Log hash of each package going to be installed during template build #2524

Closed
marmarek opened this Issue Dec 17, 2016 · 6 comments

marmarek commented Dec 17, 2016

Currently the template build process relies on digital signature verification of all downloaded components. This is expected to be done by the appropriate package manager. But an attacker who controls the distribution signing key, or has found a bug in the signature verification code (like CVE-2016-1252), may try to perform a targeted attack specifically against the template build process. Currently we mitigate this kind of targeted attack by downloading all the components through Tor. This forces the attacker to expose infected packages to the wider community to have a successful attack, but also increases the risk of being caught.
We'd like to extend this process by logging the hash of each downloaded package before it has a chance to compromise the logging component itself (so, before being extracted, before executing any script from inside it). Thanks to #2023 we may have a reasonably protected append-only build log of templates.
The missing part is actually logging the hashes. This should be implemented by each builder plugin separately, as it is specific to the package manager running there.
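The following is an added example, not code from qubes-builder or from any of its plugins. It shows the shape of what a builder plugin would do at the point described above: after the package manager has finished downloading into a cache directory but before anything is extracted or any package script runs, hash every package file and append the hashes to the build log. A second function compares two such logs so a package whose bytes differ between two builds (or between a local build and a log published by someone else) is flagged. Assumptions: `sha256sum` from coreutils is available, packages sit flat in one directory as `*.rpm` or `*.deb`, and the log path is the append-only log that the build process already protects; all file names and directory layout are hypothetical.

```shell
#!/bin/sh
# Added example, not qubes-builder code. Hash downloaded packages before any
# extraction, so the log entry exists before package content can run.
set -eu

# log_package_hashes DIR LOGFILE
# Appends "<sha256>  <package file name>" for every *.rpm / *.deb in DIR
# and prints the number of packages logged. The files are only read, never
# opened as archives, so a malicious package cannot influence this step.
log_package_hashes() {
    dir=$1
    log=$2
    count=0
    # Glob order is alphabetical, which keeps the log reproducible.
    for f in "$dir"/*.rpm "$dir"/*.deb; do
        [ -f "$f" ] || continue          # skip unmatched glob patterns
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$(basename "$f")" >> "$log"
        count=$((count + 1))
    done
    echo "$count"
}

# find_changed_packages LOG_A LOG_B
# Prints the name of every package present in both logs whose hash differs.
# An empty result means every package seen in both builds had identical bytes.
find_changed_packages() {
    awk 'NR == FNR { a[$2] = $1; next }
         ($2 in a) && a[$2] != $1 { print $2 }' "$1" "$2"
}

# Stand-alone use (hypothetical paths):
#   ./log-hashes.sh /path/to/download-cache /path/to/build-hashes.log
if [ "${1:-}" ]; then
    log_package_hashes "$1" "${2:-build-hashes.log}"
fi
```

The ordering matters more than the hash function: the log line must be written, and the append-only log flushed, before the package manager's extract or post-install phase is allowed to start, otherwise a hostile package could alter or suppress its own entry.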

andrewdavidwong commented Dec 18, 2016

This is an excellent idea.

  • Could it be extended to apply to packages that users install in templates?

  • Could it be paired with a system that uploads the hashes somewhere (if the user opts in), so that everyone's hashes can be compared automatically?

tasket commented Jan 6, 2017

I realize it's not the only reason to have a logging function while building templates, but isn't CVE-2016-1252 about a bug in NTP? The fact that OpenSSL was involved seems tangential. It does not refer to verification code contained within a crypto tool and has nothing to do with GPG.

I mention this because Andrew referred to this issue in qubes-devel as inspiration for a hash-based scheme for dom0 updates about which I have reservations.

marmarek commented Jan 7, 2017

but isn't CVE-2016-1252 about a bug in NTP?

No, it's an apt bug: https://security-tracker.debian.org/tracker/CVE-2016-1252

andrewdavidwong commented Jan 7, 2017

I realize its not the only reason to have a logging function while building templates, but isn't CVE-2016-1252 about a bug in NTP? The fact that OpenSSL was involved seems tangential. It does not refer to verification code contained within a crypto tool and has nothing to do with GPG.

As Marek said, it's the recent APT bug for which we published QSB 28.

marmarek commented Jul 13, 2017

Done for Fedora too.

@marmarek marmarek closed this Jul 13, 2017