
security of distributing builds

Posted Mar 6, 2008 6:07 UTC (Thu) by pjm (subscriber, #2080)
Parent article: Proposal: Fedora@Home

There are some obvious security issues with trusting the build results of random users.  The
problem with building is that it takes about as long to check that the result is correct as it
does to do the work yourself.

The only workable scheme that springs to mind is to limit the users to those who can already
subvert the binaries by other means, which is (by design) quite a small number of people.
(Note that subverting a binary is harder to detect than subverting source code, so should
ideally exclude people whose only other means of subverting binaries is by subverting source
code.)

You can't use a trust criterion of "the person has always given correct builds in the past
when we've checked the results", because it's still worthwhile for a black-hat to send N
correct builds followed by 1 incorrect build, and one incorrect build of one object file
(indeed function) is all that's necessary.

A criterion of "N people give the same result" is problematic because (a) N needs to be large
enough to reduce the risk of collusion, whereas (b) it requires N-fold duplication of work (see
also the objection about the increased environmental cost of using extra CPU cycles).
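The two acceptance policies pjm argues about, modelled in a small added example (this code is not from the LWN thread or from the Fedora project). It assumes a constructed job with one correct output digest, an honest builder that always returns it, a "delayed-subversion" builder that returns correct digests for its first K jobs and a wrong one afterwards, and that quorum members are drawn independently from a pool in which a fraction p colludes, so the chance that all N picks collude is p**N. It shows the reputation policy accepting a wrong object as soon as the builder has earned trust, the quorum policy flagging the same object as a disagreement, and the quorum size (which is also the duplication factor) needed to push the collusion risk below a chosen bound.

```python
import hashlib
from typing import Dict, Optional


def digest(data: bytes) -> str:
    """Identify a build product by its SHA-256, as a verifier comparing builds would."""
    return hashlib.sha256(data).hexdigest()


# Constructed build outputs: the correct object and one with a single altered function.
CORRECT = digest(b"constructed object file: all functions intact")
SUBVERTED = digest(b"constructed object file: one function altered")


class DelayedSubversionBuilder:
    """Model of the builder pjm warns about: correct output for the first
    `good_runs` jobs, then a subverted object (constructed for this example)."""

    def __init__(self, good_runs: int):
        self.good_runs = good_runs
        self.jobs_done = 0

    def build(self, job: str) -> str:
        self.jobs_done += 1
        return CORRECT if self.jobs_done <= self.good_runs else SUBVERTED


def first_bad_accept_under_reputation(builder, threshold: int, jobs: int) -> Optional[int]:
    """Reputation policy: spot-check (rebuild locally) until a builder has passed
    `threshold` checks, then accept its results unchecked.  Returns the 1-based
    job number at which a wrong result is first accepted, or None if none was."""
    passed = 0
    for job_no in range(1, jobs + 1):
        result = builder.build(f"job-{job_no}")
        if passed >= threshold:
            if result != CORRECT:
                return job_no  # subverted object accepted without verification
        elif result == CORRECT:
            passed += 1  # spot check passed; a failed one would be caught here
    return None


def quorum_verdict(results: Dict[str, str], n: int) -> Optional[str]:
    """Quorum policy: accept a digest only if at least n builders reported it
    and none disagreed.  Any disagreement returns None, meaning the job must be
    rebuilt in a controlled environment, because the verifier cannot tell which
    side is wrong without doing the work itself."""
    if len(results) < n:
        return None
    distinct = set(results.values())
    if len(distinct) != 1:
        return None
    return distinct.pop()


def collusion_probability(p: float, n: int) -> float:
    """Chance that every one of n independently chosen builders colludes when a
    fraction p of the pool does (independent draws are an assumption)."""
    return p ** n


def min_quorum(p: float, max_risk: float) -> int:
    """Smallest n with p**n <= max_risk.  The same n is the duplication factor
    paid per job, which is the trade-off pjm describes."""
    if p <= 0:
        return 1
    n, risk = 1, p
    while risk > max_risk:
        n += 1
        risk *= p
    return n


if __name__ == "__main__":
    trusted_later = DelayedSubversionBuilder(good_runs=5)
    print("reputation policy accepts a wrong build at job",
          first_bad_accept_under_reputation(trusted_later, threshold=5, jobs=10))
    dissenter = DelayedSubversionBuilder(good_runs=0)
    results = {"honest-1": CORRECT, "honest-2": CORRECT, "volunteer": dissenter.build("job-1")}
    print("quorum verdict with one dissenter:", quorum_verdict(results, 3))
    for p in (0.01, 0.1, 0.5):
        print(f"colluding fraction {p}: quorum of {min_quorum(p, 1e-4)} keeps risk below 1e-4")
```

The quorum function deliberately treats any disagreement as a rebuild, not a majority vote: with only N results and no independent reference, a majority could itself be the colluding side, so the safe reaction is the one midg3t describes for interesting results, reprocessing in a controlled environment.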


(Log in to post comments)

Security of distributing builds

Posted Mar 6, 2008 12:07 UTC (Thu) by midg3t (subscriber, #30998)

No-one would seriously entertain the idea of allowing untrusted builds into the official software archive.

There are many cases when the potential for bad data to be returned is not much of a problem. For instance the grid could be used as an unofficial build farm with on-commit autobuilds. If there's a strange build failure then the first step would be to reproduce that failure in a similar environment. The release builds would still be done on more secure (controlled) machines.

Similarly, for scientific applications the aim might be to look for outliers (e.g. how SETI works); once again "interesting" results are always reprocessed in a controlled environment.

security of distributing builds

Posted Mar 20, 2008 7:22 UTC (Thu) by robbe (guest, #16131)

> There are some obvious security issues with trusting the build results of random users.

I, too, surmised from the name "Fedora@Home" that they are planning to offload some Fedora
build work onto users -- but nowhere in the announcement is this actually proposed. Seems just
to be a suboptimal project title...

security of distributing builds

Posted Mar 24, 2008 10:13 UTC (Mon) by pjm (subscriber, #2080)

I'm not sure what “announcement” robbe means, but the fourth paragraph of the parent article
mentions “Fedora users … contributing CPU
cycles towards things like builds…”; this is what I was replying to.

Copyright © 2008, Eklektix, Inc.