| 1 | GLEP: 57 |
1 | GLEP: 57 |
| 2 | Title: Security of distribution of Gentoo software - Overview |
2 | Title: Security of distribution of Gentoo software - Overview |
| 3 | Version: $Revision: 1.1 $ |
3 | Version: $Revision: 1.5 $ |
| 4 | Last-Modified: $Date: 2008/10/21 23:30:47 $ |
4 | Last-Modified: $Date: 2010/02/07 16:24:17 $ |
| 5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
5 | Author: Robin Hugh Johnson <robbat2@gentoo.org> |
| 6 | Status: Draft |
6 | Status: Final |
| 7 | Type: Informational |
7 | Type: Informational |
| 8 | Content-Type: text/x-rst |
8 | Content-Type: text/x-rst |
| 9 | Created: November 2005 |
9 | Created: November 2005 |
| 10 | Updated: May 2006, October 2006, Novemeber 2007, June 2008, July 2008, October 2008 |
10 | Updated: May 2006, October 2006, November 2007, June 2008, July 2008, October 2008, January 2010 |
|
|
11 | Post-History: December 2009 |
|
|
12 | Approved: 18 January 2010 |
| 11 | |
13 | |
| 12 | Abstract |
14 | Abstract |
| 13 | ======== |
15 | ======== |
| 14 | This is the first in a series of 4 GLEPs. It aims to define the actors |
16 | This is the first in a series of 4 GLEPs. It aims to define the actors |
| 15 | and problems in the Gentoo software distribution process, with a strong |
17 | and problems in the Gentoo software distribution process, with a strong |
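Review bot: the new `Updated:` line (line 10 in the revised text) runs to roughly 100 columns, well past the `tw=72` requested by the modeline at the end of the file; wrap it, or split it into a short list, so the header stays consistent with the rest of the document's 72-column layout. The Draft to Final status change together with the added `Post-History:` and `Approved:` fields is otherwise the expected bookkeeping for a GLEP that has been accepted, and the `Novemeber` to `November` fix is correct.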
| … | |
… | |
| 51 | in portage, makes it trivial to modify or replace the existing |
53 | in portage, makes it trivial to modify or replace the existing |
| 52 | Manifests. |
54 | Manifests. |
| 53 | - Vulnerability of existing infrastructure to attacks. |
55 | - Vulnerability of existing infrastructure to attacks. |
| 54 | The previous two items make it possible for a skilled attacker to |
56 | The previous two items make it possible for a skilled attacker to |
| 55 | design an attack and then execute it against specific portions of |
57 | design an attack and then execute it against specific portions of |
| 56 | existing infrastructure (eg: Compromise a country-local rsync mirror, |
58 | existing infrastructure (e.g.: Compromise a country-local rsync |
| 57 | and totally replace a package and it's Manifest). |
59 | mirror, and totally replace a package and it's Manifest). |
| 58 | |
60 | |
| 59 | Specification |
61 | Specification |
| 60 | ============= |
62 | ============= |
| 61 | Security is not something that can be considered in isolation. It is |
63 | Security is not something that can be considered in isolation. It is |
| 62 | both an ongoing holistic process and lessons learnt by examining |
64 | both an ongoing holistic process and lessons learnt by examining |
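Review bot: while reflowing the parenthetical on lines 58-59 of the revised text, also correct "it's Manifest" to "its Manifest"; the possessive is meant here and the hunk already touches that sentence, so the typo survives the rewrite unnecessarily. The `eg:` to `e.g.:` change and the re-wrap to 72 columns are fine.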
| … | |
… | |
| 91 | |
93 | |
| 92 | Attacks may be conducted against any of these entities. Obviously |
94 | Attacks may be conducted against any of these entities. Obviously |
| 93 | direct attacks against Upstream and Users are outside of the scope of |
95 | direct attacks against Upstream and Users are outside of the scope of |
| 94 | this series of GLEPs as they are not in any way controlled or |
96 | this series of GLEPs as they are not in any way controlled or |
| 95 | controllable by Gentoo - however attacks using Gentoo as a conduit |
97 | controllable by Gentoo - however attacks using Gentoo as a conduit |
| 96 | (including malicous mirrors) must be considered. |
98 | (including malicious mirrors) must be considered. |
| 97 | |
99 | |
| 98 | Processes |
100 | Processes |
| 99 | --------- |
101 | --------- |
| 100 | There are two major processes in the distribution of Gentoo, where |
102 | There are two major processes in the distribution of Gentoo, where |
| 101 | security needs to be implemented: |
103 | security needs to be implemented: |
| … | |
… | |
| 103 | - Developer commits to version control systems controlled by |
105 | - Developer commits to version control systems controlled by |
| 104 | Infrastructure. |
106 | Infrastructure. |
| 105 | - Tree and distfile distribution from Infrastructure to Users, via the |
107 | - Tree and distfile distribution from Infrastructure to Users, via the |
| 106 | mirrors (this includes both HTTP and rsync distribution). |
108 | mirrors (this includes both HTTP and rsync distribution). |
| 107 | |
109 | |
| 108 | Both processes need their security improved. In [GLEPxx+2] we will discuss |
110 | Both processes need their security improved. In [#GLEPxx+2] we will discuss |
| 109 | how to improve the security of the first process. The relatively |
111 | how to improve the security of the first process. The relatively |
| 110 | speaking simpler process of file distribution will be described in |
112 | speaking simpler process of file distribution will be described in |
| 111 | [GLEPxx+1]. Since it can be implemented without having to change the |
113 | [#GLEP58]. Since it can be implemented without having to change the |
| 112 | workflow and behaviour of developers we hope to get it done in a |
114 | workflow and behaviour of developers we hope to get it done in a |
| 113 | reasonably short timeframe. |
115 | reasonably short timeframe. |
| 114 | |
116 | |
| 115 | Attacks against Processes |
117 | Attacks against Processes |
| 116 | ------------------------- |
118 | ------------------------- |
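Review bot: the new references `[#GLEPxx+2]` and `[#GLEP58]` on lines 110 and 113 of the revised text are written as reST footnote labels but lack the trailing underscore that turns them into references (`[#GLEP58]_`); as written docutils will emit them as literal bracketed text rather than linking them to the footnote targets, and a footnote target with no matching reference will not be numbered. Also consider whether `GLEPxx+2` should still be a placeholder now that the sibling document has been assigned the number 58; if the developer-process GLEP has not been numbered yet, say so once next to the target rather than carrying an `xx+2` label through the body.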
| … | |
… | |
| 148 | Protection for process #1 can never be complete (without major |
150 | Protection for process #1 can never be complete (without major |
| 149 | modifications to our development process), as a malicious developer is |
151 | modifications to our development process), as a malicious developer is |
| 150 | fully authorized to provide materials for distribution. Partial |
152 | fully authorized to provide materials for distribution. Partial |
| 151 | protection can be gained by Portage and Infrastructure changes, but the |
153 | protection can be gained by Portage and Infrastructure changes, but the |
| 152 | real improvements needed are developer education and continued |
154 | real improvements needed are developer education and continued |
| 153 | vigilance. This is further discussed in [GLEPxx+2]. |
155 | vigilance. This is further discussed in [#GLEPxx+2]. |
| 154 | |
156 | |
| 155 | This security is still limited in scope - protection against compromised |
157 | This security is still limited in scope - protection against compromised |
| 156 | developers is very expensive, and even complex systems like peer review |
158 | developers is very expensive, and even complex systems like peer review |
| 157 | / multiple signatures can be broken by colluding developers. There are many |
159 | / multiple signatures can be broken by colluding developers. There are many |
| 158 | issues, be it social or technical, that increase the cost of such |
160 | issues, be it social or technical, that increase the cost of such |
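Review bot: line 155 of the revised text has the same reST problem as the other reference changes in this revision: `[#GLEPxx+2]` needs a trailing underscore (`[#GLEPxx+2]_`) to become a footnote reference. Since the change on this line is purely to the reference syntax, it would be worth fixing all occurrences in one pass so the body does not end up with a mix of linked and unlinked citations.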
| … | |
… | |
| 163 | Protection for process #2 is a different matter entirely. While it also |
165 | Protection for process #2 is a different matter entirely. While it also |
| 164 | cannot be complete (as the User may be attacked directly), we can ensure |
166 | cannot be complete (as the User may be attacked directly), we can ensure |
| 165 | that Gentoo infrastructure and the mirrors are not a weak point. This |
167 | that Gentoo infrastructure and the mirrors are not a weak point. This |
| 166 | objective is actually much closer than it seems already - most of the |
168 | objective is actually much closer than it seems already - most of the |
| 167 | work has been completed for other things!. This is further discussed in |
169 | work has been completed for other things!. This is further discussed in |
| 168 | [GLEP58]. As this process has the most to gain in security, and the |
170 | [#GLEP58]. As this process has the most to gain in security, and the |
| 169 | most immediate impact, it should be implemented before or at the same |
171 | most immediate impact, it should be implemented before or at the same |
| 170 | time as any changes to process #1. Security at this layer is already |
172 | time as any changes to process #1. Security at this layer is already |
| 171 | available in the signed daily snapshots, but we can extend it to cover |
173 | available in the signed daily snapshots, but we can extend it to cover |
| 172 | the rsync mirrors as well. |
174 | the rsync mirrors as well. |
| 173 | |
175 | |
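Review bot: the only change in this hunk is `[GLEP58]` to `[#GLEP58]` on line 170 of the revised text, which (like the other reference edits) still needs the trailing underscore to render as a link. Since the paragraph is already being touched, the stray "!." on line 169 ("for other things!.") should also be reduced to a single punctuation mark, and "is actually much closer than it seems already" reads more cleanly as "is already much closer than it seems".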
| … | |
… | |
| 302 | from Marius Mauch (genone). |
304 | from Marius Mauch (genone). |
| 303 | |
305 | |
| 304 | 2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
306 | 2008-04-03, gentoo-dev mailing list, "Re: Monthly Gentoo Council |
| 305 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
307 | Reminder for April" - Ciaran McCreesh (ciaranm). A thread in which |
| 306 | Ciaran reminds everybody that simply making all the developers sign the |
308 | Ciaran reminds everybody that simply making all the developers sign the |
| 307 | tree is not sufficent to prevent all attacks. |
309 | tree is not sufficient to prevent all attacks. |
| 308 | [ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] |
310 | [ http://thread.gmane.org/gmane.linux.gentoo.devel/55508/focus=55542 ] |
| 309 | |
311 | |
| 310 | 2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
312 | 2008-07-01, gentoo-portage-dev mailing list, "proto-GLEPS for |
| 311 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
313 | Tree-signing" - Robin H. Johnson (robbat2). Thread looking for review |
| 312 | input from Portage developers. |
314 | input from Portage developers. |
| … | |
… | |
| 333 | University of Arizona Technical Report TR08-02. Available online |
335 | University of Arizona Technical Report TR08-02. Available online |
| 334 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
336 | from: ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf |
| 335 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
337 | [C08b] Cappos, J et al. (2008). "Attacks on Package Managers" |
| 336 | Available online at: |
338 | Available online at: |
| 337 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
339 | http://www.cs.arizona.edu/people/justin/packagemanagersecurity/ |
|
|
340 | [#GLEPxx+2] Future GLEP on Developer Process security. |
|
|
341 | [#GLEPxx+3] Future GLEP on GnuPG Policies and Handling. |
| 338 | |
342 | |
| 339 | Copyright |
343 | Copyright |
| 340 | ========= |
344 | ========= |
| 341 | Copyright (c) 2006 by Robin Hugh Johnson. This material may be |
345 | Copyright (c) 2005-2010 by Robin Hugh Johnson. This material may be |
| 342 | distributed only subject to the terms and conditions set forth in the |
346 | distributed only subject to the terms and conditions set forth in the |
| 343 | Open Publication License, v1.0. |
347 | Open Publication License, v1.0. |
| 344 | |
348 | |
| 345 | vim: tw=72 ts=2 expandtab: |
349 | vim: tw=72 ts=2 expandtab: |
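Review bot: the two new entries `[#GLEPxx+2]` and `[#GLEPxx+3]` use autonumbered footnote labels while the existing entries in the same list (`[C08b]` and the surrounding citations) use citation-style labels; mixing the two in one reference list is inconsistent and, under docutils, the `[#...]` entries are rendered as numbered footnotes rather than as citations alongside `[C08b]`. Pick one style, preferably citation labels such as `[GLEP58]` / `[GLEPxx+2]` referenced as `[GLEP58]_` in the body. Note also that nothing in the shown hunks references `[#GLEPxx+3]`; confirm it is cited in the elided body, otherwise the target is dead. The copyright range change to 2005-2010 matches the `Created: November 2005` header and is fine.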