[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Compromising Debian Repositories

On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
> Volker Birk:
> > On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
> >> That should help to defeat any kind of sophisticated backdoor on build
> >> machines.
> > Really?
> > How do you detect, if maintainer's patches contain backdoors?
> Someone else builds the same package (binary) and detects a different
> checksum. - That required deterministic builds.

There will be the correct checksum, if the maintainer of the package
does it. So no way to detect that with deterministic builds. And if
you're taking the build machine, you can inject “correct” checksums,

> > Attacks on the build process don't seem to be the hugest threats.
> Why not? Lets make up an example. And attacker only need to compromise
> the machine which builds the Apache server, doing so with a zero day the
> attacker bought, lets say thats 10.000 $ or 100.000 $ - within budget of
> three letter agencies and other criminals. An "investment". A
> compromised Apache who's SSL traffic has an added weakness by the
> backdoor is most profitable for economic espionage.

Yes, that's possible. But if I would be the intelligence service, I'd
better pay one of the maintainers. Job done.

> > Not to mention the build tool chains.
> Thats probably a separate issue.

Yes, and not a small one (it's a classic). If I would have the job at
the NSA, I for sure would invest a huge amount of effort to take GCC and
LLVM. What an impact!

pibit AG, Oberer Graben 4, 8400 Winterthur
mailto:vb@pibit.ch  Mobile +41 (79) 292 88 87

Attachment: pgpVLyPaCoy2m.pgp
Description: PGP signature

Reply to: