12

that I wasn't involved and thankfully

09:13

for that because I want up working on

09:15

Microsoft for a long time and I don't

09:17

know if I would have hired me after that

09:18

little incident in my office did I

09:20

really not know about it I didn't so now

09:23

in all my time at Microsoft and in the

09:24

two decades since over this course of 30

09:27

years of Windows and Ms Doss to my

09:29

knowledge there has never been a back

09:30

door inserted into Windows now it's

09:33

possible that one has and it's just

09:34

never been found but I would assume that

09:36

by now there would be some exploit that

09:38

would take advantage of it is that

09:39

diligence process Superior coding or

09:41

pure luck well I'm going to guess a lot

09:43

of it's luck but a lot of it is process

09:46

doesn't mean the developers are any

09:47

smarter it does mean that people have

09:49

day jobs where they are assigned to look

09:50

at code changes in other people's

09:52

products whether they want to or not

09:54

then they are responsible for anything

09:55

that happens as a result of those

09:56

changes and that makes people pretty

09:58

honest and as for the people that aren't

10:00

honest there are processes and checks

10:02

and balances to make sure they don't do

10:04

a lot of harm thanks for joining me see

10:06

you

Rate This

5.0 / 5 (0 votes)

相关标签
Linux安全SSH漏洞后门风险开源系统闭源系统代码审查技术讲解网络安全微软工程师漏洞检测系统防护