In <[🔎] 201011090408.16027.jesus.navarro@undominio.net>, Jesús M. Navarro wrote: >Hi, Boyd: >On Tuesday 09 November 2010 03:39:58 Boyd Stephen Smith Jr. wrote: >> In theory, it could be possible for dpkg/apt to update the tripwire >> database automatically. I recommend against it, since then subverting >> dpkg/apt allows an attacker to subvert tripwire. Because of different >> focuses, I think the tripwire code is much harder to subvert than the >> dpkg/apt code. > >Well, dpkg/apt should trigger a tripwire hash recomputation and it should be >tripwire the one to look after the proper debsum and being instructed to >accept it prior to update the database (or not), not the other way around. >I think that should restrict the attack profile. After all, tripwire >wouldn't do nothing you wouldn't do by hand anyway. Updating the tripwire database requires it do be re-signed with the local key. Doing so generally requires the passphrase to unlock (decrypt) the key. If you script away the passphrase entry, by storing the passphrase (or key!) unencrypted, you significantly reduce the protection afforded by tripwire against local privilege escalation attacks. That said, it might be possible to use hooks (ala apt-listbugs, but much more complex) to have dpkg/apt trigger tripwire for certain files and have tripwire ask for the key in the order manner. It's non-trivial to get right, though. For me, running (tripwire --check -I) immediately after a package update keeps the exploitation window sufficiently small. A dedicated attacker could probably root me, but it is likely to be sufficiently troublesome that it is not worth it for my data. The attack I am imagining is to use modify dpkg, the apt trustdb, and apt settings, to "plant" a dpkg, apt, and debian-keyring "upgrade" that is malicious. If I installed the upgrade(s) before running a tripwire check, the original modifications would be lost in the "noise" of the package upgrades displayed by (tripwire --check). Still, that depends on me doing the "upgrade" before my nightly tripwire cron job; rather unlikely since both it and my packages-that-need-upgrages cron job run during a time when I am asleep. An alternative attack would be to modify a binary/library that I might believe is part of a valid upgrade, during roughly the same window. -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.