Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in users/robbat2/tree-signing-gleps: 00-proposal-overview
Date: Thu, 09 Oct 2008 21:33:55
Message-Id: E1Ko38r-0008JI-O1@stork.gentoo.org
1 robbat2 08/10/09 21:33:53
2
3 Modified: 00-proposal-overview
4 Log:
5 Fix sentence structure, include reference to Cappos et al work and the existing signed HTTP snapshots.
6
7 Revision Changes Path
8 1.11 users/robbat2/tree-signing-gleps/00-proposal-overview
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.11&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.11&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?r1=1.10&r2=1.11
13
14 Index: 00-proposal-overview
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview,v
17 retrieving revision 1.10
18 retrieving revision 1.11
19 diff -p -w -b -B -u -u -r1.10 -r1.11
20 --- 00-proposal-overview 13 Jul 2008 06:45:03 -0000 1.10
21 +++ 00-proposal-overview 9 Oct 2008 21:33:53 -0000 1.11
22 @@ -1,11 +1,7 @@
23 -TODO:
24 -- Add mention of signed HTTP snapshots from 01
25 -- Add replay attacks from Cappos et al.
26 -
27 GLEP: xx
28 Title: Security of distribution of Gentoo software - Overview
29 -Version: $Revision: 1.10 $
30 -Last-Modified: $Date: 2008/07/13 06:45:03 $
31 +Version: $Revision: 1.11 $
32 +Last-Modified: $Date: 2008/10/09 21:33:53 $
33 Author: Robin Hugh Johnson <robbat2@g.o>
34 Status: Draft
35 Type: Informational
36 @@ -96,8 +92,8 @@ are not maintained by Gentoo Infrastruct
37 Attacks may be conducted against any of these entities. Obviously
38 direct attacks against Upstream and Users are outside of the scope of
39 this series of GLEPs as they are not in any way controlled or
40 -controllable by Gentoo - however attacks using Gentoo as a conduit (such
41 -as adding a payload at a mirror) must be considered.
42 +controllable by Gentoo - however attacks using Gentoo as a conduit
43 +(including malicous mirrors) must be considered.
44
45 Processes
46 ---------
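Review bot: the added line "(including malicous mirrors) must be considered." misspells "malicious". The rewrite also drops the concrete example the old text gave ("adding a payload at a mirror"). If the intent is to widen the scope beyond payload injection, which the paragraph added later in this patch suggests, it would read more clearly to keep the old example and add the new case next to it.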
47 @@ -141,6 +137,11 @@ by syncing from one of the community-pro
48 protection against this class of attacks is very easy to implement with
49 little added cost.
50
51 +At the level of mirrors, addition of malicious content is not the only
52 +attack. As discussed by Cappos et al [C08a,C08b], an attacker may use
53 +exclusion and replay attacks, possibly only on a specific subset of
54 +user to extend the window of opportunity on another exploit.
55 +
56 Security for Processes
57 ------------------------
58 Protection for process #1 can never be complete (without major
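Review bot: in the added paragraph, "a specific subset of user" should read "a specific subset of users", and a comma after it would separate the targeting clause from the purpose clause ("to extend the window of opportunity on another exploit"). "Exclusion" and "replay" are also used without definition; a one-sentence description of each here would let a reader of this overview follow the threat without first opening [C08a,C08b].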
59 @@ -165,7 +166,9 @@ objective is actually much closer than i
60 work has been completed for other things!. This is further discussed in
61 [GLEPxx+1]. As this process has the most to gain in security, and the
62 most immediate impact, it should be implemented before or at the same
63 -time as any changes to process #1.
64 +time as any changes to process #1. Security at this layer is already
65 +available in the signed daily snapshots, but we can extend it to cover
66 +the rsync mirrors as well.
67
68 Requirements pertaining to and management of keys (OpenPGP or otherwise)
69 is an issue that affects both processes, and is broken out into a
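Review bot: "Security at this layer" in the added sentence has no clear antecedent, since the surrounding text speaks of processes ("this process has the most to gain") rather than layers; naming the process would remove the ambiguity. The signed daily snapshots are mentioned without a pointer to where they are described, although the removed TODO says they come "from 01", so a cross-reference in the style of the [GLEPxx+1] citation just above is worth adding. It would also help to state whether the snapshot signatures address the exclusion and replay cases introduced in the previous hunk, or only content tampering.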
70 @@ -291,6 +294,17 @@ spelling, grammar, research (esp. tracki
71 vulnerability that has been mentioned in past discussions, and
72 integrating them in this overview).
73
74 +==========
75 +References
76 +==========
77 +
78 +[C08a] Cappos, J et al. (2008). "Package Management Security".
79 + University of Arizona Technical Report TR08-02. Available online
80 + from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf
81 +[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
82 + Available online at:
83 + http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
84 +
85 Copyright
86 =========
87 Copyright (c) 2006 by Robin Hugh Johnson. This material may be
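Review bot: the new References heading is adorned with both an overline and an underline of "=", while the Copyright heading directly below it uses an underline only, so in reStructuredText the two sections end up at different heading levels; use the same adornment for both. The two entries are also punctuated inconsistently: [C08a] has a period after the quoted title and [C08b] has none.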