From: Vladimir Diaz
Sender: vlad.v.diaz@gmail.com
To: gentoo-portage-dev@lists.gentoo.org
Cc: Justin Cappos, Patrick Schleizer, adrelanos grayson
Date: Sun, 15 Mar 2015 18:27:06 -0400
Subject: Re: [gentoo-portage-dev] Portage and Update Security
List-Id: Gentoo Linux mail (gentoo-portage-dev@lists.gentoo.org)

On Sat, Mar 14, 2015 at 7:18 PM, Alec Warner wrote:
> On Tue, Mar 10, 2015 at 2:15 PM, Vladimir Diaz wrote:
>
>> Hi,
>>
>> I am a developer in the Secure Systems Lab at NYU. Our lab has
>> collaborated with popular software update systems in the open-source
>> community, including APT, yum, and YaST, to address security problems.
>> More recently, we have been working on a flexible security framework
>> co-developed with the Tor project that can be easily added to software
>> updaters to transparently solve many of the known security flaws we have
>> uncovered in software updaters. We would like to work with The Portage
>> Development Project to better secure the Portage distribution system.
>
> I'm not familiar with your work on APT, do you have a link?

There are LWN.net and ;login: articles, and an Ubuntu bug report, that discuss
some of the architectural and security improvements adopted (at the time) by
APT and other package managers. The "A Look In the Mirror: Attacks on Package
Managers" paper goes into more detail.

>> TUF (The Update Framework) is a library that can be added to an existing
>> software update system and is designed to update files in a more secure
>> manner. Many software updaters verify software updates with cryptographic
>> signatures and hash functions, but they typically fail to protect against
>> malicious attacks that target the metadata and update files presented to
>> clients. A rollback attack is one such example, where an attacker tricks a
>> client into installing older files than those the client has already seen
>> (these older files may be vulnerable versions that have since been fixed).
>> A full list of attacks and weaknesses the framework is designed to address
>> is provided here.
>>
>> Our website includes more information about TUF, including: papers and
>> a specification. If you want to see how an existing project integrates
>> TUF, there is a standards track proposal to the Python community that you
>> can review. A more rigorous proposal that requires more administrative
>> work on the repository, but provides more security protections, is also
>> available.
>>
>> We were thinking of submitting a pull request that shows how such an
>> integration would work. So there hopefully won't be much legwork on your
>> end apart from deciding how the system should be configured (key storage,
>> roles, etc.).
>>
>> Would a pull request be of interest? Is there anything you'd like us to
>> say more about?
>
> I guess I am less concerned with adding support to portage (which as you
> note, is likely fairly straightforward) vs actually generating, publishing,
> and signing the metadata; which you would have to convince the
> infrastructure team to do.

How can we contact the infrastructure team? I searched the Gentoo mailing list
page and found "gentoo-infrastructure", but it is a restricted list.

>> Thanks,
>> Vlad
>>
>> P.S.
>> There are Informational and Standards Track GLEPs that reference our work
>> and the security issues that our project addresses, but there hasn't been
>> much recent activity on these proposals.
>
> FWIW, I would rather adopt the standard than continue with a gentoo
> specific thing; but I'm not the guy who is going to implement it. I would
> recommend talking to the GLEP author (robbat2@gentoo.org)

Thank you. We'll contact the GLEP author to discuss the standard.

> -A
>
>> --
>> vladimir.v.diaz@gmail.com
>> PGP fingerprint = ACCF 9DCA 73B9 862F 93C5 6608 63F8 90AA 1D25 3935

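The rollback attack described in the quoted message above, and the client-side version check a TUF-style updater uses to stop it, as an added example that is not part of this thread and is not the TUF project's own code. Everything in it is constructed: the signing key, the package file contents, the version numbers and expiry values, and the use of HMAC-SHA256 as a dependency-free stand-in for the asymmetric signatures a real repository would use. The expiry check goes slightly beyond the rollback case quoted above; it is the companion check that stops a validly signed but stale copy of the metadata from being served indefinitely.

```python
"""Client-side rollback protection for signed update metadata.

Models the check a TUF-style client performs: metadata carries a version
number and an expiry, both covered by the repository's signature, and the
client refuses metadata whose version is lower than one it already trusts.
HMAC-SHA256 stands in for asymmetric signatures; all values are constructed.
"""
import hashlib
import hmac
import json

# Constructed demo key. In TUF the repository signs with a private key and
# clients hold only the public half; HMAC keeps this example dependency-free.
REPO_KEY = b"constructed-demo-signing-key"


class RollbackError(Exception):
    """Offered metadata is older than metadata the client already trusts."""


class ExpiredMetadataError(Exception):
    """Offered metadata is past its expiry (a frozen or stale copy)."""


class BadSignatureError(Exception):
    """Signature does not match the metadata body."""


def canonical(meta):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def make_metadata(version, expires, files):
    """Build a targets-style document: per-file hash and length (constructed)."""
    targets = {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "length": len(data)}
        for name, data in files.items()
    }
    return {"version": version, "expires": expires, "targets": targets}


def sign_metadata(meta, key=REPO_KEY):
    sig = hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()
    return {"signed": meta, "sig": sig}


def verify_signature(envelope, key=REPO_KEY):
    expected = hmac.new(key, canonical(envelope["signed"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["sig"])


class Client:
    """Keeps the last trusted metadata and enforces monotonic versions."""

    def __init__(self, trusted_meta):
        self.trusted = trusted_meta

    def refresh(self, envelope, now):
        if not verify_signature(envelope):
            raise BadSignatureError("signature check failed")
        new = envelope["signed"]
        # Rollback check: a mirror or man-in-the-middle replaying older,
        # correctly signed metadata is rejected despite the valid signature.
        if new["version"] < self.trusted["version"]:
            raise RollbackError(
                f"offered version {new['version']} < trusted {self.trusted['version']}"
            )
        if new["expires"] <= now:
            raise ExpiredMetadataError(f"metadata expired at {new['expires']}")
        self.trusted = new
        return new

    def verify_target(self, name, data):
        """Check a downloaded file against the trusted metadata's hash and length."""
        info = self.trusted["targets"].get(name)
        if info is None or len(data) != info["length"]:
            return False
        return hmac.compare_digest(hashlib.sha256(data).hexdigest(), info["sha256"])


def attempt_refresh(client, envelope, now):
    """Run refresh() and report the outcome as a label (for logging and tests)."""
    try:
        client.refresh(envelope, now)
        return "accepted"
    except RollbackError:
        return "rollback"
    except ExpiredMetadataError:
        return "expired"
    except BadSignatureError:
        return "bad-signature"


if __name__ == "__main__":
    # Constructed releases: v2 supersedes v1; an attacker later re-serves v1.
    v1 = sign_metadata(make_metadata(1, 2000, {"pkg-1.0.tar.gz": b"old build"}))
    v2 = sign_metadata(make_metadata(2, 3000, {"pkg-1.1.tar.gz": b"new build"}))
    client = Client(v1["signed"])
    print(attempt_refresh(client, v2, now=1000))  # accepted
    print(attempt_refresh(client, v1, now=1000))  # rollback
```

The order of checks matters: the signature is verified before the version is compared, so an unsigned document cannot influence the client's notion of the current version, and the trusted version is only advanced after every check passes. A real client persists `trusted` across runs, since the rollback check is only as good as the client's memory of what it has already accepted.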