White paper: Linux vulnerable to infiltration

Linux source code could be infiltrated by dubious elements, including spies, according to a white paper released by Dan O'Dowd, CEO of Green Hills Software Inc.

This is O'Dowd's second white paper in a series that his company describes as being focused on "the urgent security threat posed by the use of the Linux operating system in U.S. defense systems, including the Future Combat System and Global Information Grid."

Provocatively titled "'Many Eyes' - No Assurance Against Many Spies," the paper claims to debunk the fallacy that giving "many eyes" access to Linux source code ensures that it's free of Trojan horses or other malicious software.

Here is O'Dowd's argument:

"Now that foreign intelligence services and terrorists know that we plan to trust Linux to run some of our most advanced defense systems, we must expect them to deploy spies to infiltrate Linux. The risk is particularly acute since many Linux contributors are based in countries from which the U.S. would never purchase commercial defense software. Some Linux providers even outsource their development to China and Russia."

O'Dowd said the assumption that Linux is safe is based on what he calls "the dangerous misconception that the so-called 'many eyes' looking at Linux source code will find any malicious bugs hidden in Linux by foreign intelligence agents or terrorists."

"This misconception is based on the silly assumption that looking at source code is an effective way of finding bugs," he continues.

"Hundreds of bugs that attackers can exploit to penetrate Linux security are identified every year. Many of these critical security bugs have been in the code for years without being detected by the 'many eyes' looking at the source code," O'Dowd writes. "How can anyone believe that the open source process can eradicate all of the cleverly hidden intentional bugs put in by foreign intelligence agents and terrorists when the process can't find thousands of unintentional bugs left lying around in the source code?"

Then O'Dowd contrasts the vulnerability (as he sees it) of Linux with the designed-in security of Green Hills Software's products. His 12-year-old Santa Barbara, Calif.-based company specializes in real-time operating systems and software development tools for 32- and 64-bit embedded systems.

"Many people believe that it is impossible for any operating system to have no known bugs in security-critical code, implying that no operating system is really secure," he declares. "But that is not true. There are no outstanding bugs in our DO-178B Level A certified INTEGRITY-178B real-time operating system. This is the true reliability and security that our national defense systems need."

The white paper reviews mechanisms that O'Dowd believes can be used to infiltrate and compromise Linux and its source code. He also explains why he believes malicious code can easily escape detection.

The white paper is available online.

This story, "White paper: Linux vulnerable to infiltration" was originally published by LinuxWorld-(US).


Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon