bug-cvs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GPG-signed commits: a new exploit to consider

From: Jim Hyslop
Subject: Re: GPG-signed commits: a new exploit to consider
Date: Sat, 24 Sep 2005 12:16:18 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) 
Derek Price wrote:

Jim Hyslop wrote:



There is a new repository attack that signed commits introduce. We
should consider, this attack, if only to document it and consider best
practises on detecting and reducing the risk.

The basic attack is to tamper with the GPG signature, with the goal of
deliberately causing signature validation to fail. There are a couple
of scenarios I can think of immediately:

A mischievous attacker simply wants to ruffle some feathers. No actual
harm is done, it's simply a nuisance. Everything could grind to a halt
until the most recent backup is restored (would this be classifed as a
denial-of-service attack?). As a variation, a malicious hacker could
employ this 'mischief attack' repeatedly, in the hopes that eventually
people will ignore the error. Once that happens, the attacker can then
slip in an actual exploit and users will assume it's the same annoyance.




I'm not sure where you are going with this one.

[...]
Agreed, the tampering will be noticed. That's the whole point of the mischief attack: to make everyone _think_ the repository's been hacked, when it really hasn't. To watch the CVS admins scramble, and users panic. Some people would see this as quite fun (to quote Ford Prefect, "rather childish, really").
The malicious attacker wants to be the wolf in the story of the boy who cried wolf.
Again, I'm not sure if these attacks can be easily prevented, but it may be worth noting them so inexperienced CVS administrators (of which we see a lot - "HELP! I got tossed into this job, how do I {...}") know how to respond. 


One problem with the loginfo hook is that I was planning on storing
binary GPG-signatures when possible.  They are smaller and would, at the
least, look ugly on the command line, and I'm not sure what embedded
NULs would do.  There would be some overhead to ASCII-Armoring the
signatures for passage to loginfo.
I would suspect that the overhead of ASCII-armouring would be fairly small compared to the overhead of verifying the signature. By the way, has anyone attempted to project or guess at the overhead adding the basic signing will add? 

--
Jim
reply via email to
[Prev in Thread] Current Thread [Next in Thread]