From: Jim Hyslop
Subject: Re: GPG-signed commits: a new exploit to consider
Date: Sat, 24 Sep 2005 12:16:18 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
Derek Price wrote:

> Jim Hyslop wrote:
>
>> There is a new repository attack that signed commits introduce. We should consider this attack, if only to document it and consider best practices on detecting and reducing the risk.
>>
>> The basic attack is to tamper with the GPG signature, with the goal of deliberately causing signature validation to fail. There are a couple of scenarios I can think of immediately:
>>
>> A mischievous attacker simply wants to ruffle some feathers. No actual harm is done; it's simply a nuisance. Everything could grind to a halt until the most recent backup is restored (would this be classified as a denial-of-service attack?).
>>
>> As a variation, a malicious hacker could employ this 'mischief attack' repeatedly, in the hopes that eventually people will ignore the error. Once that happens, the attacker can then slip in an actual exploit and users will assume it's the same annoyance.
>
> I'm not sure where you are going with this one.
> [...]

Agreed, the tampering will be noticed. That's the whole point of the mischief attack: to make everyone _think_ the repository's been hacked, when it really hasn't. To watch the CVS admins scramble, and users panic. Some people would see this as quite fun (to quote Ford Prefect, "rather childish, really").
The malicious attacker wants to be the wolf in the story of the boy who cried wolf.
Again, I'm not sure if these attacks can be easily prevented, but it may be worth noting them so inexperienced CVS administrators (of which we see a lot - "HELP! I got tossed into this job, how do I {...}") know how to respond.
> One problem with the loginfo hook is that I was planning on storing binary GPG-signatures when possible. They are smaller and would, at the least, look ugly on the command line, and I'm not sure what embedded NULs would do. There would be some overhead to ASCII-Armoring the signatures for passage to loginfo.
I would suspect that the overhead of ASCII-armouring would be fairly small compared to the overhead of verifying the signature. By the way, has anyone attempted to project or guess at the overhead adding the basic signing will add?
-- Jim
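As an added illustration of the ASCII-armoring question discussed in this message (this is example code written for this archive page, not code from the thread, from Derek, Jim, or the CVS project), the following Python armors a binary signature in the RFC 4880 Radix-64 form, including the CRC-24 trailer, and measures the size expansion. The signature bytes are a constructed sample, not a real GPG signature; the CRC-24 parameters are the ones RFC 4880 specifies. The point it makes is that the armored form contains no NUL bytes, so it can be passed through a loginfo-style command-line hook safely, and that the expansion is about a third plus a fixed header cost.

```python
import base64

# CRC-24 parameters from RFC 4880 section 6.1 (used by the armor checksum line).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """RFC 4880 CRC-24, bit-serial implementation (matches the RFC's C sample)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(sig: bytes, width: int = 64) -> str:
    """Wrap a binary signature as an RFC 4880 ASCII-armored signature block."""
    b64 = base64.b64encode(sig).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    # The checksum line is "=" followed by the base64 of the 3-byte CRC-24.
    crc_line = "=" + base64.b64encode(crc24(sig).to_bytes(3, "big")).decode("ascii")
    # Blank line separates (empty) armor headers from the Radix-64 body.
    return "\n".join([BEGIN, ""] + body + [crc_line, END]) + "\n"


def dearmor(text: str) -> bytes:
    """Reverse armor(); raises ValueError if the block is malformed or the CRC fails."""
    lines = text.strip().splitlines()
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing armor header or footer line")
    inner = lines[1:-1]
    try:
        blank = inner.index("")  # end of armor headers
    except ValueError:
        raise ValueError("missing blank line after armor headers")
    inner = inner[blank + 1:]
    crc_line = inner[-1]
    if not crc_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(inner[:-1]))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor CRC-24 mismatch: block corrupted or tampered in transit")
    return data


def armor_overhead(sig: bytes) -> float:
    """Size of the armored text divided by the size of the binary signature."""
    return len(armor(sig).encode("ascii")) / len(sig)


# Constructed sample "signature": 300 pseudo-random bytes that include a NUL (0x00),
# about the size of an RSA signature. Not a real OpenPGP packet.
SAMPLE_SIG = bytes((i * 37 + 11) % 256 for i in range(300))

if __name__ == "__main__":
    text = armor(SAMPLE_SIG)
    print(text)
    print("binary has NUL:", b"\x00" in SAMPLE_SIG, "| armored has NUL:", "\x00" in text)
    print("round trip ok:", dearmor(text) == SAMPLE_SIG)
    print("expansion factor: %.2f" % armor_overhead(SAMPLE_SIG))
```

The CRC-24 is an integrity check against transit corruption only, not a security mechanism; whether the signature actually verifies is still decided by the public-key check in the hook. Note that the armor expansion (roughly 1.5x for a signature of this size) is a fixed, cheap text transform, whereas one signature verification is a public-key operation, which is the comparison Jim's reply draws.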