Subject: bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
From: Maxime Devos
To: Ludovic Courtès
Cc: 48146@debbugs.gnu.org
Date: Thu, 06 May 2021 10:19:30 +0200
In-Reply-To: <874kfgj4xm.fsf@gnu.org>
List: bug-guix@gnu.org (Bug reports for GNU Guix)
X-GNU-PR-Keywords: security
Ludovic Courtès wrote on Wed 05-05-2021 at 22:34 [+0200]:
> Hi Maxime,
> 
> Maxime Devos wrote:
> 
> > 5. The user is at commit A. There is a correctly-signed commit C on, say, core-updates,
> >    such that: C comes after A, but C is not yet in master for the foreseeable future.
> > 
> > Method:
> > 6. The attacker subverts savannah, replacing the tip of 'master' with 'C'.
> >    To avoid detection, this subverted master is only served to the targeted users.
> > 7. The targeted users' systems' unattended-service-type
> >    do their equivalent of "guix pull && guix system reconfigure ...".
> > 8. The targeted systems are now on core-updates, which does not receive timely
> >    security updates.
> > 9. On future automatic upgrades, the users' systems will stay on core-updates,
> >    without any obvious indication something is wrong. (Aside from recompilations,
> >    maybe the user's machine has 40GiB RAM, dozens of processors and sits in some
> >    data centre where the user won't notice the sound of the fans.)
> > 10. A vulnerability is discovered (and fixed) and there is a blog post or something!
> >     The attacker is late to the party.
> > 11. Unfortunately for the user, the automatic upgrade does not fix the vulnerability
> >     on the user's system, as vulnerabilities are not patched on core-updates.
> 
> Note that the attacker doesn’t even need to do something as
> sophisticated as you describe: they can just tweak the repo such that
> the advertised tip of ‘master’ remains today’s commit for some time.

That would be the ‘indefinite freeze attack’.

unattended-service-type keeps a log somewhere I think? If for some reason the (very attentive) user decides to look at the log, they might find it suspicious that the same "guix" store item is used every time, and the attack could be detected. Diverting the user to a branch that is occasionally updated wouldn't raise such warnings.

(excerpt from my log)
# I need to fix my configuration ...
guix time-machine: error: Git error: failed to connect to localhost: Connection refused
[2021-05-03T16:10:19+0200] starting upgrade...
command "/gnu/store/6nfv48k5cjlg0d3my6i6mgzy0vqnd7g8-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/pm2ra4xkmahca79vpcjk8q0blxpi8pza-channels.scm" "--" "system" "reconfigure" "/gnu/store/a01pi7yx4zw88cijfr3ml4hl2pn29ncz-butterfly-config.scm" failed with status 1
guix time-machine: error: Git error: failed to connect to localhost: Connection refused
[2021-05-05T12:03:56+0200] starting upgrade...
command "/gnu/store/6nfv48k5cjlg0d3my6i6mgzy0vqnd7g8-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/pm2ra4xkmahca79vpcjk8q0blxpi8pza-channels.scm" "--" "system" "reconfigure" "/gnu/store/a01pi7yx4zw88cijfr3ml4hl2pn29ncz-butterfly-config.scm" failed with status 1
(end of excerpt)

The ‘indefinite freeze attack’ is a real attack, but not what I'm describing here.

> The blog post Leo mentioned discusses this problem and it’s not
> addressed per se. If specific users are targeted, as in your scenario,
> it could be hard to detect.
> 
> But then again, I’d argue it’s beyond our threat model: there are other
> ways, possibly easier, to target individuals.
‘We’ can extend the threat model and further restrict how an attacker could target individuals or groups. If you know of easier methods to target individuals, please tell, maybe ‘we’ can patch guix to thwart them as well. The existence of easier attack methods shouldn't stop us from stopping the more complicated and/or difficult attack methods.

> If we assume the attacker is not targeting specific individuals but
> rather the whole user base, the attack can still be carried out but it
> wouldn’t go undetected for long.

I would prefer that the attack cannot be carried out _at all_. Requiring "guix pull --allow-downgrades" after a diversion attack doesn't seem ideal.

> The “reference state log” mentioned in the blog post could help.
> It’s an interesting idea. It addresses the scenario you described
> (redirecting users to a different branch) but it doesn’t address the
> more general indefinite freeze attack.

I see ‘redirecting users to a branch they shouldn't use’ as a separate attack from the ‘indefinite freeze attack’. My proposed attack method was a mixture of both. The general ‘indefinite freeze attack’ doesn't seem solvable, but the more specific related attack ‘redirecting users to a branch they shouldn't use’ _is_ solvable. Not being able to solve the complete problem shouldn't stop ‘us’ from solving parts of the problem.

> I'm not sure it's worth focusing on this specific case.

I don't see how we could solve the ‘indefinite freeze attack’ in its full generality, but this specific case seems solvable.

> Something like the “reference state log” would
> help address the general case.
> 
> Thoughts?

I need to take a look at what this ‘reference state log’ is.

Greetings,
Maxime.
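An added example, not code from this bug thread or from Guix itself: a toy Python model of the two checks `guix pull` performs when authenticating a channel (every new commit signed by a key its parents authorize, and the new tip a descendant of the current commit), run over a constructed history that mirrors the scenario in the message, plus the "same store item every time" log heuristic Maxime mentions. Commit ids, key names, the `.guix-authorizations` contents and the log lines are all constructed; the real implementation is Guile code operating on Git objects and OpenPGP signatures, and which logged store item actually changes after a successful pull is an assumption of the example, not something the thread establishes.

```python
"""Toy model of Guix-style channel authentication and of the log heuristic
from the message above.  All commit ids, keys and log lines are constructed
for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    parents: tuple          # ids of parent commits
    signer: str             # key that signed this commit
    authorized: frozenset   # keys this commit's .guix-authorizations allows for children


def reachable(repo, start):
    """Ids of all commits reachable from `start` via parent links, inclusive."""
    seen, stack = set(), [start]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.add(cid)
        stack.extend(repo[cid].parents)
    return seen


def authenticate(repo, current, new_tip):
    """Return (ok, reason) for moving from `current` to `new_tip`.

    Two checks, in the spirit of `guix pull`: refuse anything that does not
    descend from `current` (no downgrades), and require every newly introduced
    commit to be signed by a key authorized by *all* of its parents.  Note
    what is absent: nothing ties `new_tip` to a particular branch name."""
    if current not in reachable(repo, new_tip):
        return False, "new tip does not descend from the current commit"
    for cid in reachable(repo, new_tip) - reachable(repo, current):
        commit = repo[cid]
        parent_auth = [repo[p].authorized for p in commit.parents]
        allowed = frozenset.intersection(*parent_auth) if parent_auth else frozenset()
        if commit.signer not in allowed:
            return False, f"{cid} signed by unauthorized key {commit.signer!r}"
    return True, "ok"


MAINT, ATTACKER = "maintainer-key", "attacker-key"
AUTH = frozenset({MAINT})
# Constructed history: A is where the user is; B is the real tip of master;
# C is a correctly signed commit on core-updates; X is an attacker's commit.
REPO = {
    "A": Commit(parents=(), signer=MAINT, authorized=AUTH),
    "B": Commit(parents=("A",), signer=MAINT, authorized=AUTH),
    "C": Commit(parents=("A",), signer=MAINT, authorized=AUTH),
    "X": Commit(parents=("A",), signer=ATTACKER, authorized=frozenset({ATTACKER})),
}


def scenarios(repo=REPO):
    """Outcome of the authentication check for each way the remote may answer."""
    return {
        "honest master (A -> B)": authenticate(repo, "A", "B")[0],
        "diverted to core-updates (A -> C)": authenticate(repo, "A", "C")[0],
        "indefinite freeze (A -> A)": authenticate(repo, "A", "A")[0],
        "forged commit (A -> X)": authenticate(repo, "A", "X")[0],
        "C offered to a user already at B": authenticate(repo, "B", "C")[0],
    }


# Constructed log in the shape of the unattended-upgrade excerpt above.
SAMPLE_LOG = """\
[2021-05-03T16:10:19+0200] starting upgrade...
command "/gnu/store/0000000000000000000000000000000a-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/0000000000000000000000000000000b-channels.scm" "--" "system" "reconfigure" "/gnu/store/0000000000000000000000000000000c-config.scm" failed with status 1
[2021-05-05T12:03:56+0200] starting upgrade...
command "/gnu/store/0000000000000000000000000000000a-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/0000000000000000000000000000000b-channels.scm" "--" "system" "reconfigure" "/gnu/store/0000000000000000000000000000000c-config.scm" failed with status 1
[2021-05-07T12:04:02+0200] starting upgrade...
command "/gnu/store/0000000000000000000000000000000a-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/0000000000000000000000000000000b-channels.scm" "--" "system" "reconfigure" "/gnu/store/0000000000000000000000000000000c-config.scm" failed with status 1
"""

GUIX_ITEM = re.compile(r'command "(/gnu/store/[^/"]+-guix-[^/"]+)/bin/guix"')


def stale_guix_item(log, runs=3):
    """Return the guix store item if the last `runs` upgrade attempts all used
    the same one (the "same store item every time" signal), else None."""
    items = GUIX_ITEM.findall(log)
    if len(items) >= runs and len(set(items[-runs:])) == 1:
        return items[-1]
    return None


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'accepted' if ok else 'REJECTED'}: {name}")
    print("stale guix item:", stale_guix_item(SAMPLE_LOG))
```

The three accepted cases are the point of the thread: the honest update, the diversion to C and the freeze all pass the same check, because the check only constrains signers and ancestry. The forged commit is rejected by the signer check, and C is rejected once the user has already reached B, which is why the diversion only works against users who are still behind C. The log heuristic is deliberately weak: it only says something if several consecutive runs used an identical item, which is exactly the signal that an occasionally updated branch like core-updates would not produce.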