Does Gentoo's updater pass the TUF threat model?


adrelanos grayson

Dec 15, 2014, 9:03:19 AM12/15/14
to theupdate...@googlegroups.com
Hi,

does Gentoo's [1] updater pass the TUF threat model [2]?

Cheers,
Patrick

[1] https://www.gentoo.org/
[2] The Update Framework (TUF) - Attacks and Weaknesses:
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
http://www.webcitation.org/6F7Io2ncN

Justin Cappos

Dec 15, 2014, 9:18:29 AM12/15/14
to adrelanos grayson, theupdateframework
We checked this back when doing MITM analysis for Stork.  At that time, Portage was vulnerable to replay, mix-and-match, and freeze attacks (even without a repository compromise).  https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf

TUF protects against all of these things and also has resilience to key compromise.  This means even if online repository keys are stolen, an attacker cannot provide modified copies of trusted packages.

We have not looked at Portage recently, but I would be a bit surprised if it has compromise resilience.  It is not trivial to add since there are a lot of design subtleties.   (We have reviewed code for other projects that have tried to do this and found serious design flaws.)

Do you know if the Portage developers are interested in addressing this issue?

Justin

adrelanos grayson

Dec 15, 2014, 1:02:17 PM12/15/14
to theupdate...@googlegroups.com, adre...@riseup.net, jca...@nyu.edu
On Monday, December 15, 2014 2:18:29 PM UTC, Justin Cappos wrote:
> Do you know if the Portage developers are interested in addressing this issue?

No idea. I am unaffiliated with them. Just asked on my own initiative. However, since there is a project called Hardened Gentoo, which focuses on security, hosted on gentoo.org wiki, I think chances are good that they would be interested.

Would you like to ask them or me to proxy a message?

Justin Cappos

Dec 16, 2014, 4:56:45 PM12/16/14
to adrelanos grayson, theupdateframework
I took a quick look and think they still have the same basic signature / metadata setup as before.  They seem to be signing the package metadata (with a GPG key), but do not seem to prevent rollback attacks, timeliness attacks, or handle key compromises securely.  

We could work with them to fix these issues if they are interested.  Vlad is focused on the PyPI integration now, but we can certainly chat and gauge interest...

Thanks,
Justin
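
The attack classes named in the two replies above (replay/rollback, freeze/timeliness, mix-and-match, forged metadata) can be shown as client-side checks. This is an added illustration, not Portage or TUF code: a constructed HMAC-SHA256 key stands in for the repository's GPG signature, the snapshot/version/expires layout is an assumption modelled on TUF, and all package data is made up.

```python
import hashlib
import hmac
import json
# Constructed demo key: HMAC-SHA256 stands in for the repository's GPG
# signature so the example runs offline (an assumption, not Portage's design).
REPO_KEY = b"constructed-demo-key"

def sign(meta):
    body = json.dumps(meta, sort_keys=True).encode()
    return {"signed": meta, "sig": hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()}

def verify_sig(env):
    body = json.dumps(env["signed"], sort_keys=True).encode()
    expect = hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, env["sig"])

def check_update(trusted, env, packages, now):
    """Return 'ok' or the attack class detected. trusted = client's last
    accepted snapshot {'version': int}; env = freshly fetched signed snapshot;
    packages = {name: bytes} as served by the mirror; now = client clock."""
    if not verify_sig(env):
        return "forged-metadata"
    meta = env["signed"]
    if meta["version"] < trusted["version"]:
        return "rollback"        # validly signed but older snapshot replayed
    if meta["expires"] <= now:
        return "freeze"          # snapshot served past its expiry (timeliness)
    for name, digest in meta["packages"].items():
        blob = packages.get(name)
        if blob is None or hashlib.sha256(blob).hexdigest() != digest:
            return "mix-and-match"  # package is not the one this snapshot lists
    return "ok"

def demo(now=1_000_000.0):
    # Constructed scenarios: one honest update and one of each attack class.
    v1 = {"openssl": b"openssl-1.0.1", "bash": b"bash-4.3"}
    v2 = {"openssl": b"openssl-1.0.2", "bash": b"bash-4.3"}
    def snapshot(version, pkgs, expires):
        return sign({"version": version, "expires": expires, "packages":
                     {n: hashlib.sha256(b).hexdigest() for n, b in pkgs.items()}})
    trusted = {"version": 2}
    fresh = snapshot(3, v2, now + 86400)   # newer, unexpired
    old = snapshot(1, v1, now + 86400)     # older but still validly signed
    stale = snapshot(3, v2, now - 1)       # expired snapshot kept on a mirror
    return {
        "fresh": check_update(trusted, fresh, v2, now),
        "rollback": check_update(trusted, old, v1, now),
        "freeze": check_update(trusted, stale, v2, now),
        "mix": check_update(trusted, fresh, {**v2, "openssl": v1["openssl"]}, now),
        "forged": check_update(trusted, dict(fresh, sig="00" * 32), v2, now),
    }
```

A signature check alone (the GPG-signed metadata mentioned above) only catches the last case; the version and expiry comparisons against client-held state are what stop the other three.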

adrelanos grayson

Dec 17, 2014, 11:10:41 AM12/17/14
to theupdate...@googlegroups.com, adre...@riseup.net, jca...@nyu.edu
Sounds good.

Who will contact them? Do you like to or do you like me to contact them?

Vladimir Diaz

Dec 17, 2014, 11:58:49 AM12/17/14
to adrelanos grayson, theupdate...@googlegroups.com, Justin Cappos
Hi Adrelanos,

You may contact them if you wish, similar to how you did with the Tor folks.  CC me or theupdate...@googlegroups.com so that we can continue the discussion.

Vladimir Diaz

Dec 17, 2014, 12:46:49 PM12/17/14
to adrelanos grayson, theupdate...@googlegroups.com, Justin Cappos
I would be happy to email them, but do not know anyone in this community.  Do you think it would be more effective if you communicate with them initially or I do? 

We're definitely interested in talking with them.

adrelanos grayson

Dec 17, 2014, 12:57:27 PM12/17/14
to theupdate...@googlegroups.com, adre...@riseup.net, jca...@nyu.edu
I don't know any of them. Just got interested in Gentoo recently.

Much better if you skip the middleman (me).

I'd appreciate if you contacted them.

Thanks,
Patrick

Vladimir Diaz

Dec 17, 2014, 1:16:12 PM12/17/14
to adrelanos grayson, theupdate...@googlegroups.com, Justin Cappos
I would be happy to contact them.  Thanks for bringing this to our attention.

adrelanos grayson

Dec 20, 2014, 7:45:31 AM12/20/14
to theupdate...@googlegroups.com, adre...@riseup.net, jca...@nyu.edu
On Wednesday, December 17, 2014 6:16:12 PM UTC, vladimir.v.diaz wrote:
> I would be happy to contact them.  Thanks for bringing this to our attention.

Great!

Please consider adding some public mailing list to cc. Would like to follow your discussions.

Cheers,
Patrick

Vladimir Diaz

Dec 20, 2014, 10:49:24 AM12/20/14
to adrelanos grayson, theupdate...@googlegroups.com, Justin Cappos
Hi Patrick,

After reviewing Portage's Github repository and discussing it with the team, we thought it might be better to first demonstrate a few attacks and submit a proof of concept of the integration that they can review (along with a proposal and documentation).  We have tried email/public discussions with other open source projects, but progress tends to proceed at a slow pace.  We might be overwhelming them with papers / documentation, which takes time to review.  And sharing too little information leads to many questions.  What do you think of our idea?  Should we try a different approach?

We can also start a dialogue by asking about their current setup.  For example, what role does the "timestamp.chk" file play in their update system, and what other attacks are prevented?  See https://github.com/gentoo/portage/commit/d7c0bd69cc7d4ac9b1b45f1b30e07019bd716bd6

Thanks,
Vlad

Patrick Schleizer

Jan 2, 2015, 11:32:48 AM1/2/15
to theupdate...@googlegroups.com
Vladimir Diaz:
> After reviewing Portage's Github repository
> <https://github.com/gentoo/portage> and discussing it with the team, we
> thought it might be better to first demonstrate a few attacks and submit a
> proof of concept of the integration that they can review (along with a
> proposal and documentation). We have tried email/public discussions with
> other open source projects, but progress tends to proceed at a slow pace.
> We might be overwhelming them with papers / documentation, which takes time
> to review. And sharing too little information leads to many questions.
> What do you think of our idea? Should we try a different approach?
>
> We can also start a dialogue by asking about their current setup. For
> example, what role does the "timestamp.chk" file play in their update
> system, and what other attacks are prevented? See
> https://github.com/gentoo/portage/commit/d7c0bd69cc7d4ac9b1b45f1b30e07019bd716bd6

Hi Vladimir,

I would hope that they believe you without demonstrating attacks, so
you can save time writing code just for that.

Asking for more details before doing a bug report sounds sensible.

Your approach sounds good overall.

I am maintaining a Debian/Linux derivative myself (Whonix), so I can
understand both perspectives: being overwhelmed by suggestions as a
maintainer, as well as getting through to other maintainers when
reporting issues. I am also very much interested in brain research
and applying it for practical purposes.

For one, they don't know you. Due to the load of "invalid" reports, the
first step must be to get through their mental filters. A few examples of
my techniques:

A philosophically invalid, yet practically most effective, approach is
the argument from authority. Therefore try to quote people they already
respect. Example:
https://trac.torproject.org/projects/tor/ticket/7277

If that is not possible, make one yourself. Introduce your team, include
terms such as "professor". Don't push it. ;) I am sure you'll get the
right balance. Link to related, previous work such as your
papers/research on package manager security that really led to improved
security in various Linux distributions.

Also, a strategy of not overwhelming them with information in the first post,
writing a concise report plus linking references, worked best for me.
Examples:
https://trac.torproject.org/projects/tor/ticket/8751
https://trac.torproject.org/projects/tor/ticket/8170

Perhaps try a dual strategy. Contacting them directly as you planned
right now and starting with the public discussion where you answer
questions a bit later.

But you have actual experience with not just reporting such issues in
package managers, but also working with dev teams to get them fixed. I
don't. So please don't put too much thought into my theoretical
considerations.

Cheers,
Patrick

Patrick Schleizer

Feb 13, 2015, 8:10:42 PM2/13/15
to theupdate...@googlegroups.com
Is there any news?

Cheers,
Patrick

Patrick Schleizer

Mar 2, 2015, 8:56:57 AM3/2/15
to vladimir.v.diaz@gmail.com >> Vladimir Diaz, theupdate...@googlegroups.com
Hi Vladimir,

what happened to this?

Cheers,
Patrick

Vladimir Diaz:

Vladimir Diaz

Mar 2, 2015, 3:04:52 PM3/2/15
to Patrick Schleizer, Justin Cappos, theupdate...@googlegroups.com
Hi Patrick,

Apologies if it seems like we have been delaying the Portage integration.  We have had quite a few projects express interest and were also busy with the PyPI integration.  We are excited to get started on this integration.

My review of the Docker specification and the Registry v2 proposal (includes TUF) should be finished either today or tomorrow.  I will begin the Gentoo/Portage integration progress hopefully by this Wednesday.

The plan is to work on the Portage integration and then submit a patch request (as previously outlined).
However, do you think it makes more sense to first gauge interest by asking on their mailing list?
On Wed, Feb 18, 2015 at 8:32 PM, Vladimir Diaz <vladimi...@gmail.com> wrote:
Hi Patrick,

I hope you don't mind if we postpone some of your requests for approximately a week.  We would like to keep the momentum going with the Go implementation + Docker integration that has suddenly transpired.

Some positive news about Debian packaging: Gunnar Wolf and Josue Abarca (from the Python modules team) are helping us get our package adopted.

-Vlad

---
PGP key fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
---

On Wed, Feb 18, 2015 at 1:53 PM, Vladimir Diaz <vladimi...@gmail.com> wrote:
No, not yet.  As explained in my previous reply, I would like to follow the PR/patch approach with Portage due to my most recent experience with OpenWireless and dealing with Github tickets/requests.  Submitting a patch/feature request to Portage is outlined here: http://wiki.gentoo.or/wiki/Project:Portage#Submitting_Patches.  But I do agree with your suggestion that demonstrating attacks shouldn't be needed.

My plan is to include a summary of the security issues we are addressing, our solution (the patch),  available documentation/papers that they may review, and background information (i.e., TUF authors, projects using/interested in TUF, etc.)  Our patch is likely to be small (especially if we decide to use interposition), so it shouldn't take much effort apart from reading their code and deciding on what needs to change.

We can start on a patch request soon (e.g., to increase adoption and more success), but I would like to complete a few PyPI integration TODOs before I start looking at Portage's code base again.

P.S. It might be better to discuss integration strategies off the mailing list (email), or on Github by opening ticket requests for projects that might want to integrate TUF.

-Vlad

---
PGP key fingerprint = ACCF 9DCA 73B9 862F 93C5  6608 63F8 90AA 1D25 3935
---

Patrick Schleizer

Mar 4, 2015, 4:59:11 PM3/4/15
to Vladimir Diaz, Justin Cappos, theupdate...@googlegroups.com
Vladimir Diaz:
> However, do you think it makes more sense to first gauge interest by asking
> on their mailing list?

Yes.

Cheers,
Patrick
