* bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
@ 2021-05-01 21:40 Maxime Devos
2021-05-02 4:09 ` Leo Famulari
2021-05-05 20:34 ` Ludovic Courtès
0 siblings, 2 replies; 4+ messages in thread
From: Maxime Devos @ 2021-05-01 21:40 UTC (permalink / raw)
To: 48146
[-- Attachment #1: Type: text/plain, Size: 3279 bytes --]
Tags: + security
Hi guix,
Consider the following situation:
Premises:
1. There are no known security vulnerabilities known
to the attacker at the moment.
2. Thus, the attacker instead will try to trick the system
of the user into not updating, and exploit vulnerabilities
once they become known.
3. The user relies on unattended-service-type or similar for automatic upgrades.
4. The attacker can subvert the savannah repository, but cannot forge commit
signatures.
5. The user is at commit A. There is a correctly-signed commit C on, say, core-updates,
such that: C comes after A, but C is not yet in master for the foreseable future.
Method:
6. The attacker subverts savannah, replacing the tip of 'master' with 'C'.
To avoid detection, this subverted master is only served to the targetted users.
7. The targetted users' systems' unattended-service-type
do their equivalent of "guix pull && guix system reconfigure ...".
8. The targetted systems are now on core-updates, which does not receive timely
security updates.
9. On future automatic upgrades, the users' systems will stay on core-updates,
without any obvious indication something is wrong. (Aside from recompilations,
maybe the user's machine has 40GiB RAM, dozens of processors and sits in some
data centre where the user won't notice the sound of the fans.)
10. A vulnerability is discovered (and fixed) and there is a blog post or something!
The attacker is late to the party.
11. Unfortunately for the user, the automatic upgrade does not fix the vulnerability
on the user's system, as vulnerabilities are not patched on core-updates.
12. The attacker reads the blog post about the vulnerability on their own leisure,
and can take all time they need to exploit the users' systems.
Proposal for a fix:
13. Find a volunteer to actually implement this.
14. When creating branches that do not receive timely security updates,
such as wip-gnome, core-updates and staging, add a line
Authentication-Allow-Automatic-Follow: no (core-updates)
to the commit message.
15. When updating guix from a commit A to commit B, additionally verify
whether there exists a path from A to B that does _not_ have a
Authentication-Allow-Automatic-Follow: no [branch]
line. If no such path exists, bail out and tell the user something
like:
error: Refusing to switch to the branch 'branch'!
This usually means someone is trying to trick you into
not receiving timely security updates! Please report this
incident to #guix on freenode, or at bug-guix@gnu.org.
It is safe to simply run "guix pull" again later.
16. If there is a path from A to B that _does_ have a
Authentication-Allow-Automatic-Follow: no [branch]
line, and another path that does _not_ have such a line,
that means the branch has been merged, which is totally fine,
so no error message is required in that case.
17. This proposal assumes the attacker eventually gives up,
such that "guix pull" will work again before a vulnerability
is found (and exploited) on 'master'.
Greetings,
Maxime.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
2021-05-01 21:40 bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism? Maxime Devos
@ 2021-05-02 4:09 ` Leo Famulari
2021-05-05 20:34 ` Ludovic Courtès
1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2021-05-02 4:09 UTC (permalink / raw)
To: Maxime Devos; +Cc: 48146
On Sat, May 01, 2021 at 11:40:01PM +0200, Maxime Devos wrote:
> Tags: + security
>
> Hi guix,
>
> Consider the following situation:
Check this blog post and The Update Framework's concept of "indefinite
freeze attacks", which I think is what you are describing:
https://guix.gnu.org/en/blog/2020/securing-updates/
https://theupdateframework.io/ (check the "specification")
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
2021-05-01 21:40 bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism? Maxime Devos
2021-05-02 4:09 ` Leo Famulari
@ 2021-05-05 20:34 ` Ludovic Courtès
2021-05-06 8:19 ` Maxime Devos
1 sibling, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2021-05-05 20:34 UTC (permalink / raw)
To: Maxime Devos; +Cc: 48146
Hi Maxime,
Maxime Devos <maximedevos@telenet.be> skribis:
> 5. The user is at commit A. There is a correctly-signed commit C on, say, core-updates,
> such that: C comes after A, but C is not yet in master for the foreseable future.
>
> Method:
> 6. The attacker subverts savannah, replacing the tip of 'master' with 'C'.
> To avoid detection, this subverted master is only served to the targetted users.
> 7. The targetted users' systems' unattended-service-type
> do their equivalent of "guix pull && guix system reconfigure ...".
> 8. The targetted systems are now on core-updates, which does not receive timely
> security updates.
> 9. On future automatic upgrades, the users' systems will stay on core-updates,
> without any obvious indication something is wrong. (Aside from recompilations,
> maybe the user's machine has 40GiB RAM, dozens of processors and sits in some
> data centre where the user won't notice the sound of the fans.)
> 10. A vulnerability is discovered (and fixed) and there is a blog post or something!
> The attacker is late to the party.
> 11. Unfortunately for the user, the automatic upgrade does not fix the vulnerability
> on the user's system, as vulnerabilities are not patched on core-updates.
Note that the attacker doesn’t even need to do something as
sophisticated as you describe: they can just tweak the repo such that
the advertised tip of ‘master’ remains today’s commit for some time.
The blog post Leo mentioned discusses this problem and it’s not
addressed per se. If specific users are targeted, as in your scenario,
it could be hard to detect.
But then again, I’d argue it’s beyond our threat model: there are other
ways, possibly easier, to target individuals.
If we assume the attacker is not targeting specific individuals but
rather the whole user base, the attack can still be carried out but it
wouldn’t go undetected for long. The “reference state log” mentioned in
the blog post could help.
> Proposal for a fix:
> 13. Find a volunteer to actually implement this.
> 14. When creating branches that do not receive timely security updates,
> such as wip-gnome, core-updates and staging, add a line
>
> Authentication-Allow-Automatic-Follow: no (core-updates)
>
> to the commit message.
> 15. When updating guix from a commit A to commit B, additionally verify
> whether there exists a path from A to B that does _not_ have a
>
> Authentication-Allow-Automatic-Follow: no [branch]
>
> line. If no such path exists, bail out and tell the user something
> like:
>
> error: Refusing to switch to the branch 'branch'!
>
> This usually means someone is trying to trick you into
> not receiving timely security updates! Please report this
> incident to #guix on freenode, or at bug-guix@gnu.org.
>
> It is safe to simply run "guix pull" again later.
> 16. If there is a path from A to B that _does_ have a
>
> Authentication-Allow-Automatic-Follow: no [branch]
>
> line, and another path that does _not_ have such a line,
> that means the branch has been merged, which is totally fine,
> so no error message is required in that case.
It’s an interesting idea. It addresses the scenario you described
(redirecting users to a different branch) but it doesn’t address the
more general indefinite freeze attack. I’m not sure it’s worth focusing
on this special case. Something like the “reference state log” would
help address the general case.
Thoughts?
Thanks for thinking through it!
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
2021-05-05 20:34 ` Ludovic Courtès
@ 2021-05-06 8:19 ` Maxime Devos
0 siblings, 0 replies; 4+ messages in thread
From: Maxime Devos @ 2021-05-06 8:19 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 48146
[-- Attachment #1: Type: text/plain, Size: 5173 bytes --]
Ludovic Courtès schreef op wo 05-05-2021 om 22:34 [+0200]:
> Hi Maxime,
>
> Maxime Devos <maximedevos@telenet.be> skribis:
>
> > 5. The user is at commit A. There is a correctly-signed commit C on, say, core-updates,
> > such that: C comes after A, but C is not yet in master for the foreseable future.
> >
> > Method:
> > 6. The attacker subverts savannah, replacing the tip of 'master' with 'C'.
> > To avoid detection, this subverted master is only served to the targetted users.
> > 7. The targetted users' systems' unattended-service-type
> > do their equivalent of "guix pull && guix system reconfigure ...".
> > 8. The targetted systems are now on core-updates, which does not receive timely
> > security updates.
> > 9. On future automatic upgrades, the users' systems will stay on core-updates,
> > without any obvious indication something is wrong. (Aside from recompilations,
> > maybe the user's machine has 40GiB RAM, dozens of processors and sits in some
> > data centre where the user won't notice the sound of the fans.)
> > 10. A vulnerability is discovered (and fixed) and there is a blog post or something!
> > The attacker is late to the party.
> > 11. Unfortunately for the user, the automatic upgrade does not fix the vulnerability
> > on the user's system, as vulnerabilities are not patched on core-updates.
>
> Note that the attacker doesn’t even need to do something as
> sophisticated as you describe: they can just tweak the repo such that
> the advertised tip of ‘master’ remains today’s commit for some time.
That would be the ‘indefinite freeze attack’.
unattended-service-type keeps a log somewhere I think? If for some reason
the (very attentive) user decides to look at the log, they might find it suspicious
that the same "guix" store item is used everytime, and the attack could be detected.
Diverting the user to a branch that is occassionally updated wouldn't raise
such warnings.
(excerpt from my log) # I need to fix my configuration ...
guix time-machine: error: Git error: failed to connect to localhost: Connection refused
[2021-05-03T16:10:19+0200] starting upgrade...
command "/gnu/store/6nfv48k5cjlg0d3my6i6mgzy0vqnd7g8-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/pm2ra4xkmahca79vpcjk8q0blxpi8pza-channels.scm" "--" "system" "reconfigure"
"/gnu/store/a01pi7yx4zw88cijfr3ml4hl2pn29ncz-butterfly-config.scm" failed with status 1
guix time-machine: error: Git error: failed to connect to localhost: Connection refused
[2021-05-05T12:03:56+0200] starting upgrade...
command "/gnu/store/6nfv48k5cjlg0d3my6i6mgzy0vqnd7g8-guix-1.2.0-21.4dff6ec/bin/guix" "time-machine" "-C" "/gnu/store/pm2ra4xkmahca79vpcjk8q0blxpi8pza-channels.scm" "--" "system" "reconfigure"
"/gnu/store/a01pi7yx4zw88cijfr3ml4hl2pn29ncz-butterfly-config.scm" failed with status 1
(end of excerpt)
The ‘indefinite freeze attack’ is a real attack, but not what I'm describing here.
> The blog post Leo mentioned discusses this problem and it’s not
> addressed per se. If specific users are targeted, as in your scenario,
> it could be hard to detect.
>
> But then again, I’d argue it’s beyond our threat model: there are other
> ways, possibly easier, to target individuals.
‘We’ can extend the threat model and further restrict how an attacker could
target individuals or groups. If you know of easier methods to target
individuals, please tell, maybe ‘we’ can patch guix to thwart them as well.
The existence of easier attack methods shouldn't stop us from stopping the
more complicated and/or difficult attack methods.
> If we assume the attacker is not targeting specific individuals but
> rather the whole user base, the attack can still be carried out but it
> wouldn’t go undetected for long.
I would prefer that the attack cannot be carried out _at all_.
Requiring "guix pull --allow-downgrades" after a diversion attack
doesn't seem ideal.
> The “reference state log” mentioned in the blog post could help.
> It’s an interesting idea. It addresses the scenario you described
> (redirecting users to a different branch) but it doesn’t address the
> more general indefinite freeze attack.
I see ‘redirecting users to a branch they shouldn't use’ as a separate attack
from the ‘indefinite freeze attack’. My proposed attack method was a mixture
of both.
The general ‘indefinite freeze attack’ doesn't seem solvable, but the more
specific related attack ‘redirecting users to a branch they shouldn't
use’ _is_ solvable. Not being able to solve the complete problem shouldn't
stop ‘us’ from solving parts of the problem.
> I'm not sure it's worth focusing on this specific case.
I don't see how we could solve the ‘indefinite freeze attack’ in its full
generality, but this specific case seems solvable.
> Something like the “reference state log” would
> help address the general case.
>
> Thoughts?
I need to take a look at what this ‘reference state log’ is.
Greetings,
Maxime.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-06 8:20 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-01 21:40 bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism? Maxime Devos
2021-05-02 4:09 ` Leo Famulari
2021-05-05 20:34 ` Ludovic Courtès
2021-05-06 8:19 ` Maxime Devos
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).