Gentoo Archives: gentoo-portage-dev

From: Vladimir Diaz <vladimir.v.diaz@×××××.com>
To: gentoo-portage-dev@l.g.o
Cc: Justin Cappos <jcappos@×××.edu>, Patrick Schleizer <patrick-mailinglists@××××××.org>, adrelanos grayson <adrelanos@××××××.net>
Subject: [gentoo-portage-dev] Portage and Update Security
Date: Tue, 10 Mar 2015 21:15:38
Message-Id: CAOyQwLi_9W9fV0C3h5GK+ubRUzEC7=xbEsHp_8L4=5UCeaxmWQ@mail.gmail.com
Hi,

I am a developer in the Secure Systems Lab at NYU.  Our lab has
collaborated with popular software update systems in the open-source
community, including APT, yum, and YaST, to address security problems.
More recently, we have been working on a flexible security framework
co-developed with the Tor project that can be easily added to software
updaters to transparently solve many of the known security flaws we have
uncovered in software updaters.  We would like to work with The Portage
Development Project to better secure the Portage distribution system.

TUF
<https://github.com/theupdateframework/tuf#a-framework-for-securing-software-update-systems>
(The Update Framework) is a library that can be added to an existing
software update system and is designed to update files in a more secure
manner.  Many software updaters verify software updates with cryptographic
signatures and hash functions, but they typically fail to protect against
malicious attacks that target the metadata and update files presented to
clients.  A rollback attack is one such example, where an attacker tricks a
client into installing older files than those the client has already seen
(these older files may be vulnerable versions that have since been fixed).
A full list of attacks and weaknesses the framework is designed to address
is provided here
<https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md#security>
.

Our website <http://theupdateframework.com/index.html> includes more
information about TUF, including: papers
<https://github.com/theupdateframework/tuf/tree/develop/docs/papers> and a
specification
<https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt>.
If you want to see how an existing project integrates TUF, there is a
standards track proposal
<https://github.com/pypa/interoperability-peps/blob/master/pep-0458-tuf-online-keys.rst#abstract>
to the Python community that you can review.  A more rigorous proposal that
requires more administrative work on the repository, but provides more
security protections, is also available
<https://www.python.org/dev/peps/pep-0480/>.

We were thinking of submitting a pull request that shows how such an
integration would work.  So there hopefully won't be much leg work on your
end apart from deciding how the system should be configured (key storage,
roles, etc.).

Would a pull request be of interest?  Is there anything you'd like us to
say more about?

Thanks,
Vlad

P.S.
There are Informational <http://wiki.gentoo.org/wiki/GLEP:57> and Standards
Track <http://wiki.gentoo.org/wiki/GLEP:58> GLEPs that reference our work
and the security issues that our project addresses, but there hasn't been
much recent activity on these proposals.


--
vladimir.v.diaz@×××××.com
PGP fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
--

Replies

Subject Author
Re: [gentoo-portage-dev] Portage and Update Security "Rick \\\"Zero_Chaos\\\" Farina" <zerochaos@g.o>
Re: [gentoo-portage-dev] Portage and Update Security Zac Medico <zmedico@g.o>
Re: [gentoo-portage-dev] Portage and Update Security Alec Warner <antarus@g.o>