From: Ludovic Courtès
Subject: 10/66: ccs-2021: Improve "Rationale" section.
Date: Wed, 29 Jun 2022 11:31:58 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit b65de521258726d5db232b615eafa763f37afd7c
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon May 3 12:19:00 2021 +0200
ccs-2021: Improve "Rationale" section.
---
doc/ccs-2021/security.sbib | 6 ++++++
doc/ccs-2021/supply-chain.skb | 35 +++++++++++++++++++++--------------
2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index edc7ab3..4f432a1 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -157,6 +157,12 @@ Thayer")
(year "2021")
(url
"https://github.com/bitcoin/bitcoin/tree/master/contrib/verify-commits"))
+(misc fsf2010:compromise
+ (author "Free Software Foundation")
+ (title "Savannah and www.gnu.org Downtime")
+ (year "2010")
+ (url "https://www.fsf.org/blogs/sysadmin/savannah-and-www.gnu.org-downtime"))
+
#|
(defun skr-from-bibtex ()
"Vaguely convert the BibTeX snippets after POINT to SBibTeX."
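Review bot: the new `fsf2010:compromise` entry carries only a year and a URL; since it points at a blog post rather than an archival publication, consider adding a note with the access date (the same applies to the `verify-commits` entry just above it, which this one mirrors). Otherwise the entry follows the `(misc ...)` form used elsewhere in the file, and its key is the one the `supply-chain.skb` hunk references.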
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index 0da1814..d1c0b53 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -314,18 +314,26 @@ maintained under version control in a Git repository. To
update Guix
and its package collection, users run ,(tt [guix pull])—the equivalent
of ,(tt [apt update]) in Debian. When users run ,(tt [guix pull]), what
happens behind the scene is equivalent to ,(tt [git clone]) or ,(tt [git
-pull]). There are many ways this can go wrong. An attacker can trick
-the user into pulling code from an alternate repository that contains
-malicious code or definitions for backdoored packages. This is made
-more difficult by the fact that code is fetched over HTTPS from Savannah
-by default. If Savannah is compromised as happened in 2010,(footnote
-[https://www.fsf.org/blogs/sysadmin/savannah-and-www.gnu.org-downtime]),
-an attacker can push code to the Guix repository, which everyone would
-pull. The change might even go unnoticed and remain in the repository
-forever. An attacker with access to Savannah can also reset the main
-branch to an earlier revision, leading users to install outdated
-software with known vulnerabilities—a ,(emph [downgrade attack]). These
-are the kind of attacks we want to protect against.]))
+pull]).])
+
+ (p [There are several ways this update process can lead users to
+run malicious code. An attacker could trick the user into connecting to
+an alternate repository that contains malicious code or definitions for
+backdoored packages. This is made more difficult by the fact that code
+is fetched over HTTPS by default, which allows clients to authenticates
+the server they are connecting to. However, server authentication is of
+no use when the server hosting the repository is compromised, as
+happened to GNU’s Savannah in 2010 ,(ref :bib 'fsf2010:compromise).])
+
+ (p [An attacker who gained access to the server hosting the Guix
+repository with can push code, which every user would then pull. The
+change might even go unnoticed and remain in the repository forever.
+They may also reset the main branch to an earlier revision, leading
+users to install outdated software with known vulnerabilities—a ,(emph
+[downgrade attack]); the attacker may also change the main branch
+reference so it points to a different branch, containing new malicious
+code—a ,(emph [teleport attack]) ,(ref :bib 'torresarias2016:omitting).
+These are the kind of attacks we want to protect against.]))
(chapter :title [Authenticating Git Checkouts]
:ident "authenticating"
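Review bot: two typos in the added paragraphs: "which allows clients to authenticates the server" should read "authenticate", and "An attacker who gained access to the server hosting the Guix repository with can push code" has a stray "with". Since this is the rationale for the whole paper, it may also be worth stating explicitly that the downgrade and teleport attacks work without forging anything: resetting the main branch to an earlier revision or pointing it at another branch only moves a reference, so every commit the user ends up with can still be validly signed. That makes the reader see up front why signed commits alone are not the answer, which the next chapter builds on.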
@@ -351,8 +359,7 @@ by their cryptographic content hash (SHA-1); the contents
of a revision,
,(it [trees]) in Git parlance, as well as all other kind of data stored
in a Git repository, are all content-addressed.])
- (p [Git supports ,(emph [signed commits]),(footnote
-[https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work]). A signed
+ (p [Git supports ,(emph [signed commits]). A signed
commit includes an additional header containing as ASCII-armored OpenPGP
signature computer over the other headers of the commit. Checkout
authentication requires cryptographically signed commits. By signing a
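Review bot: dropping the git-scm footnote leaves "signed commits" without any reference; the FSF link in this same commit was turned into a bib entry, so the Git book chapter (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) could get the same treatment rather than being removed outright. While this paragraph is being touched, the unchanged context has two typos worth fixing: "containing as ASCII-armored OpenPGP signature computer over the other headers" should read "containing an ASCII-armored OpenPGP signature computed over the other headers".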