From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 20:26:02 2014
From: David Noel
To: Brooks Davis
Cc: freebsd-security@freebsd.org, bapt@FreeBSD.org, Colin Percival
Date: Thu, 10 Apr 2014 15:26:00 -0500
Subject: Re: MITM attacks against portsnap and freebsd-update
References: <20140410183330.GB31394@lor.one-eyed-alien.net>
On 4/10/14, David Noel wrote:

>> I'm not convinced that a rototil of the protocol and all the associated
>> storage duplication is worth the effort.
>
> As far as portsnap is concerned I'm not convinced that ANY amount of
> effort is worth it. That is why I was hoping to start a conversation
> on the possibility of phasing it out.
>
>> It's better in my mind to commit one of the patches to sandbox gzip
>> with Capsicum...
>
> Portsnap also passes unverified files to tar, so that would need to
> be patched too.
>
>> ...which will protect from everything except filling the
>> disk by denying gunzip the ability to do anything but write to the file
>> opened by the script. That will protect all gzip users.
>
> I agree that what you're proposing is probably the simplest solution,
> but I'm not convinced that it would guarantee system security. Nothing
> against Robert Watson, but sandboxes are always being broken out of.
> There's a history of vulnerabilities in the jail subsystem; isn't it
> likely that someone some day will find a bug in Capsicum? As unlikely
> as it seems that someone would be able to pull off a MITM attack,
> possess a tar or gzip 0day, and also possess a Capsicum 0day, there is
> -- like Murphy's law -- that old saying*: "Any bug that can be
> exploited will be."
>
> *I definitely just made that up, but I do firmly believe it to be true.
>
>> What do you mean by a freeze attack? I'm not familiar with this term
>> and I didn't find this post, the PRs, or a quick Google search
>> illuminating.
>
> Sorry. A freeze attack is similar to a replay attack. In a replay
> attack an attacker would feed the system an older, exploitable version
> of the software being updated so that they could break in. A freeze
> attack is when an attacker feeds the system the same version of the
> software being updated so that critical updates are not installed.
> While portsnap and freebsd-update do check to ensure that what's being
> updated is no older than what's currently on the system, they do not
> check to ensure that what's being updated is not the same version as
> what's currently installed.
>
> -David

A paper I found useful back when I first started digging into portsnap
and freebsd-update is titled "Package Management Security" and can be
found at ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf. It reviews
common attacks against package management systems, analyzes both APT and
YUM, and points out a number of flaws in them. Many of the attacks
discussed also apply to the design of our ports tree management and
binary update systems. A very good read for anyone interested in that
sort of thing.

Baptiste, this conversation made me think of your work on pkgng (I love
it, by the way!), so I thought I'd cc you as well. I don't know how
knowledgeable you are about common attack vectors against package
management systems, so I thought maybe this paper would be of some
interest to you.

I realize I cut off the first email, so if you're curious and didn't see
my initial message you can find it here:
http://www.mail-archive.com/freebsd-security@freebsd.org/msg04777.html

Regards,
David Noel
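Added example, not part of the mail above and not portsnap's or freebsd-update's own code: a small client-side check that tells apart the two attacks described in the thread. The snapshot descriptor layout, the HMAC used as a stand-in for the publisher's signature, and the one-week freshness window are all assumptions made for the illustration. A version comparison alone catches a replay (served version older than installed) but cannot catch a freeze, because "same version as installed" is also what an honest mirror serves during a quiet week; the usual way to make a freeze detectable is for the publisher to re-sign the descriptor on a schedule, so that a descriptor that has not been re-issued within the window is rejected even when its version matches.

```python
"""Replay- and freeze-attack checks for signed update metadata.

Constructed example: the metadata layout, the HMAC stand-in for the
publisher's signature, and the one-week freshness window are assumptions,
not portsnap's or freebsd-update's actual format or logic.
"""
import hashlib
import hmac
import json

# Stand-in for the publisher's signing key. A real system would use a
# public-key signature so that the client never holds the signing secret.
PUBLISHER_KEY = b"constructed-demo-key"

# How long a signed snapshot may be served before the client treats it as
# frozen. The publisher must re-sign (with a fresh 'issued' time) more often
# than this, even when nothing in the tree has changed.
MAX_AGE_SECONDS = 7 * 24 * 3600


def _canonical(meta: dict) -> bytes:
    # Canonical serialisation so signer and verifier hash identical bytes.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_snapshot(version: int, issued: int, tree_hash: str) -> dict:
    """Publisher side: sign a snapshot descriptor."""
    meta = {"version": version, "issued": issued, "tree_hash": tree_hash}
    sig = hmac.new(PUBLISHER_KEY, _canonical(meta), hashlib.sha256).hexdigest()
    return {"meta": meta, "sig": sig}


def verify_snapshot(signed: dict) -> dict:
    """Client side: check the signature before trusting any field."""
    expected = hmac.new(PUBLISHER_KEY, _canonical(signed["meta"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("snapshot signature does not verify")
    return signed["meta"]


def classify_update(signed: dict, installed_version: int, now: int) -> str:
    """Return 'replay', 'freeze', 'current' or 'update'.

    replay : served version is older than what is installed.
    freeze : served snapshot verifies and is not older than the installed
             one, but was not re-issued within MAX_AGE_SECONDS, so a mirror
             (or a MITM) is holding the client on a stale snapshot.
    current: fresh and identical to what is installed.
    update : fresh and newer than what is installed.
    """
    meta = verify_snapshot(signed)
    if meta["version"] < installed_version:
        return "replay"
    if now - meta["issued"] > MAX_AGE_SECONDS:
        return "freeze"
    if meta["version"] == installed_version:
        return "current"
    return "update"


def demo() -> dict:
    """Constructed scenario: the client has snapshot version 5 installed."""
    now = 1_397_161_560          # 2014-04-10, taken from the mail's Date header
    day = 24 * 3600
    installed = 5
    results = {
        # Attacker replays last month's snapshot (older version).
        "replay": classify_update(sign_snapshot(4, now - 40 * day, "aa"), installed, now),
        # Attacker keeps serving the version-5 snapshot the client already
        # has, never refreshed: same version, but stale.
        "freeze": classify_update(sign_snapshot(5, now - 9 * day, "bb"), installed, now),
        # Honest mirror, nothing new, but the publisher re-signed yesterday.
        "current": classify_update(sign_snapshot(5, now - 1 * day, "bb"), installed, now),
        # Honest mirror, a genuinely new snapshot.
        "update": classify_update(sign_snapshot(6, now - 3600, "cc"), installed, now),
    }
    # Tampering with a signed descriptor must fail closed.
    forged = sign_snapshot(6, now, "cc")
    forged["meta"]["version"] = 7
    try:
        classify_update(forged, installed, now)
        results["tamper"] = "accepted"
    except ValueError:
        results["tamper"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8s} -> {outcome}")
```

The order of the checks matters: the signature is verified before any field is read, the version comparison runs before the age check so a replayed old snapshot is reported as a replay rather than merely as stale, and a descriptor whose version equals the installed one is accepted only while the publisher's freshness promise still holds.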