Product Security Glossary

Bugdoors

What are Bugdoors?

To understand what bugdoors are you first need to understand what backdoors are.  A backdoor is some hidden mechanism that attackers can use to gain easy access to a computer system, a network device, or an embedded device.  A backdoor can be as simple as a hidden user account, or it can be something more complex.  Attackers can plant rootkits or other types of malware on a system in order to install a backdoor.

Bugdoors are a specific, more subtle type of backdoor.  Attackers can create programs that seem perfectly normal, but that contain hidden backdoors disguised as programming bugs.  Once someone installs a program with a bugdoor, the attacker would be free to access the computer or device.

Why are Bugdoors Dangerous?

Bugdoors are dangerous for the same reason that all other types of backdoors are dangerous.  They allow unauthorized personnel to access computers, network devices, and embedded devices for their own nefarious purposes.  Once in, attackers can do pretty much whatever they want to do on a system.  This could include stealing sensitive data, spying on sensitive communications, or any other type of mischief.

Bugdoors are especially dangerous because it’s harder to detect bugdoors on a running system than it is to detect other types of backdoors.  Scans and audits could possibly detect hidden user accounts and rootkits, but it’s a bit harder to detect when a program has an intentional bug that can provide backdoor access.

Is Open Source Software the Answer for Bugdoors?

With proprietary software, nobody is allowed to see the programming code except for authorized personnel at the software company.  Some people believe that proprietary software represents a security risk, because nobody outside the company is allowed to audit the code for security bugs.

Theoretically, open-source software should be much more secure because anybody who wants to can download the source code and audit it.  The harsh reality though, is that this isn’t always the case.  Many open-source software projects, including projects that provide critical infrastructure for the internet, are often underfunded and understaffed. Even with open-source projects, critical security bugs can lurk undetected for long periods of time.  The good news is that the problem has gotten more attention in recent years, and some rather influential organizations have been doing something about it.  Several years ago, the Linux Foundation set up a fund to issue grants to the developers of critical Internet infrastructure projects.  More recently, GitHub has been developing tools that help developers of open-source software scan their code for security bugs.

How Can We Prevent Bugdoors?

The solution for preventing bugdoors is the same as it is for preventing other types of vulnerabilities.  Software development shops need to integrate security into the entire software development lifecycle.  Too often, software shops look at security as an afterthought, as something that can be bolted on after a software product has already been created.  Unfortunately, this kind of thinking makes it harder to catch those nasty bugs.

Also, vendors and software shops need to ensure that their software supply chain is secure.  Code repositories must be set up with strong authentication to prevent unauthorized personnel from tampering with critical code.  Any third-party components that go into a software product must be audited for vulnerabilities.

Summary

As we’ve seen, bugdoors are an especially dangerous type of backdoor, because they’re harder to detect in finished software than other types of backdoors.  However, they can be prevented by including security as a critical part of the entire software development lifecycle, and by ensuring that only trusted personnel have read-write access to critical code repositories.