guix-commits
36/66: programming-2022: Clarify intro commits and downgrade protection.


From: Ludovic Courtès
Subject: 36/66: programming-2022: Clarify intro commits and downgrade protection.
Date: Wed, 29 Jun 2022 11:32:01 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 97b4ebe6e7f7b5beafa3f0e2c65a370c8e08738b
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sat Jan 29 11:36:24 2022 +0100

    programming-2022: Clarify intro commits and downgrade protection.
    
    * doc/programming-2022/security.sbib: Add reference.
    * doc/programming-2022/supply-chain.skb: Tweak wording.
    (Establishing Trust): Clarify that only descendants of the introductory
    commits are valid, as per <https://issues.guix.gnu.org/53608>.
    (Downgrade Attacks): Mention branch teleport attacks that this does not
    protect against.
---
 doc/programming-2022/security.sbib    |  7 ++++
 doc/programming-2022/supply-chain.skb | 73 +++++++++++++++++++++--------------
 2 files changed, 52 insertions(+), 28 deletions(-)

diff --git a/doc/programming-2022/security.sbib 
b/doc/programming-2022/security.sbib
index 1a283e9..500966e 100644
--- a/doc/programming-2022/security.sbib
+++ b/doc/programming-2022/security.sbib
@@ -289,6 +289,13 @@ Thayer")
   (year "2021")
   (url "https://github.com/cryptidtech/git-cryptography-protocol";))
 
+(misc devos2021:diverted
+  (author "Maxime Devos")
+  (year "2021")
+  (month "May")
+  (url "https://issues.guix.gnu.org/48146";)
+  (title "Getting diverted to non-updated branches: a limitation of the 
authentication mechanism?"))
+
 (article peisert2021:solarwinds
   (author "S. Peisert, B. Schneier, H. Okhravi, F. Massacci, T. Benzel, C. 
Landwehr, M. Mannan, J. Mirkovic, A. Prakash, J. Michael")
   (journal "IEEE Security & Privacy")
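Review bot: the new `devos2021:diverted` entry uses the key cited by the paragraph this commit adds to supply-chain.skb and follows the author/year/url shape of the neighbouring `misc` entry, so nothing blocking; do check that the `title` string is a single line in the committed file, since it appears wrapped after `of the` here, which is most likely mail-archive wrapping rather than a literal newline inside the string (the same wrapping affects the `peisert2021:solarwinds` author list below).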
diff --git a/doc/programming-2022/supply-chain.skb 
b/doc/programming-2022/supply-chain.skb
index 6dac3cb..2630928 100644
--- a/doc/programming-2022/supply-chain.skb
+++ b/doc/programming-2022/supply-chain.skb
@@ -425,8 +425,8 @@ root of the package dependency graph, we have the GNU C 
Library (glibc),
 the GNU Compiler Collection (GCC), the GNU Binary Utilities (Binutils),
 and the GNU command-line utilities (Coreutils, grep, sed, Findutils,
 etc.)—all this written in C and C++.  How does one build the first GCC
-though?  Historically, distributions such as Debian would rely on
-previously-built binaries to build the new one: when GCC is upgraded, it
+though?  Historically, distributions such as Debian would informally rely on
+previously-built binaries to build the new ones: when GCC is upgraded, it
 is built using GCC as available in the previous version of the
 distribution.])
         
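Review bot: the number disagreement in the new text at `to build the new ones: when GCC is upgraded, it` should be resolved; the following clause keeps the singular `it is built using GCC`, so either keep `the new one` from the old line or make that clause plural as well. The added `informally` is a good precision, since the sentence describes a practice rather than a defined bootstrap procedure.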
@@ -487,7 +487,7 @@ question has to be approached from a different angle.])
 
       (p [Guix consists of source code for the tools as well as package
 definitions that make up the GNU/Linux distribution.  All this code is
-maintained under version control in a Git repository,(footnote (ref :url 
"https://git-scm.com";)).
+maintained under version control in a Git repository.
 To update Guix
 and its package collection, users run ,(tt [guix pull])—the equivalent
 of ,(tt [apt update]) in Debian.  When users run ,(tt [guix pull]), what
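Review bot: dropping the footnote also removes the stray comma in `Git repository,(footnote`, which is right, but it leaves this passage with no pointer to git-scm.com; if Git has no bibliography entry, consider keeping the URL in a `(ref :url ...)` at the first mention of Git, or accept that readers get no link. The line `To update Guix` now opens a sentence on its own short line; reflowing the paragraph would avoid an odd-looking diff next time.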
@@ -680,7 +680,7 @@ authorization invariant?])
         (image :file "images/commit-graph-intro.pdf"))
 
       (p [We solve this bootstrapping issue by defining ,(emph [channel 
introductions]).
-Previously, one would identify a channel simply by its URL.  Now, when
+Previously, one would identify a channel solely by its URL.  Now, when
 introducing a channel to users, one needs to provide an additional piece
 of information: the first commit where the authorization invariant
 holds, and the fingerprint of the OpenPGP key used to sign that commit
@@ -688,16 +688,18 @@ holds, and the fingerprint of the OpenPGP key used to 
sign that commit
 but it provides an additional check).])
 
       (p [Consider the commit graph on ,(numref :text [Figure] :ident
-"fig-commit-graph-intro").  On this figure, ,(it [B]) is the introduction 
commit.  Its
-ancestors, such as ,(it [A]), are considered authentic.  To authenticate, ,(it 
[C]),
-,(it [D]), ,(it [E]), and ,(it [F]), we check the authorization invariant.])
+"fig-commit-graph-intro").  On this figure, ,(it [B]) is the ,(emph 
[introductory commit]).  Its
+ancestors, such as ,(it [A]), are considered authentic.  To authenticate ,(it 
[C]),
+,(it [D]), ,(it [E]), and ,(it [F]), we check the authorization
+invariant.  Commits ,(it [G]) and ,(it [H]) are considered inauthentic
+because they are not descendants of the introductory commit, ,(it [B]).])
 
       (p [As always when it comes to establishing trust, distributing
 channel introductions is very sensitive.  The introduction of the
 official ,(tt [guix]) channel is built into Guix.  Users obtain it when
-they install Guix the first time.  Installation instructions instruct
+they install Guix the first time.  Installation instructions tell
 users to verify the provided OpenPGP detached signature on the tarball
-or ISO installation image they download.  This reduces chances of
+or ISO installation image they download.  This reduces the chances of
 getting the “wrong” Guix, following a trust-on-first-use (TOFU)
 approach.])
 
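Review bot: the term `introductory commit` is defined with `(emph ...)` here, but the preceding hunk still describes it only as `the first commit where the authorization invariant holds`; consider attaching the term at that first mention so the definition precedes its use. The new sentence on `G` and `H` gives a cleaner criterion (not descendants of `B`) than the explanation it replaces further down, so the figure legend for the red branch should state the same criterion if it currently explains it via the missing `.guix-authorizations` file.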
@@ -741,18 +743,16 @@ made by someone who is not in ,(tt 
[.guix-authorizations]).  To address
 this, someone publishing a fork advertises a new introduction for their
 fork, pointing to a different starting commit.])
 
-      (p [Last, channel introductions give a ,(emph [point of
+      ;; XXX: Pointless paragraph?
+      #;(p [Last, channel introductions give a ,(emph [point of
 reference]).  Assume an attacker attempts a ,(emph [teleport attack]) by
 modifying branch references on the server hosting the official
-repository ,(ref :bib 'torresarias2016:omitting).  They could change
-branch references so they point to unrelated commits, such as commits on
-an “orphan” branch that do not share any history with the “official”
-branches, but in that case, authentication will fail as it stumbles upon
-the first unauthorized commit made by the attacker.  In ,(numref :text
-[Figure] :ident "fig-commit-graph-intro"), the red branch with commits
-,(it [G]) and ,(it [H]) cannot be authenticated because it starts from
-,(it [A]), which lacks ,(tt [.guix-authorizations]) and thus fails the
-authorization invariant.]))
+repository so they point to commits of their choice ,(ref :bib
+'torresarias2016:omitting).  For such a change to (potentially) go
+undetected, the attacker must choose commits that (1) are descendants of
+the introductory commit, and (2) satisfy the authorization invariant.
+In other words, the attacker may only divert users to a development
+branch published by the project developers.]))
    
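Review bot: the `;; XXX: Pointless paragraph?` marker and the `#;` datum comment leave a freshly rewritten paragraph in the source that is never rendered; its content (an attacker can only divert users to a development branch published by the project developers) is now covered by the new paragraph in the Downgrade Attacks chapter, so either delete the dead paragraph or restore it without the comment, but not both. Note that with `#;` the `(p ...)` form is skipped while the final `)` on `branch published by the project developers.]))` still closes the enclosing form, so the file stays balanced.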
    (chapter :title [Downgrade Attacks] :ident "downgrade"
       
@@ -772,22 +772,24 @@ describe]) command prints that information:]
 
      (prog :class "small" :line #f [
 $ guix describe
-Generation 149  Jun 17 2020 20:00:14    (current)
-  guix 8b1f7c0
+Generation 201  Jan 12 2022 18:15:13    (current)
+  guix 0052c3b
     repository URL: https://git.savannah.gnu.org/git/guix.git
     branch: master
-    commit: 8b1f7c03d239ca703b56f2a6e5f228c79bc1857e
+    commit: 0052c3b0458fba32920a1cfb48b8311429f0d6b5
 ])
 
-[Thus, ,(tt [guix pull]), once it has retrieved the latest commit of the
-selected branch, can verify that it is doing a ,(emph [fast-forward update]) in
+[In other words, the ,(tt [guix]) command being used was built
+from commit ,(tt [0052c3b…]) of the official Git repository.
+Once ,(tt [guix pull]) has retrieved the latest commit of the
+selected branch, it can thus verify that it is doing a ,(emph [fast-forward 
update]), in
 Git parlance—just like ,(tt [git pull]) does, but compared to the
 previously-deployed Guix.  A fast-forward update is when the new commit
 is a descendant of the current commit.  Going back to the figure above,
 going from commit ,(it [A]) to commit ,(it [F]) is a fast-forward update, but 
going
 from ,(it [F]) to ,(it [A]) or from ,(it [D]) to ,(it [E]) is not.])
 
-      (p [Not doing a fast-forward update would mean that the user is
+      (p [Doing a non-fast-forward update would mean that the user is
 deploying an older version of the Guix currently used, or deploying an
 unrelated version from another branch.  In both cases, the user is at
 risk of ending up installing older, vulnerable software.  By default
@@ -795,6 +797,21 @@ risk of ending up installing older, vulnerable software.  
By default
 protecting from roll-backs.  Users who understand the risks can override
 that by passing ,(tt [--allow-downgrades]).])
 
+      (p [This does not protect against all forms of ,(emph [branch
+teleport attacks]) as described by Torres-Arias ,(emph [et al.]) ,(ref
+:bib 'torresarias2016:omitting).  Specifically, an attacker with access
+to the server hosting the Git repository could modify the reference of
+the ,(tt [master]) branch so that it points to an existing development
+branch that derives from ,(tt [master]).  Users running ,(tt [guix
+pull]) would upgrade to that branch without problems—it is a
+fast-forward update.  Development branches are usually infrequently
+merged with ,(tt [master]) and do not receive package security updates
+very often; consequently this attack could lead users to install
+outdated packages ,(ref :bib 'devos2021:diverted).  Users may not notice
+the attack because, as long as the branch is active, ,(tt [guix pull])
+would still retrieve new changes.  However, it would be difficult to
+hide from developers, which makes the attack less attractive.])
+
       (p [Downgrade prevention has been extended to system deployment.
 When deploying a system with ,(tt [guix system reconfigure]) or a fleet
 or systems with ,(tt [guix deploy]), the currently used channels are
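Review bot: the unchanged context line `or systems with ,(tt [guix deploy])` carries a typo, `a fleet or systems` for `a fleet of systems`; worth fixing while this paragraph is being touched. In the new paragraph, the closing claim that the attack `would be difficult to hide from developers` is asserted without a reason; one sentence (for instance that developers pushing to `master` would see the server's `master` diverge from their own history) would make the argument self-contained.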
@@ -1021,11 +1038,11 @@ that commit.  Additional options allow users to 
specify, for instance,
 the name of the branch where OpenPGP keys are to be found.])
 
         (p [This command can also authenticate ,(emph [historical
-commits])—signed commits that were made ,(emph [before]) a ,(tt
+commits])—signed commits made ,(emph [before]) a ,(tt
 [.guix-authorizations]) file was introduced in the repository.  In that
 mode, users must provide an authorization file that represents the
 static set of authorizations for all those commits whose parent(s) lack
-,(tt [.guix-authorizations]).  We found it useful to retroactively
+,(tt [.guix-authorizations]).  We found it useful to retroactively 
authenticate the
 history of the Guix repository, where commit signing became compulsory
 several years before this authentication mechanism was in place.])
         
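Review bot: the `+` line `,(tt [.guix-authorizations]).  We found it useful to retroactively ` differs from the `-` line it replaces only by a trailing space, so this is a whitespace-only change that should be dropped from the commit (or the trailing space removed) to keep the diff noise-free; the `signed commits made ,(emph [before])` change above it is fine.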
@@ -1035,7 +1052,7 @@ users could be gathered in a single place, once for all, 
such that users
 do not have to specify them every time.  Communicating introductions
 could also be simplified: the two twenty-byte strings above could be
 represented as a single 56-character base64 string, or as a QR code.
-For broad acceptance, the best option would be to integrate the
+For broad adoption, the best option would be to integrate the
 functionality in Git proper.]))
 
       (section :title [Evaluation]
