Security [LWN.net]

Code authenticity checking

By Nathan Willis
May 1, 2013

Cryptographically signed binary packages are mainstay of modern Linux distributions, used for verifying packages against both tampering and accidental corruption. But as ever fewer users need to compile their software from source, it is possible to forget that verifying the authenticity and integrity of binary packages depends first on the packagers' ability to verify the upstream source code. In April, Allan McRae posted an entry on his blog that looked at the verifiability of the source code releases made by a number of well-known projects, with less-than-perfect results.

McRae is a core Arch Linux developer, and he undertook his verifiability survey because Arch's packaging tool makepkg recently gained support for checking the PGP signatures of source files. Naturally, such verification is only possible when the source bundle includes a PGP signature, but McRae also looked at four other interrelated factors: whether or not the signing key can be easily verified as authentic, whether checksums for the source files are available, whether the checksums are signed, and whether the checksums are available on a different server than the one hosting the source files. This last criterion is a guard against a server compromise; if an attacker can replace the source files, he or she can also replace the checksum with one that matches the replacement source.

To provide a meaningful sample population for his survey, McRae looked at 63 "core" packages common to most Linux distributions. "For me, that basically means the packages required to build a fairly minimal booting system. This is essentially the package list from Linux From Scratch with a few additions that I see as needed …" His results are presented in a color-coded table; green cells indicate that a package meets all of the verification criteria, red indicates that no verification criteria pass, and yellow indicate some but not all criteria are met. Of the 63 packages examined, ten offered no means of verification and 14 others offered only partial verification.

The packages offering no verification mechanism are file, flex, iana-etc, isl, kbd, libarchive, pkg-config, procps, psmisc, and which. Those packages that partially meet the measured criteria fall into two basic categories, those that provide PGP signatures but have a difficult-to-verify key (gawk, groff, patch, sed, sudo, sysvinit, texinfo, and xz), and those that provide their checksum data on the same server as their files (bzip2, perl, tzdata, and zlib). In addition, gmp and less fell somewhere in between, providing a PGP signature, but making the public key or key ID available only on the same server as the source release.

To be sure, McRae's specific criteria and red/yellow/green assessments draw some rather arbitrary lines—as he observes, several of the projects have other means of verification available, and he admits that the definition of a "readily verifiable" key includes keys signed by keys that he trusts. But the aggregate picture is the important one: most of the packages are green (which is good news), but roughly 15% of them offer no source verification whatsoever (which is far from good). He also notes that the picture seems to rapidly deteriorate "as you move further away from this core subset of packages needed for a fairly standard Linux system".

Best practices

McRae's post was picked up on the oss-security mailing list, where the talk turned to how to establish a set of common guidelines for releasing source code with verifiable authenticity. Alan Coopersmith commented that X.org has received complaints asking it to do more, but without concrete suggestions. "If there was a common standard, with instructions, we'd be far more likely to spend the time to adopt it, than just a 'make signatures appear somewhere, in an unspecified format'". Eric H. Christensen concurred, saying he was interested in establishing a "best practices" recommendation for Red Hat—but, he asked, what really constitutes the best way to disseminate releases? A recommendation would advise against using MD5 for checksumming, he said, and although he favors PGP for signatures, perhaps it has its drawbacks as well.

Indeed, Alistair Crooks replied with a lengthy list of questions one might ask about a PGP-signed release, addressing everything from the key management practices employed by the signing entity to the options specified when generating the key itself (such as whether it is an RSA or DSA key and whether or not it requires a passphrase). A PGP signature proves only that a person with access to the signing key attests that the signed message had a particular value at a particular time, he argued, which does not provide much authentication:

So, all in all, what you have is a digest, signed by someone who knows the key, or who has access to the creds (if any) for the key, or who has found out the key creds, albeit with timestamp info for when the signature took place.

I'm not sure what using PGP gains us?

But the majority seemed to feel that PGP in fact provides quite a few gains. Nicolas Vigier and Florian Weimer both commented that key-continuity over multiple releases safeguards against a man-in-the-middle attacker replacing a release. Weimer noted that "hosting sites have been compromised, or serve their content exclusively over a mirror network which literally anyone can join." Kurt Seifried agreed, but acknowledged that the "real problem" with PGP is the cost of implementing it:

Key creation/storage/management/backup/etc is all non trivial and not free. Is the cost of this worth it?

I think if we are going to push this we need to come up with a pretty good set of guidelines that are easy to follow and implement.

Daniel Kahn Gillmor responded that even a simple "the release manager has the OpenPGP key for the project on the keyring of her personal development machine" workflow raises the bar for would-be attackers and would constitute an improvement for the numerous projects that do not currently sign their releases at all. But he still advocated producing guidelines:

I don't want us to spec out a byzantine ruleset that would put people off from *starting* to sign their releases. Maybe such a policy could break out the sophisticated stuff into the form of "baseline", "level 1", "level 2", etc.

That way we could encourage all projects to get to the "baseline" (which should be short and simple) without requiring them to "level up" right away (to offline key storage, key transition statements, etc).

He pointed to the existing OpenPGP best practices page at the Debian Grimoire wiki as an example.

For his part, McRae had comparatively simple goals in mind:

Despite PGPs limitations, what I really like to see when a release is made is a PGP signed release announcement email to the relevant mailing list with decent checksums and the file size in it. Bonus points if that email gets mirrored or at least archived on a different server than the source code. I figure for most open source software, a false release email would be spotted fairly quickly...

Identity cleft

Although a general consensus developed around the idea of crafting a "best practices" recommendation, Crooks's questions about the limitations of PGP signatures raised some valuable points—such as the importance of distinguishing between identity and trust. Some mistook his original email for a call to ditch PGP signatures on source releases, since they do not offer absolute security, but Crooks said that was a misinterpretation. "It's a bit disappointing that my advice (in pointing out ways that PGP can be worked around in order to diminish integrity and security) was categorised as an attack on PGP itself - I shall take that as a reminder that I should be more clear in what I write." Rather, he said, he hoped to "warn against the magic 'it's signed, so it's gospel' myth by pointing out the problems of key management."

The crux of Crooks's argument is that a PGP signature should not be trusted just because it is associated with a known identity (person or team of developers). As he elaborated in one message in the ensuing thread:

I don't know if you've ever done one of the key signing parties, where you get handed government id, and that is supposed to define someone's identity. It tells age, name, and ability to keep a dead pan face in front of a camera. It says nothing about how trust-worthy someone is, in the sense that I would compile/run software written by them.

Elsewhere in the same message, he noted:

I know lots of people who write software. Some of their personal lives are train wrecks. Some I wouldn't trust to sit the right way on a toilet seat. But, for various reasons, such as mentoring, peer-programming, peer review, stringent regression tests, personal audits of their work, or because of random audits, etc, I would trust the software they write.

In essence, this is an argument that the signer only earns trust by demonstrating their reliability over time. For individuals, the issue might be the quality of the software (as Crooks discussed above), but to trust the signature on a project's releases, more stringent requirements may be necessary. As he added later: "You actually know very little about the key before and after the signing took place; so you have no way of ascertaining whether the key has been used to sign other things fraudulently."

Add in Crooks's earlier questions about the key options and security on the machines used to sign releases, and proper key management, it would seem, remains an area where there is still work to be done. Crooks did reiterate his support for encouraging PGP signatures on all source releases; he simply cautioned that blind trust in the presence of a signature can lead to a false sense of security.

Then again, a campaign to persuade more upstream software projects to integrate easily-verified PGP signatures and out-of-band checksums into their release process has to start somewhere. There are practical challenges to consider, such as the role that popular hosting providers play in the build and release processes (Stuart Henderson noted that Github and Bitbucket dynamically generate tar archives, which complicates signing releases).

But convincing individual developers and release managers might be the best way to convince hosting services to adapt. Presumably few people enjoy seeing their project marked with the red "No verification available" label. It would certainly be informative to conduct a large-scale examination of McRae's criteria on other popular open source projects. Just over 38% of the core packages McRae examined could not be "readily validated"—a sizable minority, but a minority nonetheless; that gives one hope that the community in general takes source verifiability as a matter worth addressing.

Comments (11 posted)

Brief items

Security quotes of the week

Chase is committed to making your banking experience enjoyable, trouble-free, and, above all, safe. Which is why you should strike your computer with 20 to 25 forceful blows from a pipe wrench as soon as you reach international waters, toss the plastic and metal shards into the sea, and then immediately sink the ship you’re on. And then, once you dive to the sea floor, grab the scattered computer pieces, and shove them all inside living clams, you’ll be able to rest easy knowing you’re banking smarter and safer.

— The Onion (hat tip to Don Marti)

Patent trolls know this and as a result, they sue companies in droves and make settlement demands designed to maximize their financial take while making it cheaper and less painful to settle than to devote the resources necessary to defeat their claims. The current system lets them do so even with claims that are unlikely to prevail on the merits. That is because, whether win lose or draw, the rules effectively insulate trolls from negative consequences except perhaps a lower return than expected from any given company in any given case. They can sue on tenuous claims and still come out ahead. And so the broken system with its attendant leverage allows trolls to extract billions in blackmail from U.S. companies and, in the final analysis, consumers.

— Barnes & Noble pulls no punches (by way of Groklaw)

In the aftermath of the Boston bombings -- cameras were everywhere there -- which while horrendous and tragic, killed and injured fewer people than just a few days of "routine" gun violence here in the USA, we're hearing the predictable calls for vastly expanded government-operated video surveillance networks, even though virtually every study shows that while these systems may be useful in solving crimes after the fact, they are of little to no use in preventing crime or terrorism in the first place. This has proven true even in cities like London, where there's a camera focused on pretty much every individual pimple on each Londoner's face.

In some cities, like New York, the surveillance-industrial complex has its fangs deeply into government for the big bucks. It's there we heard the Police Commissioner -- just hours ago, really -- claim that "privacy is off the table."

— Lauren Weinstein

Comments (15 posted)

Mozilla: Protecting our brand from a global spyware provider

The Mozilla blog reports that Mozilla is using its trademarks to back up a cease-and-desist letter to Gamma International, the maker of the infamous FinFisher surveillance system. "We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy."

Comments (1 posted)

New vulnerabilities

clamav: multiple vulnerabilities

Package(s):

clamav

CVE #(s):

CVE-2013-2020 CVE-2013-2021

Created:

April 30, 2013

Updated:

June 21, 2013

Description:

From the clamav bug tracker entries [1, 2]:

Bug was in handling of UPX-packed executables. When checking for a skewed offset section, it would not rule out a possible skew value that was larger than the size of the PE section. Because of unsigned math, it would cause the resulting expected section size to rollover to exceedingly large values and try inappropriate heap reads.

Problem was in handling of encrypted PDF's. A specially crafted PDF could set a user-controlled length which is then used to allocate heap memory and then read length bytes off of the stack, potentially beyond the size of a static array.

Alerts:

SUSE	SUSE-SU-2014:1571-1	clamav	2014-12-05
Gentoo	201405-08	clamav	2014-05-16
Fedora	FEDORA-2013-10953	clamav	2013-06-21
Fedora	FEDORA-2013-10980	clamav	2013-06-21
openSUSE	openSUSE-SU-2013:0813-2	clamav	2013-05-21
openSUSE	openSUSE-SU-2013:0813-1	clamav	2013-05-21
Fedora	FEDORA-2013-8047	clamav	2013-05-16
Ubuntu	USN-1816-1	clamav	2013-05-03
Mageia	MGASA-2013-0132	clamav	2013-05-02
Mandriva	MDVSA-2013:159	clamav	2013-04-30
openSUSE	openSUSE-SU-2013:0883-1	clamav	2013-06-10
openSUSE	openSUSE-SU-2013:0881-1	clamav	2013-06-10

Comments (none posted)

glibc: denial of service

Package(s):

glibc

CVE #(s):

CVE-2013-1914

Created:

April 25, 2013

Updated:

August 22, 2013

Description:

From the Red Hat advisory:

It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash. (CVE-2013-1914)

Alerts:

Debian-LTS	DLA-165-1	eglibc	2015-03-06
Gentoo	201503-04	glibc	2015-03-08
Scientific Linux	SLSA-2013:1605-2	glibc	2013-12-03
Mageia	MGASA-2013-0340	glibc	2013-11-22
Oracle	ELSA-2013-1605	glibc	2013-11-26
Mandriva	MDVSA-2013:284	glibc	2013-11-25
Mandriva	MDVSA-2013:283	glibc	2013-11-25
Red Hat	RHSA-2013:1605-02	glibc	2013-11-21
Ubuntu	USN-1991-1	eglibc	2013-10-21
openSUSE	openSUSE-SU-2013:1510-1	glibc	2013-09-30
Fedora	FEDORA-2013-15053	glibc	2013-08-22
Mageia	MGASA-2013-0141	glibc	2013-05-09
Mandriva	MDVSA-2013:163	glibc	2013-05-07
Mandriva	MDVSA-2013:162	glibc	2013-05-07
Scientific Linux	SL-glib-20130425	glibc	2013-04-25
Oracle	ELSA-2013-0769	glibc	2013-04-25
CentOS	CESA-2013:0769	glibc	2013-04-24
Red Hat	RHSA-2013:0769-01	glibc	2013-04-24

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):

kernel

CVE #(s):

CVE-2013-3228 CVE-2013-3230 CVE-2013-3231 CVE-2013-3232 CVE-2013-3233 CVE-2013-3234 CVE-2013-3076 CVE-2013-3223 CVE-2013-3225 CVE-2013-1979 CVE-2013-3224 CVE-2013-3222

Created:

April 29, 2013

Updated:

July 19, 2013

Description:

From the Red Hat bugzilla entries:

[CVE-2013-3228]: Linux kernel built with the Asynchronous Transfer Mode(ATM) support is vulnerable to an information leakage flaw. It occurs when doing recvmsg(2) calls on the ATM PVC & SVC sockets.