7

From my brief understanding of Linux, developers from around the globe submit code to be included into a Linux update. It's then reviewed by security administrators. When approved, it's passed onto Linus, the founder of Linux for his final approval.

With all of this code being submitted by unknown developers throughout the world, how can the security administrators make sure that there isn't any backdoor scripts being added onto the OS? Aren't there like 15 million lines of code? Do the admins of the OS really understand every line of code and know for sure that people haven't submitted something that could corrupt the system such as malware, backdoors or spyware?

Improve this question
3
  • 8
    They wouldn't be good security engineers if they didn't pick those out :-) The same question goes the other way, how can you ever be sure closed source software isn't backdoored if it's not reviewed by many eyes in a community.
    – Nomad
    Commented May 12, 2018 at 16:27
  • 1
    Unknown developers? Last I checked, you have to provide your full, legal name to contribute to the kernel. It's not like there's a kernel.org/submit.php where you can make any changes you want to the live kernel.
    – forest
    Commented May 12, 2018 at 22:50
  • 1
    do think Linus reviews every line of code that goes into all Linux Distros? He must be busier than santa...
    – dandavis
    Commented May 14, 2018 at 20:41

3 Answers 3

Reset to default
19

You are misunderstanding how open source software development works. Not just anyone can modify the kernel, so no "unknown developers from around the world" are submitting mysterious lines of code. In order to make changes directly, you have to be hired by the Linux Foundation or another organization that has access to commit privileges, not just pass a brief check. Everyone else can only suggest improvements (often in the form of a patch) on the public mailing lists, and hope that the official developers will accept their suggestions and make the changes on their behalf. The review of patches is quite intense and patches often have to go through many revisions before being accepted, sometimes with each line being criticized (often for the most trivial things).

This is not so different from closed source development. You could argue that anyone can make modifications to Microsoft Windows simply by looking for a job at Microsoft. The only difference is that open source software is more transparent about their development process.

With all of this code being submitted by unknown developers throughout the world, how can the security administrators make sure that there isn't any backdoor scripts being added onto the OS?

Everything added is reviewed. The only way to get a backdoor in would be to provide a patch that looks good, but which has an exploitable bug that you are aware of. This is possible, but quite unlikely. Developers don't need to be malicious to introduce bugs at staggering rates!

Aren't there like 15 million lines of code?

More, actually. However a large portion of this is for device drivers which you will never even use. The Linux kernel is monolithic, which means hardware-related code is put in the kernel. The core of the kernel itself is actually not that big. It only looks big when you count the fact that it also includes code from obscure karaoke microphone drivers that are not even present in your kernel.

Do the admins of the OS really understand every line of code and know for sure that people haven't submitted something that could corrupt the system such as malware, backdoors or spyware?

No, although some particularly savvy sysadmins do have a good knowledge of how the kernel works internally. There are quite a few eyes on the code in the Linux kernel looking for bugs. It is hard for them all to hide. Yes, it is possible that a bug was secretly introduced (after all, it was attempted and foiled a few times), but the painful truth is, such intentional bugs would be a drop in the water compared to all the naturally existing bugs that find their way into such a huge codebase.

Improve this answer
1
  • 4
    I wish I could give you an upvote for good answer, and another for "obscure karaoke microphone drivers". :)
    – Mike Ounsworth
    Commented May 20, 2021 at 4:13
8

TLDR: You trust the people, their credentials and the companies' interests in securing their infrastructures.

As you would see in several closed an open source projects, the project is divided into smaller parts which are handled by different people. As of the latest Linux kernel report it has about 1600+ developers and 24 million+ lines of code. Of course, you can't expect every developer to know everything. But you can pick the right people to manage say your networking stack or say your USB stack etc. That is what Linux does (you can read more about that in the report).

You pick the right people for the job and then trust them to do them wisely. If they don't, there is another line of defense in terms of the number of people and companies that use these products and have vested interests in ensuring that their infrastructure or packaged solutions are safe. That is how open source software often gets its patches. People who use it find bugs and either just report it or report it and fix it.

It is the open source nature of Linux that provides so many ways in which you protect a system. If it were produced by a single company, you would be placing all your eggs in one basket.

Improve this answer
5

To give a slightly different answer from the others, a few backdoors have been caught in the linux kernel over the years (which means there are maybe some that have not been caught).

I like to cite the example from 2003:

The modified code was this:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
    retval = -EINVAL;

Looks harmless, right? If this function was called with the options __WCLONE and __WALL and you are root ... wait current->uid = 0 ... current->uid == 0 ... huh, that's not asking if you are root, that's setting you to root! So if you call this function with those two options together, then BAM! you're now root!

As it turns out, this change was not even made by a trusted linux contributor; someone hacked into the version control server and planted this code change, and so it was caught when someone noticed that this commit did not have a proper author associated with it (I'm simplifying a bit, you can read the full story at the link above).

What makes you think this kind of attack is unique to open source?

Remember the SolarWinds attack that started in Dec 2020 and raged across the net landscape for the next 4 months?

In this case, the attackers introduced a pre-crafted backdoor into a trusted software product (SolarWinds Orion) that was delivered automatically to thousands of customers, disguised as a normal update. (source)

Well that sounds familiar!

So I think you are completely correct to worry about insider threat and backdoors in software, but this problem is definitely not unique to open source! If anything, these types of backdoors are more likely to be caught in open source where you typically have dozens to hundreds of contributors and a very strict pull request and code review process, compared to private companies where devs tend to work on teams of 6 - 10 and typically everybody can put code straight on the master branch and skip code-review if they want to (it's often considered rude to do that, but often not strictly enforced).

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .