Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gentoo Updater: Find out if it passes the TUF Threat Model #10

Open
adrelanos opened this issue Dec 2, 2014 · 11 comments
Open

Gentoo Updater: Find out if it passes the TUF Threat Model #10

adrelanos opened this issue Dec 2, 2014 · 11 comments

Comments

@adrelanos
Copy link
Member

@adrelanos adrelanos commented Dec 2, 2014

The Update Framework (TUF) - Attacks and Weaknesses:
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
http://www.webcitation.org/6F7Io2ncN

(Made by similar people who created this research:
http://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
which resulted as far as I understand in greatly improved package manager security in many distributions.)

Let's see how Gentoo scores there.

I am going to ask the TUF people, who are in my experience very friendly and helpful, for their opinion on their mailing list:
https://groups.google.com/forum/#!forum/theupdateframework

Your subscription request is pending.

Probably soon.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 2, 2014

http://devmanual.gentoo.org/general-concepts/manifest/ says ebuild signing is supported, but not yet mandatory.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 2, 2014

More info:
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=3#webrsync-gpg

Older forum topic:
http://forums.gentoo.org/viewtopic-p-6891626.html

Somehow confused me more than it helped. You know any more recent list of what has been implemented and what not?

@martinholovsky

This comment has been minimized.

Copy link

@martinholovsky martinholovsky commented Dec 2, 2014

Nope, I even ask Gentoo developers on meeting and outcome is that ebuilds are not signed now. If you like to I can try to contact some of them if there is any plan to improve this or we can raise it as feature request.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 2, 2014

Yes, please do that.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 2, 2014

It's also unclear to me how bad it is if ebuilds aren't signed. As long as the portage tree is signed and verified, it could be not an big issue, because then perhaps ebuilds are implicitly verified already (because maybe portage protects all the hash sums of all the files).

Best would be a list of attacks with comments if these are circumvented at the moment. (See TUF threat model.) With an overview, what advantage signed ebuilds would provide. Ideally a comparison table or so.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 15, 2014

Your subscription request is pending.

Probably soon.

Sorry for the delay. Got some issues with my mail account. It has been posted now and is in moderation queue.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 15, 2014

Here it is. They answered already.

Does Gentoo's updater pass the TUF threat model?:
https://groups.google.com/forum/#!topic/theupdateframework/g-xQWq5aKpU

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Dec 20, 2014

The answer to the original question of this ticket Does Gentoo's Updater pass TUF's threat model is probably no.

Quote Justin Cappos (references: professor; was involved in writing a paper that resulted in a grave improvement of package manager security. Probably a lot more great stuff, I am not even aware of. But these references are already sufficient for my point "reason enough to take him serious".):

I took a quick look and think they still have the same basic signature / metadata setup as before. They seem to be signing the package metadata (with a GPG key), but do not seem to prevent rollback attacks, timeliness attacks, or handle key compromises securely.

In my interpretation, this is a very important security issue. Even more so when updating over Tor. A man-in-the-middle could run a rollback (downgrade) attack, then exploit the downgraded, vulnerable software. No matter what great hardening stuff Gentoo does, as long as this isn't fixed, I'd rather avoid Gentoo for anything security critical.

Vladimir Diaz (TUF) said he's going to contact Gentoo developers. Maybe they're interested to fix this and this will fix itself in time.

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Jan 1, 2015

@martincmelik and I thought to solve this, one could modify emerge-webrsync or write an alternative to emerge-webrsync so it uses TUF.

emerge-webrsync source code:
https://github.com/gentoo/portage/blob/master/bin/emerge-webrsync

@adrelanos

This comment has been minimized.

Copy link
Member Author

@adrelanos adrelanos commented Feb 13, 2015

Tagging reported-upstream, because...

Vladimir Diaz (TUF) said he's going to contact Gentoo developers. Maybe they're interested to fix this and this will fix itself in time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.