Backdoors: Definition, Deniability and Detection

Detecting backdoors is a difficult task; automating that detection process is equally challenging. Evidence for these claims lies both in the lack of automated tooling and in the fact that the vast majority of real-world backdoors are still detected by laborious manual analysis. The term backdoor, casually used in both the literature and the media, does not have a concrete or rigorous definition. In this work we provide such a definition. Further, we present a framework for reasoning about backdoors through four key components, which allows them to be modelled succinctly and provides a means of rigorously defining the process of their detection. Moreover, we introduce the notion of deniability in regard to backdoor implementations, which permits reasoning about the attribution and accountability of backdoor implementers. We show that our framework is able to model eleven diverse real-world backdoors and one more complex backdoor from the literature, and, in doing so, provides a means to reason about how they can be detected and about their deniability. Further, we demonstrate how our framework can be used to decompose backdoor detection methodologies, which serves as a basis for developing future backdoor detection tools, and shows how current state-of-the-art approaches consider neither a sound nor a complete model.
