
Backdoors: Definition, Deniability and Detection

Part of the Lecture Notes in Computer Science book series (LNSC, volume 11050)

Abstract

Detecting backdoors is a difficult task; automating that detection process is equally challenging. Evidence for these claims lies in both the lack of automated tooling and the fact that the vast majority of real-world backdoors are still detected by laborious manual analysis. The term backdoor, casually used in both the literature and the media, does not have a concrete or rigorous definition. In this work we provide such a definition. Further, we present a framework for reasoning about backdoors through four key components, which allows them to be modelled succinctly and provides a means of rigorously defining the process of their detection. Moreover, we introduce the notion of deniability in regard to backdoor implementations, which permits reasoning about the attribution and accountability of backdoor implementers. We show that our framework is able to model eleven diverse real-world backdoors and one more complex backdoor from the literature, and, in doing so, provides a means to reason about how they can be detected and their deniability. Further, we demonstrate how our framework can be used to decompose backdoor detection methodologies, which serves as a basis for developing future backdoor detection tools, and shows that current state-of-the-art approaches consider neither a sound nor a complete model.

Keywords

  • Backdoors
  • Formalisation of definitions
  • Program analysis

This article is based upon work supported by COST Action IC1403 (CRYPTACUS).




Correspondence to Sam L. Thomas.


Copyright information

© 2018 Springer Nature Switzerland AG


Cite this paper

Thomas, S.L., Francillon, A. (2018). Backdoors: Definition, Deniability and Detection. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science, vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_5


  • DOI: https://doi.org/10.1007/978-3-030-00470-5_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer Science (R0)