Date: Fri, 2 Jan 2009 19:05:24 +0100 From: cpghost <cpghost@cordula.ws> To: Matt <datahead4@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Foiling MITM attacks on source and ports trees Message-ID: <20090102180524.GA1742@phenom.cordula.ws> In-Reply-To: <cd6b4a5b0901020926t11dc7817j74e44cf61980f262@mail.gmail.com> References: <20090102164412.GA1258@phenom.cordula.ws> <cd6b4a5b0901020926t11dc7817j74e44cf61980f262@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jan 02, 2009 at 11:26:45AM -0600, Matt wrote: > On Fri, Jan 2, 2009 at 10:44 AM, cpghost <cpghost@cordula.ws> wrote: > > Hello, > > > > with MITM attacks [1] on the rise, I'm concerned about the integrity > > of local /usr/src, /usr/doc, and /usr/ports trees fetched through csup > > (and portsnap) from master or mirror servers. > > > > [1] http://en.wikipedia.org/wiki/Man-in-the-middle_attack > > > > There's already a small protection against MITM on the distfiles in > > ports: distinfo contain md5 and sha256 digests. This is an excellent > > idea that could be extended to *all* files in /usr/src, /usr/doc, and > > /usr/ports. > > Something like this was discussed back in September: > http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/026052.html > > I haven't tried Max's script yet, but it looks like it should do at > least some of what you're looking for. It's a beginning for sure. I assume (403 error) Max generates and saves digests on his snapshots and the verification script does the same locally and simply compares both lists. In an extended version, it could grep for the digests in the increasingly big list on Max's site... But that's not ideal because: 1) There's no guarantee that Max's csup has not been MITM-ed itself. 2) Max can't csup EVERY revision to digest it in near real-time. 3) Even with SSL on his site, I'd prefer a digitally signed list. ;) With this version of the script, it's not possible to check the integrity of an arbitrary specific snapshot in time (say, starting with the subversion migration and later). That's why I'm thinking of (file, revision, digest) tuples, and not just (file, digest) tuples that would need to go in that list; and a logic to fetch a subset of the list, based on revision numbers. The main problem I see here with (file, digest) tuples, is how to guess the right revision number of the local file. Unless that is transferred alongside csup (into a metadata directory? /var/db/sup perhaps?), it will be necessary to check a local file against a list of "known and good" digests -- the list created from the repository out of all revisions that ever existed for that file --. This is good enough against casual MITM, where an attacker creates his own replacement files, but it's not good enough if the attacker merely substitutes a current file with an older (but legitimate) file that contains a vulnerability. That old file would verify OK because it has a valid digest, but it's still not the file that should be in the checkout. See the problem? Thanks, -cpghost. -- Cordula's Web. http://www.cordula.ws/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090102180524.GA1742>