16/66: ccs-2021: Tweak "Related Work".
From: Ludovic Courtès
Subject: 16/66: ccs-2021: Tweak "Related Work".
Date: Wed, 29 Jun 2022 11:31:59 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit 807601bde27ac01be68595f20f764baac20f94c2
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu May 6 11:41:50 2021 +0200
ccs-2021: Tweak "Related Work".
Part of the changes were indirectly suggested by Maxime Devos in
<https://issues.guix.gnu.org/48146>.
---
doc/ccs-2021/supply-chain.skb | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index 685a725..bb4fad4 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -935,24 +935,26 @@ similar work that we are aware of in these two areas.])
(p [The Update Framework ,(ref :bib 'samuel2010:survivable) (TUF)
is a reference for secure update systems, with a well-structured
specification ,(ref :bib 'cappos2020:tuf-spec) and a number of
-implementations. Many of its goals are shared by Guix. Not all the
-attacks it aims to protect against (Section 1.5.2 of the spec) are
-addressed by what’s presented in this post: ,(it [indefinite freeze
-attacks]), where updates never become available, are not addressed
-,(emph [per se]) (though easily observable), and ,(emph [slow retrieval
-attacks]) are not addressed either. The notion of ,(emph [role]) is
-also something currently missing from the Guix authentication model,
-where any authorized committer can touch any files, though the model and
-,(tt [.guix-authorizations]) format leave room for such an extension.])
+implementations. Many of its goals are shared by Guix. Among the
+attacks TUF aims to protect against (Section 1.5.2 of the spec), the
+downgrade-prevention mechanism described in ,(numref :text [Section]
+:ident "downgrade") does not, ,(it [per se]), address ,(it [indefinite
+freeze attacks]) (more on that below).])
(p [However, both in its goals and system descriptions, TUF is
biased towards systems that distribute binaries as plain files with
-associated meta-data. That creates a fundamental impedance mismatch
-with the functional deployment model we described in ,(numref :text
-[Section] :ident "background"). As an example, attacks such as ,(emph
+associated metadata. That creates a fundamental impedance mismatch with
+the functional deployment model we described in ,(numref :text [Section]
+:ident "background"). As an example, attacks such as ,(emph
[fast-forward attacks]) or ,(emph [mix-and-match attacks]) do not apply
in the context of Guix; likewise, the ,(emph [repository]) depicted in
-Section 3 of the spec has little in common with a Git repository.])
+Section 3 of the spec has little in common with a Git repository. The
+spec also defines a notion of ,(emph [role]), but those roles do not
+match our distribution model. With the authentication model described
+in ,(numref :text [Section] :ident "authenticating"), any authorized
+committer can touch any file; the model and the ,(tt
+[.guix-authorizations]) format leave room for per-file authorizations,
+which could be a way to define fine-grain roles in this context.])
(p [Developers of OPAM, the package manager for the OCaml
language, adapted TUF for use with their Git-based package repository,
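Review bot: the rewrite drops the earlier admission that slow retrieval attacks are not addressed either (the removed lines "and ,(emph [slow retrieval attacks]) are not addressed either"); if that is still true, keep a clause for it, since a reader comparing against Section 1.5.2 of the TUF spec will look for it. Also, the new text marks attack names with ,(it [...]) ("indefinite freeze attacks") while the following paragraph keeps ,(emph [...]) ("fast-forward attacks", "mix-and-match attacks"); pick one markup for attack names across the section.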
@@ -990,9 +992,11 @@ users to pull an older commit or an unrelated commit. As
written above,
would fail to detect cases where metadata modification does not yield a
rollback or teleport, yet gives users a different view than the intended
one—for instance, a user is directed to an authentic but different
-branch rather than the intended one. The “secure push” operation and
-the associated ,(emph [reference state log]) (RSL) the authors propose
-would be an improvement.]))
+branch rather than the intended one. This potentially allows for ,(it
+[indefinite freeze attacks]), though these would likely be quickly
+detected. The “secure push” operation and the associated ,(emph
+[reference state log]) (RSL) the authors propose would be an
+improvement.]))
(chapter :title [Conclusion]
:ident "conclusion"
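Review bot: "though these would likely be quickly detected" is weaker than the removed wording "(though easily observable)" from the previous hunk and gives no reason; say what makes the freeze observable (users or maintainers noticing that no new commits arrive on the branch they were pointed to), otherwise the clause reads as hand-waving. Since the first hunk promises "more on that below" for the Guix downgrade-prevention mechanism, consider also making explicit here that being directed to an authentic but stale branch is exactly the case that mechanism leaves open, so the forward reference resolves unambiguously.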