Evil code in good source

An interesting discussion on Slashdot recently caught my eye: There are allegations that the FBI planted backdoors into the encryption software used by the OpenBSD operating system. Although the lead developer doubts that such backdoors eventually ended up in OpenBSD, code review is still underway.

But hang on, OpenBSD is an open source operating system. Surely if there were backdoors built into the encryption software, somebody would have noticed them by now? After all, OpenBSD has been in active open-source development for 15 years, and the claims are that the backdoors were added a decade ago. Furthermore, OpenBSD is highly reputed for its security and correctness of code.

Well, sometimes the best place to hide something is in plain sight. Although no such backdoor has been found yet, that doesn’t mean that it cannot be there. As a very insightful comment in the Slashdot discussion pointed out, hiding nasty stuff in innocuous-looking source code is a bit of a hobby for some, as can be seen in the yearly Underhanded C Contest.

Have a look, for example, at the 2007 winning entries, where the challenge was to “write a short, simple C program that encrypts/decrypts a file, given a password on the command line.” A small fraction of the time, the program should dramatically compromise the strength of the encryption, and make the ciphertext simple or trivial to crack. However, the source code itself must look absolutely innocent.

The winning entries are fascinating: they exploit subtle programming errors that are almost impossible to pick up, and are highly likely to pass more casual review.

Open source is a brilliant model for improving trust in software, because as Eric Raymond put it, “given enough eyeballs, all bugs are shallow” — and, by extension, sneakiness too. But it’s useful to be reminded that this trust should never be absolute.
