10/66: ccs-2021: Improve "Rationale" section.

From: Ludovic Courtès
Subject: 10/66: ccs-2021: Improve "Rationale" section.
Date: Wed, 29 Jun 2022 11:31:58 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit b65de521258726d5db232b615eafa763f37afd7c
Author: Ludovic Courtès <>
AuthorDate: Mon May 3 12:19:00 2021 +0200

    ccs-2021: Improve "Rationale" section.
 doc/ccs-2021/security.sbib    |  6 ++++++
 doc/ccs-2021/supply-chain.skb | 35 +++++++++++++++++++++--------------
 2 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index edc7ab3..4f432a1 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -157,6 +157,12 @@ Thayer")
   (year "2021")
+(misc fsf2010:compromise
+  (author "Free Software Foundation")
+  (title "Savannah and Downtime")
+  (year "2010")
+  (url "";))
 (defun skr-from-bibtex ()
   "Vaguely convert the BibTeX snippets after POINT to SBibTeX."
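Review bot: the new `fsf2010:compromise` entry has an empty `url` field (`(url "";))`), so the `,(ref :bib 'fsf2010:compromise)` added in supply-chain.skb cannot be followed back to the FSF's "Savannah and Downtime" post; fill in the URL (or drop the field if none is available) and remove the stray `;` between the closing quote and the parentheses, which is not how the `(year "2021")` field above closes.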
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index 0da1814..d1c0b53 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -314,18 +314,26 @@ maintained under version control in a Git repository.  To 
update Guix
 and its package collection, users run ,(tt [guix pull])—the equivalent
 of ,(tt [apt update]) in Debian.  When users run ,(tt [guix pull]), what
 happens behind the scene is equivalent to ,(tt [git clone]) or ,(tt [git
-pull]).  There are many ways this can go wrong.  An attacker can trick
-the user into pulling code from an alternate repository that contains
-malicious code or definitions for backdoored packages.  This is made
-more difficult by the fact that code is fetched over HTTPS from Savannah
-by default.  If Savannah is compromised as happened in 2010,(footnote
-an attacker can push code to the Guix repository, which everyone would
-pull.  The change might even go unnoticed and remain in the repository
-forever.  An attacker with access to Savannah can also reset the main
-branch to an earlier revision, leading users to install outdated
-software with known vulnerabilities—a ,(emph [downgrade attack]).  These
-are the kind of attacks we want to protect against.]))
+      (p [There are several ways this update process can lead users to
+run malicious code.  An attacker could trick the user into connecting to
+an alternate repository that contains malicious code or definitions for
+backdoored packages.  This is made more difficult by the fact that code
+is fetched over HTTPS by default, which allows clients to authenticates
+the server they are connecting to.  However, server authentication is of
+no use when the server hosting the repository is compromised, as
+happened to GNU’s Savannah in 2010 ,(ref :bib 'fsf2010:compromise).])
+      (p [An attacker who gained access to the server hosting the Guix
+repository with can push code, which every user would then pull.  The
+change might even go unnoticed and remain in the repository forever.
+They may also reset the main branch to an earlier revision, leading
+users to install outdated software with known vulnerabilities—a ,(emph
+[downgrade attack]); the attacker may also change the main branch
+reference so it points to a different branch, containing new malicious
+code—a ,(emph [teleport attack]) ,(ref :bib 'torresarias2016:omitting).
+These are the kind of attacks we want to protect against.]))
    (chapter :title [Authenticating Git Checkouts]
       :ident "authenticating"
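Review bot: two grammar slips in the new paragraphs: `which allows clients to authenticates the server` should read `authenticate`, and `the server hosting the Guix repository with can push code` has a stray `with`. Minor: `These are the kind of attacks` reads better as `kinds of attacks`. Otherwise the split into two paragraphs is an improvement, since it separates what HTTPS server authentication does protect against from the compromised-server case that motivates the downgrade and teleport attacks.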
@@ -351,8 +359,7 @@ by their cryptographic content hash (SHA-1); the contents 
of a revision,
 ,(it [trees]) in Git parlance, as well as all other kind of data stored
 in a Git repository, are all content-addressed.])
-      (p [Git supports ,(emph [signed commits]),(footnote
-[]).  A signed
+      (p [Git supports ,(emph [signed commits]).  A signed
 commit includes an additional header containing as ASCII-armored OpenPGP
 signature computer over the other headers of the commit.  Checkout
 authentication requires cryptographically signed commits.  By signing a
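Review bot: since this paragraph is being touched, the two typos on the unchanged lines right after the edited one should be fixed in the same commit: `containing as ASCII-armored OpenPGP signature` should be `an ASCII-armored`, and `signature computer over the other headers` should be `computed over`. Dropping the empty `,(footnote [])` is correct, as it produced a footnote with no text.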
