Date:      Mon, 13 Jan 2003 00:51:07 -0500
From:      "Nathan J. Yoder" <njyoder@gummibears.nu>
To:        freebsd-security@FreeBSD.org
Subject:   digital signatures for downloads
Message-ID:  <6121584208.20030113005107@gummibears.nu>

        I'd like to suggest that the downloads for FreeBSD systems
(whether directly through *.FreeBSD.org or not) should be digitally
signed.  By digital signature I don't simply mean a bare MD5 hash, as
that could have been changed in transit.  Most importantly, this would
include cvs files transferred via cvsup (FreeBSD source and ports),
pre-compiled binary packages and security patches.

While the FreeBSD security advisories are signed, they don't include
secure hashes of the patches; rather, they just provide an insecure FTP
link. This leaves it wide open to a MITM attack (in the case of FTP
this is relatively easy if you can sniff traffic and the person uses
active mode).  Realistically it would probably be very difficult to
insert a source trojan into most of the patches considering their
small size (at least to anyone who actually checked them), but signing
is definitely needed for other types of downloads like cvsup.

By launching a MITM attack on a cvsup connection, an attacker can
choose to modify, add, or delete the source of any file in the tree,
which is unlikely to be detected by most users.  This can be used to
insert a trojan anywhere in the source.  This applies to both the
FreeBSD source and the ports collection.  Yes, the ports collection
does include MD5 hashes, but someone capable of a MITM attack can
change the hash to that of the evil trojaned version.

Lastly we have pre-compiled binaries.  These can either be flat-out
replaced with a trojaned version or subjected to some kind of
real-time code injection into the binary.

Anyway, the solution to all this is relatively simple, as stated
above: digitally sign all the stuff with specially designated FreeBSD
keys that are automagically verified without the user having to do
anything (this would be done by _default_, with the capability to
disable it).  For patches and pre-compiled binaries a simple front-end
script can be used to download the file, verify it, then pass on the
full-fledged file to continue processing it.  Perhaps a clever person
could hide the signature inside of the a.out/ELF binary itself (like
Authenticode *gag*), but that might add needless complication.

With cvsup this may be possible with a hack on the client side.  This
would involve digitally signing all source files, then using a special
naming scheme to create a digital signature file that corresponds to a
given file (i.e. happy.c.sig would correspond to happy.c).  The hack
comes in by modifying the cvsup client to verify the signatures for
files automagically.  Or I suppose the make system could be made to
verify signatures upon the making of files.  Now of course the problem
here is that there are a lot of files to sign, so this may be worked
around by signing multiple files in the same signature (like signing a
giant conglomerate file).

      Now keep in mind all this may have already been compensated for
and I'm just smoking crack, but I just want to make sure something is
done either way. I'd be willing to help implement the changes to
FreeBSD to make this signature stuff happen if I can get some
supporters. I have a cat on my head, weeeeeeee....


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6121584208.20030113005107>
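The scheme the message sketches, as an added example that is not code from the message, from cvsup, or from FreeBSD: instead of one .sig per file, the client hashes every file into a single manifest, the project signs that one manifest with a key whose public half is pinned in the client, and the client refuses the tree if either the signature or any per-file hash fails. The manifest line format, the Ed25519 key pair (derived from a fixed seed purely so the run is reproducible), the file contents, and the trojan payload are all constructed for the example; only Go's standard library is used. It also shows why the author's objection to bare MD5 hashes holds: the attacker who rewrites the hash line gets past CheckHashes, but not past the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest format assumed for this example (not FreeBSD's): one line per
// file, "<sha256-hex>  <path>", sorted by path. Signing this single file
// covers the whole tree, i.e. the "giant conglomerate file" approach.
func BuildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b bytes.Buffer
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.Bytes()
}

// SignManifest produces the detached signature (the "manifest.sig") with
// the project's private key, which never leaves the signing host.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// CheckHashes is the bare-hash check by itself: every file must match the
// manifest and the manifest must list every file (no silent add/delete).
func CheckHashes(manifest []byte, files map[string][]byte) error {
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	for p, want := range expected {
		data, ok := files[p]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: hash mismatch", p)
		}
	}
	for p := range files {
		if _, ok := expected[p]; !ok {
			return fmt.Errorf("%s: not in manifest", p)
		}
	}
	return nil
}

// VerifyTree is what the client runs by default, before anything is used:
// signature against the pinned public key first, then per-file hashes.
func VerifyTree(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature does not verify: manifest or signature altered")
	}
	return CheckHashes(manifest, files)
}

// Tamper models the MITM from the message: swap in a trojaned file and
// rewrite its hash line, as an attacker who can edit a bare hash file would.
func Tamper(files map[string][]byte, path string, trojan []byte) (map[string][]byte, []byte) {
	out := make(map[string][]byte, len(files))
	for k, v := range files {
		out[k] = v
	}
	out[path] = trojan
	return out, BuildManifest(out)
}

// DemoKey derives a key pair from a fixed seed so the run is reproducible;
// a real signing key comes from ed25519.GenerateKey and stays offline.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// DemoTree is a constructed stand-in for a checked-out source tree.
func DemoTree() map[string][]byte {
	return map[string][]byte{
		"happy.c":  []byte("int main(void) { return 0; }\n"),
		"Makefile": []byte("all:\n\tcc -o happy happy.c\n"),
	}
}

func main() {
	pub, priv := DemoKey()
	files := DemoTree()
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean tree:", VerifyTree(pub, manifest, sig, files))
	evilFiles, evilManifest := Tamper(files, "happy.c", []byte("/* trojaned */\n"))
	fmt.Println("trojaned, bare hashes only:", CheckHashes(evilManifest, evilFiles))
	fmt.Println("trojaned, signed manifest:", VerifyTree(pub, evilManifest, sig, evilFiles))
	fmt.Println("trojaned, manifest untouched:", VerifyTree(pub, manifest, sig, evilFiles))
}
```

The point of the second and third lines of output is the whole argument of the message: CheckHashes alone accepts the trojaned tree because the attacker rewrote the hash too, while VerifyTree rejects it because the rewritten manifest no longer carries a valid signature. The same VerifyTree call is the "front-end script" for a patch or binary: download the file and its signed manifest, verify, and only then hand the file on.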