On Fri, 06 Mar 2015 10:20:27 -0500
"Rick \"Zero_Chaos\" Farina" <zerochaos@g.o> wrote:

> On 03/06/15 08:53, Mark Kubacki wrote:
> > 2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina
> > <zerochaos@g.o>:
> >>
> >> tl;dr webrsync-gpg is a built-in feature of the package manager
> >> which OPTIONALLY adds a significant amount of security against the
> >> attacks described on your website. This is not currently the
> >> default setting, however, it is described in many hardening guides
> >> for gentoo and widely used among the security conscious.
> >
> > Without numbers backing that up this is speculation.
>
> 5,7,16,38,42. There are some numbers to back up what I'm saying. I
> have been doing security work for over 15 years and I'm a professional
> pen-tester. If you want to read the portage code to verify what I
> said that's fine, but I'm reasonably confident I distilled what
> portage does into English.
> >
> > Given the default settings (without webrsync-gpg)…:
> >
> >> (8) Wrong software installation.
> >
> > Observe the DNS requests for the rsync- or webrsync mirror. They're
> > not encrypted and give you a nice heads-up.
>
> Yup, DNS is basically never encrypted, this is not new information or
> a new attack.
> >
> > A. (data in transit) It's almost never HTTPS and/or without
> > authentication, so you can easily proceed to hijacking the
> > connection.
> > - Primed that way (DNS) insert a new rule into a router (or
> > nameserver) along the path or within the DC to redirect the
> > transaction. (See "quantum insert".)
>
> Yup, this was discussed, however, it doesn't matter, and I'll explain
> why. The portage tree itself is a tarball with a signature attached,
> that means that short of coercion, the information in the portage tree
> should be correct (in the case of webrsync-gpg). The Manifest file
> for each package contains a sha256, sha512, and whirlpool hash for
> each file (including the source tarballs which would be downloaded to
> install) and ALL of them must match. Good luck modifying the file
> and getting all three hashes to match, I would suggest that is
> statistically impossible. Yes, an attacker could easily pass any file
> they like, but portage would fail to validate it and refuse to
> continue.
> >
> > B. (data at rest) Bribe or coerce the owner of the (portage tree)
> > mirror. Manifests and ebuilds are not centrally signed and there is
> > no authoritative "signing transparency"/record (see "certificate
> > transparency").
> >
> Only the portage tree is centrally signed, and currently the manifest
> signatures aren't even verified automatically at this point. Yes, I
> completely agree that a gentoo dev could be coerced or bribed to add
> malicious code to the repository which would then get signed and
> shipped with the secure tarball. This avenue of attack is very
> difficult to stop. It would be cool to have some kind of automated
> check for malicious code, however, I doubt it would be all that
> effective.
>
> -Zero
>

I have refrained from replying till now because I don't consider myself
qualified to answer security issues like these.

But, for the few holes there are currently in portage's security
methods, there are already efforts underway to plug them. Using a new
project called gentoo-keys (a gpg-key management app) portage will be
able to independently verify the gpg signed Manifest
files provided with each package. So, even if the user does not use
the gpg signed emerge-webrsync method, there will still be an
alternate authentication method on the package level. There are other
steps being taken in other areas of the tree handling and
building as well, but portage verifying the Manifest file is the next
step being taken with gentoo-keys.

What Zero did not mention was that a user can independently verify the
gpg signature of each Manifest file now. The developer gpg keys are
listed and available. The gentoo-keys project is just automating the
whole process.

--
Brian Dolbec <dolsen>
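The Manifest check that Zero describes in the quoted reply (every listed digest for a DIST file must match, otherwise portage refuses to continue) and that Brian's reply says gentoo-keys will extend with signature verification, written out as an added example. This is not Portage's own code: it is a stand-alone verifier for one `DIST name size ALGO hex ALGO hex ...` Manifest line, with the sample "source tarball", the Manifest entries and the developer-side `make_dist_entry` helper all constructed inline so that it runs offline. One detail worth noticing is the fail-closed branch: a Manifest that lists an algorithm the local OpenSSL cannot compute (WHIRLPOOL is the usual case on newer builds) is rejected rather than silently skipped, since an uncheckable digest is not a passed digest.

```python
"""Fail-closed verification of a Gentoo-style Manifest DIST entry.

Added example, not Portage's own code. A Manifest line of the form

    DIST <file> <size> SHA256 <hex> SHA512 <hex> WHIRLPOOL <hex>

is parsed and every listed digest is checked against the file contents;
one mismatch, a size mismatch, or an algorithm the verifier cannot
compute all cause rejection. The sample data below is constructed.
"""
import hashlib

# Portage's Manifest hash names mapped to hashlib names. WHIRLPOOL is
# only available when the underlying OpenSSL build provides it.
HASH_NAMES = {"SHA256": "sha256", "SHA512": "sha512", "WHIRLPOOL": "whirlpool"}


def compute_digest(algo, data):
    """Hex digest of data for a Manifest algorithm name, or None if unavailable."""
    name = HASH_NAMES.get(algo)
    if name is None:
        return None
    try:
        h = hashlib.new(name)
    except ValueError:  # algorithm not provided by this OpenSSL build
        return None
    h.update(data)
    return h.hexdigest()


def parse_dist_entry(line):
    """Parse 'DIST name size ALGO hex ALGO hex ...' into (name, size, {ALGO: hex})."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError("malformed DIST entry: %r" % line)
    name, size = fields[1], int(fields[2])
    digests = {}
    for algo, hexdigest in zip(fields[3::2], fields[4::2]):
        digests[algo.upper()] = hexdigest.lower()
    return name, size, digests


def verify_dist(entry, data):
    """Return (ok, reason); ok is True only if size and EVERY listed digest match."""
    name, size, digests = parse_dist_entry(entry)
    if len(data) != size:
        return False, "%s: size %d != Manifest size %d" % (name, len(data), size)
    for algo, expected in digests.items():
        actual = compute_digest(algo, data)
        if actual is None:
            # Fail closed: an uncheckable digest is not a passed digest.
            return False, "%s: cannot compute %s, refusing to accept" % (name, algo)
        if actual != expected:
            return False, "%s: %s mismatch" % (name, algo)
    return True, "%s: all %d digests match" % (name, len(digests))


def make_dist_entry(name, data, algos=("SHA256", "SHA512")):
    """Hypothetical developer-side helper: build the Manifest line for data."""
    parts = ["DIST", name, str(len(data))]
    for algo in algos:
        parts += [algo, compute_digest(algo, data)]
    return " ".join(parts)


# Constructed sample "source tarball" and the Manifest entry a developer would ship.
GOOD_DATA = b"#!/bin/sh\necho 'foo 1.0 sources'\n"
ENTRY = make_dist_entry("foo-1.0.tar.gz", GOOD_DATA)

# Same length as GOOD_DATA, so the size check alone would not catch it.
TAMPERED_DATA = GOOD_DATA.replace(b"sources", b"sourceS")

# Constructed attacker scenario: the SHA256 in the Manifest still matches the
# genuine file, but the SHA512 field has been swapped for the tampered file's.
_fields = ENTRY.split()
_fields[_fields.index("SHA512") + 1] = compute_digest("SHA512", TAMPERED_DATA)
PARTIAL_ENTRY = " ".join(_fields)

# Constructed entry listing a WHIRLPOOL digest (placeholder value): rejected
# either because it mismatches or because the algorithm cannot be computed.
WHIRLPOOL_ENTRY = ENTRY + " WHIRLPOOL " + "0" * 128


def demo():
    """Run the checks a user would see; returns the outcomes for inspection."""
    return {
        "good": verify_dist(ENTRY, GOOD_DATA),
        "tampered": verify_dist(ENTRY, TAMPERED_DATA),
        "one_hash_forged": verify_dist(PARTIAL_ENTRY, GOOD_DATA),
        "unverifiable_algo": verify_dist(WHIRLPOOL_ENTRY, GOOD_DATA),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-18s %s  %s" % (label, "ACCEPT" if ok else "REJECT", reason))
```

Only the `good` case is accepted; the tampered file fails on the first digest, the entry with one forged digest fails on SHA512 even though SHA256 still matches, and the WHIRLPOOL entry is refused whether or not the local OpenSSL can compute it. Note that this only covers the data-in-transit attack (A) from the thread: a digest check says nothing about whether the Manifest itself is authentic, which is what the gpg signature on the snapshot tarball, or on the Manifest, is for.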