Whonix / Gentoo-Port


Gentoo Updater: Find out if it passes the TUF Threat Model #10

Open adrelanos opened 9 years ago

adrelanos commented 9 years ago

The Update Framework (TUF) - Attacks and Weaknesses: https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md http://www.webcitation.org/6F7Io2ncN

(Made by similar people who created this research: http://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html which resulted as far as I understand in greatly improved package manager security in many distributions.)

Let's see how Gentoo scores there.

I am going to ask the TUF people, who are in my experience very friendly and helpful, for their opinion on their mailing list: https://groups.google.com/forum/#!forum/theupdateframework

> Your subscription request is pending.

Probably soon.

adrelanos commented 9 years ago

http://devmanual.gentoo.org/general-concepts/manifest/ says ebuild signing is supported, but not yet mandatory.

adrelanos commented 9 years ago

More info: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=3#webrsync-gpg

Older forum topic: http://forums.gentoo.org/viewtopic-p-6891626.html

Somehow confused me more than it helped. You know any more recent list of what has been implemented and what not?

martinholovsky commented 9 years ago

Nope, I even asked Gentoo developers at a meeting, and the outcome is that ebuilds are not signed now. If you like, I can try to contact some of them to see if there is any plan to improve this, or we can raise it as a feature request.

adrelanos commented 9 years ago

Yes, please do that.

adrelanos commented 9 years ago

It's also unclear to me how bad it is if ebuilds aren't signed. As long as the portage tree is signed and verified, it might not be a big issue, because then perhaps ebuilds are implicitly verified already (because maybe portage protects all the hash sums of all the files).

Best would be a list of attacks with comments on whether these are circumvented at the moment. (See TUF threat model.) With an overview of what advantage signed ebuilds would provide. Ideally a comparison table or so.

adrelanos commented 9 years ago

> Your subscription request is pending.
>
> Probably soon.

Sorry for the delay. Got some issues with my mail account. It has been posted now and is in moderation queue.

adrelanos commented 9 years ago

Here it is. They answered already.

Does Gentoo's updater pass the TUF threat model?: https://groups.google.com/forum/#!topic/theupdateframework/g-xQWq5aKpU

adrelanos commented 9 years ago

The answer to the original question of this ticket, "Does Gentoo's Updater pass TUF's threat model?", is probably no.

Quote Justin Cappos (references: professor; was involved in writing a paper that resulted in a grave improvement of package manager security. Probably a lot more great stuff I am not even aware of. But these references are already sufficient for my point "reason enough to take him seriously".):

> I took a quick look and think they still have the same basic signature / metadata setup as before. They seem to be signing the package metadata (with a GPG key), but do not seem to prevent rollback attacks, timeliness attacks, or handle key compromises securely.

In my interpretation, this is a very important security issue. Even more so when updating over Tor. A man-in-the-middle could run a rollback (downgrade) attack, then exploit the downgraded, vulnerable software. No matter what great hardening stuff Gentoo does, as long as this isn't fixed, I'd rather avoid Gentoo for anything security critical.

Vladimir Diaz (TUF) said he's going to contact Gentoo developers. Maybe they're interested to fix this and this will fix itself in time.
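To make concrete what "signing the metadata" does and does not buy you, here is an added example (not code from this issue, from Gentoo, or from TUF): a tiny client-side verifier that, beyond checking the signature on tree metadata, enforces the two TUF checks Cappos says are missing, a version that must never go backwards (rollback) and an expiry the client refuses to accept once passed (timeliness). The HMAC key, version numbers and timestamps are constructed stand-ins for a GPG-signed Manifest; the metadata layout is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signing key; a real tree would use a GPG key.
KEY = b"constructed-demo-key"


class UpdateRejected(Exception):
    pass


def sign(meta: dict) -> bytes:
    """Sign a canonical encoding of the metadata document (constructed scheme)."""
    canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canonical, hashlib.sha256).digest()


def verify_metadata(meta: dict, sig: bytes, trusted_version: int, now: int) -> int:
    """Return the version the client may now trust, or raise UpdateRejected."""
    # 1. Signature: the only check "signing the package metadata" provides.
    if not hmac.compare_digest(sign(meta), sig):
        raise UpdateRejected("bad signature")
    # 2. Rollback: a correctly signed but OLDER tree must be refused, otherwise
    #    a mirror or on-path attacker can replay it and downgrade the client.
    if meta["version"] < trusted_version:
        raise UpdateRejected(f"rollback: {meta['version']} < {trusted_version}")
    # 3. Timeliness: signed metadata carries an expiry, so the same attacker
    #    cannot freeze the client on a tree that is valid but months old.
    if now >= meta["expires"]:
        raise UpdateRejected("metadata expired")
    return meta["version"]


def demo() -> dict:
    """Run the verifier over four constructed metadata documents."""
    now, day, trusted = 1_700_000_000, 86_400, 42
    cases = {
        "current":  {"version": 42, "expires": now + 7 * day},  # accepted
        "rollback": {"version": 41, "expires": now + 7 * day},  # replayed old tree
        "stale":    {"version": 43, "expires": now - 1},        # signed but expired
    }
    results = {}
    for name, meta in cases.items():
        try:
            results[name] = verify_metadata(meta, sign(meta), trusted, now)
        except UpdateRejected as exc:
            results[name] = str(exc)
    tampered = dict(cases["rollback"])           # sign, then bump the version
    sig = sign(tampered)
    tampered["version"] = 99
    try:
        results["tampered"] = verify_metadata(tampered, sig, trusted, now)
    except UpdateRejected as exc:
        results["tampered"] = str(exc)
    return results
```

Note that steps 2 and 3 only work if the client persists the last trusted version and has a trustworthy clock; without that state a verifier cannot tell a replayed tree from a fresh one.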

adrelanos commented 9 years ago

@martincmelik and I thought that to solve this, one could modify emerge-webrsync or write an alternative to emerge-webrsync so it uses TUF.

emerge-webrsync source code: https://github.com/gentoo/portage/blob/master/bin/emerge-webrsync

adrelanos commented 9 years ago

Tagging reported-upstream, because...

> Vladimir Diaz (TUF) said he's going to contact Gentoo developers. Maybe they're interested to fix this and this will fix itself in time.

adrelanos commented 9 years ago

https://archives.gentoo.org/gentoo-portage-dev/message/94425239fcaedcee6c49ef398f12aa85

https://phabricator.whonix.org/T212#5691