36/66: programming-2022: Clarify intro commits and downgrade protection.
From: Ludovic Courtès
Subject: 36/66: programming-2022: Clarify intro commits and downgrade protection.
Date: Wed, 29 Jun 2022 11:32:01 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit 97b4ebe6e7f7b5beafa3f0e2c65a370c8e08738b
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sat Jan 29 11:36:24 2022 +0100
programming-2022: Clarify intro commits and downgrade protection.
* doc/programming-2022/security.sbib: Add reference.
* doc/programming-2022/supply-chain.skb: Tweak wording.
(Establishing Trust): Clarify that only descendants of the introductory
commits are valid, as per <https://issues.guix.gnu.org/53608>.
(Downgrade Attacks): Mention branch teleport attacks that this does not
protect against.
---
doc/programming-2022/security.sbib | 7 ++++
doc/programming-2022/supply-chain.skb | 73 +++++++++++++++++++++--------------
2 files changed, 52 insertions(+), 28 deletions(-)
diff --git a/doc/programming-2022/security.sbib
b/doc/programming-2022/security.sbib
index 1a283e9..500966e 100644
--- a/doc/programming-2022/security.sbib
+++ b/doc/programming-2022/security.sbib
@@ -289,6 +289,13 @@ Thayer")
(year "2021")
(url "https://github.com/cryptidtech/git-cryptography-protocol"))
+(misc devos2021:diverted
+ (author "Maxime Devos")
+ (year "2021")
+ (month "May")
+ (url "https://issues.guix.gnu.org/48146")
+ (title "Getting diverted to non-updated branches: a limitation of the
authentication mechanism?"))
+
(article peisert2021:solarwinds
(author "S. Peisert, B. Schneier, H. Okhravi, F. Massacci, T. Benzel, C.
Landwehr, M. Mannan, J. Mirkovic, A. Prakash, J. Michael")
(journal "IEEE Security & Privacy")
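Review bot: the new `devos2021:diverted` entry cites a live bug-tracker thread (https://issues.guix.gnu.org/48146) rather than a fixed publication, so consider recording the date the thread was consulted next to `(year "2021")` and `(month "May")`, as one would for any URL-only `misc` entry, since the thread can keep growing after the paper is out. The key matches the `'devos2021:diverted` reference added to supply-chain.skb in this same commit, so the cross-reference resolves.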
diff --git a/doc/programming-2022/supply-chain.skb
b/doc/programming-2022/supply-chain.skb
index 6dac3cb..2630928 100644
--- a/doc/programming-2022/supply-chain.skb
+++ b/doc/programming-2022/supply-chain.skb
@@ -425,8 +425,8 @@ root of the package dependency graph, we have the GNU C
Library (glibc),
the GNU Compiler Collection (GCC), the GNU Binary Utilities (Binutils),
and the GNU command-line utilities (Coreutils, grep, sed, Findutils,
etc.)—all this written in C and C++. How does one build the first GCC
-though? Historically, distributions such as Debian would rely on
-previously-built binaries to build the new one: when GCC is upgraded, it
+though? Historically, distributions such as Debian would informally rely on
+previously-built binaries to build the new ones: when GCC is upgraded, it
is built using GCC as available in the previous version of the
distribution.])
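Review bot: "would informally rely on previously-built binaries" in the first `+` line leaves "informally" unexplained; if the point is that the dependency on the previous distribution's GCC was never stated as part of the build recipe, say so ("rely, without documenting it, on"), otherwise the word reads as filler. The pluralization "the new ones" also sits oddly beside the singular "when GCC is upgraded, it is built" that follows; either "the new one" or "new compilers" keeps the sentence consistent.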
@@ -487,7 +487,7 @@ question has to be approached from a different angle.])
(p [Guix consists of source code for the tools as well as package
definitions that make up the GNU/Linux distribution. All this code is
-maintained under version control in a Git repository,(footnote (ref :url
"https://git-scm.com")).
+maintained under version control in a Git repository.
To update Guix
and its package collection, users run ,(tt [guix pull])—the equivalent
of ,(tt [apt update]) in Debian. When users run ,(tt [guix pull]), what
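Review bot: dropping `(footnote (ref :url "https://git-scm.com"))` removes the only pointer to Git in this paragraph; that is fine if Git is introduced with a citation elsewhere in the chapter, otherwise a bibliography entry would preserve the pointer without the footnote. Separately, the short line "To update Guix" left behind by the edit could be refilled with the lines that follow so the paragraph wraps evenly.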
@@ -680,7 +680,7 @@ authorization invariant?])
(image :file "images/commit-graph-intro.pdf"))
(p [We solve this bootstrapping issue by defining ,(emph [channel
introductions]).
-Previously, one would identify a channel simply by its URL. Now, when
+Previously, one would identify a channel solely by its URL. Now, when
introducing a channel to users, one needs to provide an additional piece
of information: the first commit where the authorization invariant
holds, and the fingerprint of the OpenPGP key used to sign that commit
@@ -688,16 +688,18 @@ holds, and the fingerprint of the OpenPGP key used to
sign that commit
but it provides an additional check).])
(p [Consider the commit graph on ,(numref :text [Figure] :ident
-"fig-commit-graph-intro"). On this figure, ,(it [B]) is the introduction
commit. Its
-ancestors, such as ,(it [A]), are considered authentic. To authenticate, ,(it
[C]),
-,(it [D]), ,(it [E]), and ,(it [F]), we check the authorization invariant.])
+"fig-commit-graph-intro"). On this figure, ,(it [B]) is the ,(emph
[introductory commit]). Its
+ancestors, such as ,(it [A]), are considered authentic. To authenticate ,(it
[C]),
+,(it [D]), ,(it [E]), and ,(it [F]), we check the authorization
+invariant. Commits ,(it [G]) and ,(it [H]) are considered inauthentic
+because they are not descendants of the introductory commit, ,(it [B]).])
(p [As always when it comes to establishing trust, distributing
channel introductions is very sensitive. The introduction of the
official ,(tt [guix]) channel is built into Guix. Users obtain it when
-they install Guix the first time. Installation instructions instruct
+they install Guix the first time. Installation instructions tell
users to verify the provided OpenPGP detached signature on the tarball
-or ISO installation image they download. This reduces chances of
+or ISO installation image they download. This reduces the chances of
getting the “wrong” Guix, following a trust-on-first-use (TOFU)
approach.])
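Review bot: terminology in the `+` lines: the text now says ,(emph [introductory commit]) and the commit message uses "introductory commits", but the definition in the preceding hunk still describes the same thing only as "the first commit where the authorization invariant holds" without naming it; giving it the name at the definition site ("the introductory commit: the first commit where ...") anchors the term for readers. The added sentence about ,(it [G]) and ,(it [H]) states the criterion cleanly (not descendants of ,(it [B])), which is the sharper condition from <https://issues.guix.gnu.org/53608> and supersedes the "starts from A, which lacks .guix-authorizations" justification removed in the next hunk.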
@@ -741,18 +743,16 @@ made by someone who is not in ,(tt
[.guix-authorizations]). To address
this, someone publishing a fork advertises a new introduction for their
fork, pointing to a different starting commit.])
- (p [Last, channel introductions give a ,(emph [point of
+ ;; XXX: Pointless paragraph?
+ #;(p [Last, channel introductions give a ,(emph [point of
reference]). Assume an attacker attempts a ,(emph [teleport attack]) by
modifying branch references on the server hosting the official
-repository ,(ref :bib 'torresarias2016:omitting). They could change
-branch references so they point to unrelated commits, such as commits on
-an “orphan” branch that do not share any history with the “official”
-branches, but in that case, authentication will fail as it stumbles upon
-the first unauthorized commit made by the attacker. In ,(numref :text
-[Figure] :ident "fig-commit-graph-intro"), the red branch with commits
-,(it [G]) and ,(it [H]) cannot be authenticated because it starts from
-,(it [A]), which lacks ,(tt [.guix-authorizations]) and thus fails the
-authorization invariant.]))
+repository so they point to commits of their choice ,(ref :bib
+'torresarias2016:omitting). For such a change to (potentially) go
+undetected, the attacker must choose commits that (1) are descendants of
+the introductory commit, and (2) satisfy the authorization invariant.
+In other words, the attacker may only divert users to a development
+branch published by the project developers.]))
(chapter :title [Downgrade Attacks] :ident "downgrade"
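Review bot: leaving the paragraph as a `#;` datum comment with an `;; XXX: Pointless paragraph?` marker ships an unresolved question in the source. Since this same commit moves the teleport-attack discussion to the Downgrade Attacks chapter, where it is stated more precisely (with the fast-forward condition), the commented paragraph can be deleted outright; if it is kept for now, its final sentence ("the attacker may only divert users to a development branch published by the project developers") would duplicate the new downgrade paragraph once uncommented. The `#;` form itself is correct here: it comments out exactly the `(p ...)` datum and leaves the closing `)` of the enclosing section in place.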
@@ -772,22 +772,24 @@ describe]) command prints that information:]
(prog :class "small" :line #f [
$ guix describe
-Generation 149 Jun 17 2020 20:00:14 (current)
- guix 8b1f7c0
+Generation 201 Jan 12 2022 18:15:13 (current)
+ guix 0052c3b
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
- commit: 8b1f7c03d239ca703b56f2a6e5f228c79bc1857e
+ commit: 0052c3b0458fba32920a1cfb48b8311429f0d6b5
])
-[Thus, ,(tt [guix pull]), once it has retrieved the latest commit of the
-selected branch, can verify that it is doing a ,(emph [fast-forward update]) in
+[In other words, the ,(tt [guix]) command being used was built
+from commit ,(tt [0052c3b…]) of the official Git repository.
+Once ,(tt [guix pull]) has retrieved the latest commit of the
+selected branch, it can thus verify that it is doing a ,(emph [fast-forward
update]), in
Git parlance—just like ,(tt [git pull]) does, but compared to the
previously-deployed Guix. A fast-forward update is when the new commit
is a descendant of the current commit. Going back to the figure above,
going from commit ,(it [A]) to commit ,(it [F]) is a fast-forward update, but
going
from ,(it [F]) to ,(it [A]) or from ,(it [D]) to ,(it [E]) is not.])
- (p [Not doing a fast-forward update would mean that the user is
+ (p [Doing a non-fast-forward update would mean that the user is
deploying an older version of the Guix currently used, or deploying an
unrelated version from another branch. In both cases, the user is at
risk of ending up installing older, vulnerable software. By default
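Review bot: "deploying an older version of the Guix currently used" in the rewritten `+ (p [Doing a non-fast-forward update ...` sentence is ambiguous (an older version of what is currently used?); "a version older than the Guix currently used" says what is meant. The new lead-in "In other words, the ,(tt [guix]) command being used was built from commit ,(tt [0052c3b…])" is a useful bridge from the `guix describe` output to the fast-forward check, and the updated sample output is internally consistent (the abbreviated `0052c3b` matches the full commit line).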
@@ -795,6 +797,21 @@ risk of ending up installing older, vulnerable software.
By default
protecting from roll-backs. Users who understand the risks can override
that by passing ,(tt [--allow-downgrades]).])
+ (p [This does not protect against all forms of ,(emph [branch
+teleport attacks]) as described by Torres-Arias ,(emph [et al.]) ,(ref
+:bib 'torresarias2016:omitting). Specifically, an attacker with access
+to the server hosting the Git repository could modify the reference of
+the ,(tt [master]) branch so that it points to an existing development
+branch that derives from ,(tt [master]). Users running ,(tt [guix
+pull]) would upgrade to that branch without problems—it is a
+fast-forward update. Development branches are usually infrequently
+merged with ,(tt [master]) and do not receive package security updates
+very often; consequently this attack could lead users to install
+outdated packages ,(ref :bib 'devos2021:diverted). Users may not notice
+the attack because, as long as the branch is active, ,(tt [guix pull])
+would still retrieve new changes. However, it would be difficult to
+hide from developers, which makes the attack less attractive.])
+
(p [Downgrade prevention has been extended to system deployment.
When deploying a system with ,(tt [guix system reconfigure]) or a fleet
or systems with ,(tt [guix deploy]), the currently used channels are
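Review bot: the claim "Users running ,(tt [guix pull]) would upgrade to that branch without problems—it is a fast-forward update" holds only when the development branch forked from ,(tt [master]) at or after the commit the user currently runs; if the branch point is older than the user's deployed commit, the branch tip is not a descendant of it and the fast-forward check described just above does reject the update. Stating that condition ("a fast-forward update for any user whose current commit is an ancestor of that branch") keeps the limitation precise and tells readers which users the existing protection still covers. Also, "This does not protect" opens the paragraph with a dangling referent; "The fast-forward check does not protect" ties it to the mechanism.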
@@ -1021,11 +1038,11 @@ that commit. Additional options allow users to
specify, for instance,
the name of the branch where OpenPGP keys are to be found.])
(p [This command can also authenticate ,(emph [historical
-commits])—signed commits that were made ,(emph [before]) a ,(tt
+commits])—signed commits made ,(emph [before]) a ,(tt
[.guix-authorizations]) file was introduced in the repository. In that
mode, users must provide an authorization file that represents the
static set of authorizations for all those commits whose parent(s) lack
-,(tt [.guix-authorizations]). We found it useful to retroactively
+,(tt [.guix-authorizations]). We found it useful to retroactively
authenticate the
history of the Guix repository, where commit signing became compulsory
several years before this authentication mechanism was in place.])
@@ -1035,7 +1052,7 @@ users could be gathered in a single place, once for all,
such that users
do not have to specify them every time. Communicating introductions
could also be simplified: the two twenty-byte strings above could be
represented as a single 56-character base64 string, or as a QR code.
-For broad acceptance, the best option would be to integrate the
+For broad adoption, the best option would be to integrate the
functionality in Git proper.]))
(section :title [Evaluation]