Attempt to Create a Linux Kernel Backdoor

The Linux kernel source is actually maintained with a proprietary program called BitKeeper. Each night its contents are migrated onto the open source Concurrent Versioning System (CVS) for subsequent download by kernel contributors. Now it appears that the BitKeeper to CVS gateway was broken into with intent of adding an automatic switch to root (UID == 0) backdoor into the Linux kernel (see: linux-kernel archive). The new code was placed in the file kernel/exit.c function sys_wait4() (see: linux-kernel archive followup). It was the BitKeeper-to-CVS export process that detected that the CVS exit.c file was newer than the BitKeeper version.

Actually, as long as this type of thing can be seen in source, someone or some program (as in this case) will find it. The real problem occurs when the backdoor code gets into the binary image of a compiler, then it's erased from the compiler source, and it is able to replicate itself with each new version of the kernel.

See Ken Thompson's description: or a local copy

Rumor has it that Thompson was always fascinated with self-replicating code and that he had a similar backdoor into the early versions of Unix.

To see numerous examples of self-replicating code see a different Thompson. If you find this interesting then modify one of these programs so that it not only displays itself, but recompiles and displays itself repeatedly.