robbat2 08/10/09 21:33:53

Modified: 00-proposal-overview
Log:
Fix sentence structure, include reference to Cappos et al. work and the existing signed HTTP snapshots.

Revision Changes Path
1.11 users/robbat2/tree-signing-gleps/00-proposal-overview

file : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.11&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?rev=1.11&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview?r1=1.10&r2=1.11

Index: 00-proposal-overview
===================================================================
RCS file: /var/cvsroot/gentoo/users/robbat2/tree-signing-gleps/00-proposal-overview,v
retrieving revision 1.10
retrieving revision 1.11
diff -p -w -b -B -u -u -r1.10 -r1.11
--- 00-proposal-overview 13 Jul 2008 06:45:03 -0000 1.10
+++ 00-proposal-overview 9 Oct 2008 21:33:53 -0000 1.11
@@ -1,11 +1,7 @@
-TODO:
-- Add mention of signed HTTP snapshots from 01
-- Add replay attacks from Cappos et al.
-
GLEP: xx
Title: Security of distribution of Gentoo software - Overview
-Version: $Revision: 1.10 $
-Last-Modified: $Date: 2008/07/13 06:45:03 $
+Version: $Revision: 1.11 $
+Last-Modified: $Date: 2008/10/09 21:33:53 $
Author: Robin Hugh Johnson <robbat2@g.o>
Status: Draft
Type: Informational
@@ -96,8 +92,8 @@ are not maintained by Gentoo Infrastruct
Attacks may be conducted against any of these entities. Obviously
direct attacks against Upstream and Users are outside of the scope of
this series of GLEPs as they are not in any way controlled or
-controllable by Gentoo - however attacks using Gentoo as a conduit (such
-as adding a payload at a mirror) must be considered.
+controllable by Gentoo - however attacks using Gentoo as a conduit
+(including malicous mirrors) must be considered.

Processes
---------
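Review bot: "malicous" in the added line `+(including malicous mirrors) must be considered.` should be "malicious". The rewrite also drops the only concrete illustration of the conduit threat ("adding a payload at a mirror"); keeping it in the parenthesis, for example "(including malicious mirrors that add or alter content)", tells the reader what a mirror can actually do rather than only that it may be hostile. Minor: "by Gentoo - however attacks" is a run-on; a semicolon or a full stop before "however" reads better.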
@@ -141,6 +137,11 @@ by syncing from one of the community-pro
protection against this class of attacks is very easy to implement with
little added cost.

+At the level of mirrors, addition of malicious content is not the only
+attack. As discussed by Cappos et al [C08a,C08b], an attacker may use
+exclusion and replay attacks, possibly only on a specific subset of
+user to extend the window of opportunity on another exploit.
+
Security for Processes
------------------------
Protection for process #1 can never be complete (without major
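Review bot: "a specific subset of user" should be "users", and "window of opportunity on another exploit" reads better as "window of opportunity for another exploit"; "Cappos et al" also needs its period ("et al."). More substantively, the new paragraph names exclusion and replay attacks but stops there, whereas the paragraph just above it says of payload injection that protection "is very easy to implement with little added cost". A closing sentence stating what a client needs in order to detect a stale or incomplete tree, and which part of this series addresses it, would tie the newly introduced threats to a mitigation the same way.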
59 |
@@ -165,7 +166,9 @@ objective is actually much closer than i |
60 |
work has been completed for other things!. This is further discussed in |
61 |
[GLEPxx+1]. As this process has the most to gain in security, and the |
62 |
most immediate impact, it should be implemented before or at the same |
63 |
-time as any changes to process #1. |
64 |
+time as any changes to process #1. Security at this layer is already |
65 |
+available in the signed daily snapshots, but we can extend it to cover |
66 |
+the rsync mirrors as well. |
67 |
|
68 |
Requirements pertaining to and management of keys (OpenPGP or otherwise) |
69 |
is an issue that affects both processes, and is broken out into a |
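Review bot: the added text says "signed daily snapshots" while the commit log and the TODO item this change closes both say "signed HTTP snapshots"; pick one term and use it consistently so the reader can connect the two. The sentence also asserts that the protection "can extend ... to cover the rsync mirrors" without saying what signed artifact an rsync user would verify or where that design is described; a reference of the kind the preceding sentence gives with [GLEPxx+1] would make the claim checkable. Minor, in the unchanged context line: "other things!." has a stray "!." that could be tidied in the same pass.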
@@ -291,6 +294,17 @@ spelling, grammar, research (esp. tracki
vulnerability that has been mentioned in past discussions, and
integrating them in this overview).

+==========
+References
+==========
+
+[C08a] Cappos, J et al. (2008). "Package Management Security".
+ University of Arizona Technical Report TR08-02. Available online
+ from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf
+[C08b] Cappos, J et al. (2008). "Attacks on Package Managers"
+ Available online at:
+ http://www.cs.arizona.edu/people/justin/packagemanagersecurity/
+
Copyright
=========
Copyright (c) 2006 by Robin Hugh Johnson. This material may be
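Review bot: the two reference entries are formatted inconsistently: [C08a] closes its title with a period and says "Available online from:", while [C08b] has no punctuation after the title, names no venue or publication type, and says "Available online at:". Both write "Cappos, J et al" without the period on "al." and give only the first author. Listing the co-authors, adding the venue (or an "accessed <date>" note for the web page) to [C08b], and using one "Available online" phrasing would make the citations resolvable and match each other.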