Re: Compromising Debian Repositories

To: debian-security@lists.debian.org
Subject: Re: Compromising Debian Repositories
From: adrelanos <adrelanos@riseup.net>
Date: Sun, 04 Aug 2013 21:22:24 +0000
Message-id: <[🔎] 51FEC610.1080703@riseup.net>
In-reply-to: <[🔎] b31dba54-fd0c-11e2-a173-001cc0cda50c@msgid.mathom.us>
References: <[🔎] CAKhc=u4jKgHLdsXpTB2ecQ1T2CEv-AMa5geM6OqN+sgcYKnP8g@mail.gmail.com> <[🔎] 51FCCA78.5080604@riseup.net> <[🔎] 20130803101706.GA363@dingens.org> <[🔎] 51FCDDAA.3080208@riseup.net> <[🔎] 20130803112956.GA5775@dingens.org> <[🔎] 51FDC4C1.7050307@riseup.net> <[🔎] 85li4hx5b0.fsf@boum.org> <[🔎] 51FE0CF8.9090702@stranner.org> <[🔎] b31dba54-fd0c-11e2-a173-001cc0cda50c@msgid.mathom.us>

Michael Stone:
> On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
>> I think the real issue is about if the malicious patch is not part of
>> the source package
> 
> Why? It certainly makes your argument simpler if you arbitrarily
> restrict the problem set, but it isn't obvious that it makes sense. If I
> was going to backdoor something, I'd just make an innocent-looking
> coding error that would enable a successful exploit; I certainly
> wouldn't put in a commented section of code that says "backdoor here".
> With sufficient effort it wouldn't be hard to inject such a
> vulnerability that would go unnoticed for years--and

> I'm not sure why
> that's less of an issue than someone making a one-time build with a
> malicious patch that is not part of the source package.

An innocent-looking coding error requires a malicious maintainer.

A malicious patch not part of the source code can be done by any
adversary who compromised the build server. I think the latter is more
simple, risk free and anonymous.

Getting rid of possibilities for intentional innocent-looking coding
error is possible as well. First of all, how much security is the goal
vs required effort? Is pragmatic security, as in "no random script kiddy
can take down any Debian powered systems" sufficient or is it "we don't
want all the three letter agencies around the globe being always able to
remotely access any Debian system".

As far I know, only lower level programming languages such as assembler,
C and C++ open up for sophisticated intentional innocent-looking coding
errors, right? Bugs possibly leading to remote code execution are much
more obvious to spot in higher level languages such as python?

If that case and more than pragmatic security is the goal, the use of
lower level languages should be restricted to cases where other
solutions aren't possible (bootloader etc.). And frozen. So that the
code is 100% stable and vulnerability free after some time. It should be
possible in theory if our machines get more performance over time? I
think that would be quite painful to rewrite so many tools.

Are there any better solutions to the trusting trust issue? Or will the
fight against backdoors be lost at some point?

Reply to:

References:
- Compromising Debian Repositories
  - From: Daniel Sousa <daniel@sousa.me>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: Volker Birk <vb@pibit.ch>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: Volker Birk <vb@pibit.ch>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: intrigeri <intrigeri@debian.org>
- Re: Compromising Debian Repositories
  - From: Heimo Stranner <heimo@stranner.org>
- Re: Compromising Debian Repositories
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Compromising Debian Repositories
Next by Date: Re: Compromising Debian Repositories
Previous by thread: Re: Compromising Debian Repositories
Next by thread: Re: Compromising Debian Repositories
Index(es):
- Date
- Thread