Fedora and supply-chain attacks
The specter of more events like the SolarWinds supply-chain attacks is something that concerns many in our communities—and beyond. Linux distributions provide a supply chain that obviously needs to be protected against attackers injecting malicious code into the update stream. This problem recently came up on the Fedora devel mailing list, which led to a discussion covering a few different topics. For the most part, Fedora users are protected against such attacks, which is not to say there is nothing more to be done, of course.
The SolarWinds attacks subverted the normal update mechanism of various tools to install malware on systems throughout much of the US government; the malware then exploited other flaws to get access to email and other data. Huzaifa Sidhpurwala posted a message to the mailing list on June 11 wondering whether the rekor tool might be useful in helping to prevent similar attacks against Fedora. Rekor comes from the sigstore project that was announced by the Linux Foundation back in March.
Sigstore is meant as a mechanism to securely record cryptographic signatures of binaries, packages, container images, and similar build artifacts in a tamper-proof ledger. The project was founded by Red Hat, Google, Purdue University, and the Linux Foundation. The press release announcement outlines the problem being solved:
Very few open source projects cryptographically sign software release artifacts. This is largely due to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests. In turn, users are left to seek out which keys to trust and learn steps needed to validate signing. Further problems exist in how digests and public keys are distributed, often stored on websites susceptible to hacks or a README file situated on a public git repository. sigstore seeks to solve these issues by utilization of short lived ephemeral keys with a trust root leveraged from an open and auditable public transparency logs.
While it may well be true that the majority of projects on GitHub, GitLab, and other project-hosting sites are not signing their artifacts, that is not the case for most Linux distributions. For Fedora, RPM packages are signed and those signatures are checked by the DNF package manager. Other distributions have similar mechanisms. But there are still situations where some kind of external log of the signatures might be useful.
For example, if the Fedora signing keys were to ever be compromised or subverted, attackers could use the keys to sign malicious packages, which DNF would happily accept. But that means the attackers need to be positioned such that they can either intercept the DNF traffic (difficult with HTTPS) or tamper with the package repository. Even without a key compromise, a malicious (or compromised) package repository could hold back some updates to try to ensure that vulnerabilities in those packages continue to be present on the client systems. For the official Fedora mirrors, the metalink feature (originally added to Yum, the DNF predecessor) protects users by skipping mirrors that are more than three days behind in keeping up-to-date with the distribution's package updates.
In the posting, Sidhpurwala noted that Linux distributions, "which
are made of thousands of components built from sources
they [don't] even have control over
", are potentially more vulnerable
to supply-chain attacks because of that lack of control.
One way that might start to be addressed is to be able "to ensure that there is
no distribution point tampering of binaries shipped in Fedora
".
He wanted
Fedora developers to start thinking about how a tool like rekor might be
used to help prevent those kinds of problems. It would seem, though, that
there is no huge unfilled hole that an immutable log of package hashes
would solve, though there are use cases where it could perhaps be helpful.
Björn Persson wondered
what "distribution points" were meant: "Repository mirrors? The
master repository? mirrors.fedoraproject.org?
" He noted that
mirrors cannot modify packages (without the key), but that they could
perhaps withhold updates; "Is that a thing that Rekor could
prevent?
" The sigstore web site might have helped answer the latter
question, but it was not usable in his eyes:
On that page I can't see anything but a page header and a pointless animation. Even the text that is right there in the HTML code is hidden. Instead it wants me to execute a bunch of Javascript from at least three different domains. When a website expects me to execute some unknown program before they'll even tell me who they are or what they do, then I'm much more likely to just ignore that website.
That is, of course, a common complaint about JavaScript-only web sites these days, but it is perhaps a bit ironic that information about a security-related project is "hidden" in that way. In any case, Neal Gompa filled him in on sigstore, though Gompa was fairly dismissive of the project, at least so far. Persson had mentioned the ability to sign the repository metadata as another level of protection for Fedora, but Gompa complained that it has not been implemented for the Fedora repositories.
Gompa said that openSUSE signs its RPM repository metadata without any problems; in another message, he noted that CentOS added the feature in 2018. But Fedora infrastructure lead Kevin Fenzi pointed out that there have been numerous problems in trying to add the feature to Fedora along the way. But he is not opposed to doing so eventually:
I'm ok with enabling signed repodata when it is possible to do so and don't cause pain and suffering for our users. This has in fact always been my answer to this. It's not a priority for me personally because metalinks handle almost all the cases. The only things that would be improved by signed repodata are local mirrors that sync without checking for the mirror they sync from being up to date in mirrormanager.
Fenzi also described more of the details of the protection that is provided in the default case (where systems get their updates from the Fedora repository mirrors):
In the default configuration you get a metalink from mirrors.fedoraproject.org. That metalink has checksums for the last 2 repomd.xml files in it. If a mirror you go to then offers you a incorrect repomd.xml or any files (which are in turn checksumed in repomd.xml) dnf will treat the mirror as broken and skip to the next one.
So, assuming the Fedora keys are not compromised, which would allow an
attacker to sign anything as if it came from Fedora, of course, then the
majority of use cases are covered even without adding signed repository
data. Local mirrors, which are typically run by organizations to reduce
internet traffic and/or to support systems behind a restrictive firewall,
might need some additional features, however. (As Fenzi put it: "We
could do more for local mirrors indeed.
"
But, however unlikely it is, there is always a non-zero probability of a signing key compromise; folks unwinding a catastrophic event of that nature might find a log like that created by rekor to be of some use. Luke Hinds, who is the security engineering lead for Red Hat, described how that could work:
Rekor is a transparency log that stores signing manifests into a merkle tree, it uses the same back end technology as certificate transparencyRekor has what are termed 'types' that allow it to ingest custom schemas and hash those into the transparency log. For those that don't know, a transparency log is immutable / append only datastore that is publicly auditable. One of the types we have is an rpm type to ingest and store signing materials from an RPM package.
Why is this useful? You get a timestamped / tamper resistance record of all signing events. This is very useful for understanding the exact blast radius of a key compromise and monitoring for suspicious events. Most of the time you will not interact with the tlog, it would sit off to side hashing in entries, so it would make no changes to a maintainers working flow or not being in any build path where it could cause an outage. It's the sort of system most would not be aware of, unless something awful happens, and then it has a lot of value, as you have an immutable record of events.
The "not being in any build path
" part was confusing
and Hinds walked
that part back, but the idea is interesting, though it may be of
limited utility. If the Fedora build infrastructure were set up to
record all of its legitimate signing activities in the log, any package
with a valid signature that did not appear there would be a red flag indicating a key
compromise. That, of course, assumes that the attacker cannot also add
entries to the log, which may or may not be the case.
As Miloslav Trmac
pointed
out, though, the rekor log may not actually provide anything new:
"[...] any other logging solution
from that build/signing system (just send it to a write-only log host)
would have very similar security properties, it seems to me.
" In
order for it to be truly useful, Trmac said
in a follow-up, clients would need to query the log before installing
an RPM to ensure that it is on the list. But, of course, an attacker who
can create malicious packages with valid signatures may well be able to use
the same machinery to add a log entry. Beyond that: "Given the above discussion
about signing metadata,
presumably a much smaller change, what makes such a Rekor integration more
likely to get done?
", Trmac asked.
If rekor (or something like it) is truly going to be useful for Fedora, it would seem that a clearer picture of what kinds of threats it would target—and how it would be superior to the existing protections—is needed. It sometimes seems that blockchain-type mechanisms (broadly defined) can be seen as a solution in search of a problem. While sigstore may well have applications for other types of projects—supply-chain attacks are real and dangerous, after all—Linux distributions may not be a good fit for this kind of tamper-proof log. Distribution security is not perfect, by any means, but the developers on those projects have been grappling with these kinds of problems for a really long time at this point. For Fedora, it probably makes more sense to try to fill in some of the holes that have been identified before climbing up on the Merkle-tree craze.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
| Security | Supply chain |
Posted Jun 17, 2021 0:09 UTC (Thu)
by martin.langhoff (subscriber, #61417)
[Link] (4 responses)
Within the distro, packages are signed. The interesting questions are, IMHO, in the adjacent spots, for example:
- Upstream sources - Fedora's machinery, mediated through fedpkg, tracks the hash of the upstream tarball the maintainer imported. But many upstreams don't sign their release tarballs, so the maintainer can't really guarantee it's content.
Posted Jun 17, 2021 2:12 UTC (Thu)
by jccleaver (guest, #127418)
[Link] (1 responses)
Of course, anyone who makes a tarball can post a checksum of it, but if the checksum and download is posted on the same web page, or are files downloaded from the same directory, then it's likely that there's a common hack mode between them.
What's really needed are out-of-band mechanisms for transmitting and recording this information. Having checksums on a separate site is a nice step, but a scheme that had checksums for objects as a TXT record in DNS would be a lot more trustable, if there were a standard for looking at them.
Posted Jun 17, 2021 21:23 UTC (Thu)
by tchernobog (guest, #73595)
[Link]
Posted Jun 18, 2021 14:09 UTC (Fri)
by lsl (subscriber, #86508)
[Link] (1 responses)
Why not? The images distributed by Fedora come with a signed checksums file and instructions on how to verify.
https://alt.fedoraproject.org/en/verify.html
What's missing?
Posted Jun 28, 2021 13:05 UTC (Mon)
by immibis (subscriber, #105511)
[Link]
Posted Jun 17, 2021 2:07 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
The traditional purpose of certificate transparency, in the context of HTTPS, is not to prevent fraudulently-obtained HTTPS certificates from appearing to be valid. Rather, it is to ensure that fraudulently-obtained HTTPS certificates are logged. This then provides three major benefits:
1. The legitimate owner of the certificate and/or the CA can monitor the logs, which are always public, and immediately revoke any certificates which they do not recognize, as well as rotating any keys which might plausibly have been compromised as part of the attack (e.g. including keys which are used to encrypt other keys).
This article seems to suggest that everyone is focusing entirely on benefit #2 and ignoring #1 and #3. But both #1 and #3 are (mostly) applicable in this context: We would like to know immediately if keys have been compromised, and while I doubt that anyone holding a Fedora signing key is actually malicious, reducing the amount of unilateral power held by such people can only improve the security of the system as a whole.
Posted Jun 17, 2021 17:26 UTC (Thu)
by lhinds (guest, #152836)
[Link]
Posted Jun 17, 2021 9:15 UTC (Thu)
by Foxboron (subscriber, #108330)
[Link] (16 responses)
If you do provide reproducible builds rekor becomes a natural extension of the infrastructure because you could (in theory) validate the log entries and also query independent rebuilders to gather some consensus what you are download is good or not. Then what do you get? You can record signing events and also sign git repository operations to have a complete view of what went into each repository and the outputs. You can also independently verify each of the produced artifacts.
This would have prevented the recent PHP compromise, among other supply-chain attacks.
As a side-note I did also write a transparency log monitor for the kernel.org repositories. Imagine if we could have this for all F/OSS projects?
Posted Jun 17, 2021 15:31 UTC (Thu)
by amacater (subscriber, #790)
[Link] (12 responses)
Fedora should take part in the Reproducible Builds project - it would give me a little
Posted Jun 18, 2021 12:05 UTC (Fri)
by Conan_Kudo (subscriber, #103240)
[Link] (11 responses)
What do you hope to gain from Fedora participating? Fedora does not have the same problems that Debian has: a lack of build records, a lack of input records, a lack of input trust, a lack of output trust. Fedora already requires upload of sources to a version control system that are checksummed with a cryptographically strong checksum (SHA-512). Those sources are the only sources allowed to be used as build inputs. Additionally, all the build environment inputs are only the things archived in the build system, which those things were built in the system with all the information of how they built was recorded too. Each build in the build system can be replayed exactly with all the inputs that were used the first time, as all the inputs are recorded as metadata in the build system that can actually be used, since all the content to reconstruct the build environment is preserved. The only thing Fedora isn't actively doing is turning on the flags to squash all the timestamp stuff, which could be done if anyone was interested in doing so, but everyone just complains without stepping up. We already have
Posted Jun 18, 2021 13:10 UTC (Fri)
by ballombe (subscriber, #9523)
[Link] (5 responses)
One still have to trust the computers than run the build system.
Posted Jun 18, 2021 13:19 UTC (Fri)
by Conan_Kudo (subscriber, #103240)
[Link] (4 responses)
Posted Jun 18, 2021 15:16 UTC (Fri)
by ballombe (subscriber, #9523)
[Link]
Could you elaborate ? What is missing ?
Posted Jun 18, 2021 16:35 UTC (Fri)
by mw_skieske (guest, #144003)
[Link] (1 responses)
This is just not true at all.
Let me give you an example:
Build Systems can get hacked (they are high value targets). So maybe I trust the software which is assembled into an operating system but I don't trust the assembly process? reproducible builds allow me to double check this step, no?
It is also possible, maybe even more likely, that an intruder would _not_ infect the complete fedora infrastructure, because targeted and contained attacks are much more like to be noticed later than a huge range of owned systems for no good reason.
you are imho conflating software sourcecode, a build system, the people and process running the build system, the people maintaining the packages inside fedora and the complete assembled result (fedora images) into one process, which imho is a mistake.
These are all very distinct entitys which sometimes sure do overlap but really are not the same.
These entities have varying personal attack surfaces and security processes implemented.
there are unpaid maintainers, paid maintainers, professionally run infrastructure by paid teams in red hat and a student packaging his own software.
It would be pretty naive imho to all lump this together, when talking about attack surface and threat modelling.
kind regards
Sven
Posted Jun 24, 2021 18:40 UTC (Thu)
by zuki (subscriber, #41808)
[Link]
I generally would love to see an effort for build reproducibility in Fedora, but this comment is essentially wrong. In Fedora, a maintainer (any maintainer), can only instruct the official build system to build a package from "dist-git", i.e. the package version control system. While all packagers push to dist-git, only the official infra managed by (essentially) "paid teams in red hat" is what actually builds the packages. For reproducible builds, we would record the inputs to the package builds and the build results, so build reproducibility would cover the part where already only this very small group of infra team members has access.
Actually we already record the inputs (every build must correspond to exactly one commit in dist-git and commits from which builds were made are forever public, and the exact list of packages used during build is recorded), and the outputs are recorded too (any build artifacts which were ever officially distributed are available). For Fedora, build reproducibility would mean that we would make an effort to make the builds bit-for-bit repeatable and maybe provide the build metadata (which is already being recorded) in a more standarized format. A "student packaging their own software" would have a much input to this system as they have now.
Posted Jun 19, 2021 11:20 UTC (Sat)
by Foxboron (subscriber, #108330)
[Link]
That is not true. Debian saves buildinfo files which can be used to replay exact build environments. And it works! My master thesis was all about rebuilding Debian packages for bit-by-bit identical packages using `srebuild` and stuffing them into a transparency log.
https://salsa.debian.org/reproducible-builds/debian-rebui...
Posted Jun 18, 2021 13:32 UTC (Fri)
by amacater (subscriber, #790)
[Link] (2 responses)
Posted Jun 18, 2021 13:35 UTC (Fri)
by rahulsundaram (subscriber, #21946)
[Link] (1 responses)
Hmm. That's not what the announcement says.
Posted Jun 18, 2021 13:43 UTC (Fri)
by amacater (subscriber, #790)
[Link]
Posted Jun 18, 2021 17:56 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Jun 18, 2021 20:30 UTC (Fri)
by alogghe (guest, #6661)
[Link]
https://guix.gnu.org/manual/en/html_node/Invoking-guix-ch...
That's a pretty great artifact of a reproducible build system that the end user has full access to...
Posted Jun 17, 2021 15:40 UTC (Thu)
by smoogen (subscriber, #97)
[Link] (2 responses)
[I am not against reproducible builds but in this case, if I were a malefactor I would use it for my advantage versus be worried about it stopping me.]
Posted Jun 17, 2021 17:29 UTC (Thu)
by Foxboron (subscriber, #108330)
[Link] (1 responses)
>The general attack point for supply chains is the source code and not the binaries as the problem is my taking over someone's github, or getting upload rights to pypy/cpan/npm/etc.
Citation needed. Most prominent attacks, even the one mentioned in this article, are attacks at the distribution site, not source code repositories. Solarwinds would have been countered by reproducible builds. Same with Linux Mint getting their ISOs compromised a few years ago.
Pypy, cpan and npm are also independent of the forge. If you can reproduce the expected tarball then any attacks towards these can be detected. This means most of the "subversive tarball" compromises you have seen from NPM would be addressed by reproducible builds.
But lets ignore that and just address the argument :)
Transparency Logs and Reproducible Builds compliment each other. Each of these things separately deals with different aspects of the supply-chain. But you are also moving the goal post, which is easy to do. Let me help you!
Even if you *do* secure the source-code repositories, how do you protect against a subversive compilers? Trusting trust attacks are not covered by neither reproducible builds, transparency logs or a secure source-code repository. They sit one level below.
Does this mean we should ignore all the other challenges and focus on this one problem? Not at all! We should address each of these issues as any one of these improvements do give you a more secure ecosystem, even if just a tiny bit.
(And before someone starts mentioning subversive compilers I do recommend reading up on what the community has been capable of achieving with the GNU Mes C compiler, https://dwheeler.com/trusting-trust/#real-world. We are close to actually being able to address large parts of the chain.)
Posted Jun 18, 2021 12:11 UTC (Fri)
by Conan_Kudo (subscriber, #103240)
[Link]
Most compromises are in source-based "distribution centers" (PyPI, NPM, Packagist, etc.). It's relatively rare for binary ones to be successfully attacked, because those are usually better defended with integrity checks and such.
Fedora and supply-chain attacks
- Build servers - koji, etc. Not sure how that infra is built and maintained.
- VM and Container images built from Fedora packages -- here, it is not possible today to fully validate that a VM or container image claiming to be based on Fedora is actually what it claims to be.
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
2. If the legitimate owner of the certificate is not paying attention, and the attack progresses to a later stage, the CT logs can at least provide some explanation of what happened and when.
3. It reduces the amount of trust which has to be placed on the CA. The CA cannot simply go around issuing whatever certificates they like, because those certificates must appear in the CT log to be valid, and once they do, the legitimate owners can complain to the CA/B.
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
more happiness around the way that Fedora is built and the expertise would probably
also help the other distributions. Fedora certainly stands comparison with Debian in
terms of size and degree of difficulty.
Fedora and supply-chain attacks
Fedora should take part in the Reproducible Builds project - it would give me a little more happiness around the way that Fedora is built and the expertise would probably also help the other distributions. Fedora certainly stands comparison with Debian in terms of size and degree of difficulty.
SOURCE_DATE_EPOCH set on the latest timestamp in the RPM changelog to allow projects to build "reproducibly" when packages are building. There are other "reproducible builds" flags in RPM that aren't turned on yet only because nobody has cared to do something in the face of this information on how Fedora builds work.Fedora and supply-chain attacks
... that Debian had before moving to source-only uploads.
I do not see how the situation between Fedora and Debian is different now.
The Debian build system does not have the kind of capability to replay exact build environments. And there's no reasonable way you can consider the build system servers as non-trusted. Otherwise you'd have to consider the distribution itself as untrusted. That's silly, because you fundamentally have to run everything on the operating system anyway.
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
https://manpages.debian.org/testing/dpkg-dev/deb-buildinf...
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Just imagine that Fedora build hosts are infected with malware that inserts itself into compiled binaries. How would you detect it?
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Fedora and supply-chain attacks
Citation needed. Most prominent attacks, even the one mentioned in this article, are attacks at the distribution site, not source code repositories. Solarwinds would have been countered by reproducible builds. Same with Linux Mint getting their ISOs compromised a few years ago.