Mailing List Archive

Gentoo Portage Attack Tree
Peter Simons wrote:
> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
> the Gentoo main system.
>
> (2) Sign the output with GPG.
>
> (3) Put it into the portage tree.
>
> (4) If the user has GPG installed and has manually put the
> appropriate public key in some place _outside_ of the
> portage tree, have "emerge sync" verify that the
> signature is intact and all hashes hold.
>
> (5) Missing files in the tree are okay (rsync_excludes),
> files in the tree which do not have a hash are not okay.

This is a good start, but I have some thoughts.

Let's see the attack tree against Gentoo portage. The attacker wants to
inject malicious code into the tree, he has several choices now:

1) Attack the end user's machine

2) Attack the connection between the end user and the Portage mirror

3) Attack the mirror machine

4) Attack the connection between the main site and the mirror

5) Attack the main site

6) Attack the connection between the developer and the main site

7) Attack the developer's machine

Your algorithm eliminates the risk in leaves 2 to 4.

How about this: the developers have to sign the files they upload, but
do this before they upload them? This would eliminate leaves 5 and 6, too.


/Ervin

--
gentoo-security@gentoo.org mailing list
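The five-step scheme quoted at the top of this post, as an added example that is not code from the thread: a small Python checker for the `sha1sum -b` manifest, applying rule (5) (files missing from the synced tree are tolerated, files whose hash differs or which are absent from the manifest are rejected), with the signature step shelling out to gpg against a keyring kept outside the tree. The paths, file contents and function names are constructed for illustration.

```python
import hashlib
import subprocess

def parse_manifest(text):
    # Parse `sha1sum -b` output: one "<40 hex digits> *<path>" line per file.
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition(" ")
        if len(digest) != 40 or set(digest) - set("0123456789abcdef"):
            raise ValueError("malformed manifest line: %r" % line)
        expected[path.lstrip("*")] = digest  # '*' is sha1sum's binary-mode marker
    return expected

def hash_files(files):
    # files: {path: bytes}. Same digests `find ... | xargs sha1sum -b` would print.
    return {p: hashlib.sha1(data).hexdigest() for p, data in files.items()}

def signature_ok(manifest_path, sig_path, keyring):
    # Step (4): verify a detached signature using ONLY a keyring that lives outside
    # the portage tree. Not exercised by the constructed sample below (needs gpg).
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring,
           "--verify", sig_path, manifest_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def verify_tree(expected, actual):
    # Rule (5): missing files are fine (rsync_excludes); a listed file with a
    # different hash, or a present file with no manifest entry, fails the check.
    mismatched = sorted(p for p, d in actual.items()
                        if p in expected and d != expected[p])
    unlisted = sorted(p for p in actual if p not in expected)
    return {"ok": not (mismatched or unlisted),
            "mismatched": mismatched, "unlisted": unlisted}

# Constructed sample (not real Portage content): the manifest is built from the
# clean tree on the main system, then a synced copy is checked against it.
CLEAN = {
    "/usr/portage/app-misc/foo/foo-1.0.ebuild": b"inherit eutils\n",
    "/usr/portage/app-misc/foo/Manifest": b"MD5 0 foo-1.0.tar.gz 0\n",
    "/usr/portage/app-misc/bar/bar-2.0.ebuild": b"DESCRIPTION=bar\n",
}
MANIFEST_TEXT = "\n".join("%s *%s" % (d, p) for p, d in sorted(hash_files(CLEAN).items()))

SYNCED = dict(CLEAN)
del SYNCED["/usr/portage/app-misc/bar/bar-2.0.ebuild"]  # excluded on sync: allowed
SYNCED["/usr/portage/app-misc/foo/foo-1.0.ebuild"] = b"inherit eutils\nsrc_install() { :; }\n"  # altered
SYNCED["/usr/portage/app-misc/foo/files/extra.patch"] = b"# no manifest entry\n"  # unlisted

def check_sample():
    return verify_tree(parse_manifest(MANIFEST_TEXT), hash_files(SYNCED))
```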
Re: Gentoo Portage Attack Tree
On Mon, Nov 08, 2004 at 10:37:16AM +0100 or thereabouts, Ervin Németh wrote:
> How about this: the developers have to sign the files they upload, but
> do this before they upload them? This would eliminate leaves 5 and 6, too.

This is already supported in portage. This is how it works today.

--kurt
Re: Gentoo Portage Attack Tree
Ervin Németh writes:

> How about this: the developers have to sign the files
> they upload, but do this before they upload them?

I believe that it is practically unfeasible to verify the
signatures of dozens of people which are spread over dozens
of different directories. By building the signatures into
Portage only, you require the user to have a working Gentoo
system before he can verify he has a _real_ Gentoo system.
When Portage runs the checks, it is too late. You have to be
able to verify the authenticity of your downloaded files
before you start the first executable you've downloaded.
That's why I am in favor of a simple, ordinary text file
which is GPG-signed and contains ordinary hashes.

Peter


Re: Re: Gentoo Portage Attack Tree
On Mon, 8 Nov 2004, Peter Simons wrote:
> Ervin Németh writes:
>> How about this: the developers have to sign the files
>> they upload, but do this before they upload them?
>
> I believe that it is practically unfeasible to verify the
> signatures of dozens of people which are spread over dozens
> of different directories. By building the signatures into
> Portage only, you require the user to have a working Gentoo
> system before he can verify he has a _real_ Gentoo system.
> When Portage runs the checks, it is too late. You have to be
> able to verify the authenticity of your downloaded files
> before you start the first executable you've downloaded.
> That's why I am in favor of a simple, ordinary text file
> which is GPG-signed and contains ordinary hashes.

Before you have a Gentoo system, you need to download a Gentoo CD image,
or you need to get a Gentoo CD. The Gentoo CD images can be signed
themselves, so you can verify it before it is extracted.

After you've booted with the install image, it's too late - how do you
trust the software on the install disk, if you haven't checked it
already?

Is there a way you can install Gentoo without using an install image?
Well, I know one, but it basically would be 'download portage code,
check signature, install code, run code'. I don't see the problem. The
only way I'd see a problem here is if the user didn't have cryptographic
checking software already, in which case it isn't a problem, because the
user is trusting everything. (That is, there's nothing you can do to
assure them of the Gentoo package authenticity, so there's no need to
worry about it.)

Ed