You are not logged in.

#1 2008-11-04 06:28:30

blairkatu
Member
Registered: 2008-10-07
Posts: 6

Pacman Veanurability

As many of the Arch users know Pacman (and most updater programs) creates a notoriously vulnerability to the Domain Name Server (DNS) Man In The Middle (MITM) attack; if you don't know what this is see the second paragraph. I think that this problem REALLY needs a solution, so I propose: A single GnuPG http://www.gnupg.org/ key for the server, the server encrypts and signs the hashes for the packages to be downloaded using the server private key. The users have the server's signed public key so they can decrypt the message and check the signature to make sure its a trusted source. Now the user can download directly from the IP gathered while preforming the initial DNS request (So if the server has a low Time To Live (TTL) the MITM attack can't happen during the second request) and check against known "good" hash checksums. I've tried to identify some possible flaws with this system which include:
Statistical Analysis: I figure (even though I don't think its ever been done) with enough samples and decodes of a GPG encrypted message you could preform a statistical analysis and effectively procure a private key.
Multiple Server Problems: With all the different servers for each to have access to the private key would be insane, the private key should be used to lock data on the main (archlinux.org?) server and the rest can copy and update regularly (as they do now) 
Increased Distro Size: It would be a slight increase to make room for the GPG command line program, but I don't think it would be too bad.
INSERT YOUR CRITIQUE HERE: I'm sure theres more and for the security of the community they should be discussed.

OK so this part is for those who don't understand the first paragraph. The DNS MTIM attack is sort of difficult to explain but after noting the confusion on my sister thread http://bbs.archlinux.org/viewtopic.php?id=35609&p=1 I decided it is a necessity. To begin:
DEFINITIONS:
DNS: Domain Name Server; the central hub of the Internet. It operates like a phone book if you will but with IP address instead of phone numbers and housing addresses, and domain names instead of the persons names (ie: google.com vs John Doe) you use it every time you connect to the Internet or lookup a host name
MITM attack: Man in the middle attack; generally considered to be a more difficult hack but doable all the same. The attack requires the hacker to be between the user and his target data.
WHAT HAPPENS?:
A hacker pretends to have the same IP as your DNS (or something more elegant) so, when you ask your DNS for the IP address of archlinux.org it returns the hacker's choice of address. More often then not the hacker would spy on your DNS requests and provide you with you normal Internet for a while. It is here that the hacker becomes a cracker, (a hacker with malicious intent) if he see you access archlinux.org (or one of the mirrors) once a week he can assume that you probably run Arch, use Pacman, have an I686 or x64 architecture. Now that he knows what mirror you use he can copy the server architecture from another server, bind the address of the mirror to his own server and effectively route all the traffic to that server. As Arch uses precompiled binaries in its updates etc. it would be phenomenally easy at this point to change the code of one of the updates to something malicious and have you download it and run it on your next update. Scary stuff eh?

SOURCES:
-WIKIPEDIA
-GOOGLE
-Dan Kaminsky: Director of penetration testing at IOActive
     I suggest you read this power point, its a great synopsis of the problem and shows how recently this has been exposed.
     http://www.doxpara.com/DMK_BO2K8.ppt
-Cory Doctorow's "Little Brother"
     Its a great read.
     http://craphound.com/littlebrother/download/
Countless Others

Offline

#2 2008-11-04 07:00:05

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: Pacman Veanurability

Patches welcome.

If someone actually wants to submit some patches for this, join the pacman-dev list and find out about the pgp branch where a good start has been made.

Offline

#3 2008-11-04 08:43:13

Heller_Barde
Member
Registered: 2008-04-01
Posts: 245

Re: Pacman Veanurability

seems a little paranoid to me neutral of course the possibility exists, but still... mhh

cheers Barde

Offline

#4 2008-11-04 09:24:39

Cappy
Member
Registered: 2008-10-13
Posts: 20

Re: Pacman Veanurability

Heller_Barde wrote:

seems a little paranoid to me neutral of course the possibility exists, but still... mhh

cheers Barde

Well, if Arch becomes a more popular distro or base for other distros there is definitely an increased chance of an automated attack.

2 notes about the OP's argument:
Getting the DNS / sites a person is visiting is a lot easier than the OP makes it, it's only reverse DNS lookups on IPs or HTTP requests. (lots of reverse DNS lookups are a sign of packet sniffing, by the way)
Also, the "making a mirror" would take far too much work/bandwidth. I would rather make a quick script to unpackage one of the updates, include a rootkit, repack it, and inject it back into the wireless stream. Yes, to do this you would make your computer the middle man first when that site is requested (as already described) by acting as the DNS.

It's really not that hard to do and it would certainly make a big problem if Arch moved to "enterprise level" so there really is a need for it, although it isn't pressing at the moment.

Actually, that could make a really interesting Arch-only "worm" (for those with Atheros chipsets) that would spread upon updating.

Offline

#5 2008-11-05 15:28:22

jarryson
Member
Registered: 2007-02-18
Posts: 298

Re: Pacman Veanurability

will it like apt-get? it will be a little hard to use than now, but i think it is better.

Offline

#6 2008-11-06 02:28:14

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

Re: Pacman Veanurability

I seem to recall seeing an initiative along these lines a year or two back, where it was proposed that the devs verity their identities to the central server and the central server verify it's identity for the clients. A sound plan, but no one would bother to code it, and the devs thought it was overkill. I tend to agree with them.

This isn't so much overkill, but I don't think it's as essential as the OP presents. An ISP with IP egress protection will stop something like this dead in its tracks.

Offline

#7 2008-11-06 10:37:47

Heller_Barde
Member
Registered: 2008-04-01
Posts: 245

Re: Pacman Veanurability

I think gnuffy already implemented this idea. although their pacman version called spaceman is written in bash, maybe there is a possibility to take their ideas and sorta implement it in pacman. I would be happy to help in that direction, as long as I have someone to go to with problems with pacman's source. I tried to look at the source but i got stuck pretty fast -.-

the downside would be that we had another dependency for pacman (gnupg)

cheers Barde

Offline

#8 2008-11-08 00:15:20

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: Pacman Veanurability

This has already been mentioned (by me, specifically wink ), and I hear it's on the development to-do list:

http://bbs.archlinux.org/viewtopic.php?id=51570
http://bbs.archlinux.org/viewtopic.php? … 82#p333982

Offline

#9 2008-11-08 16:46:15

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: Pacman Veanurability

FWIW, pacman-G2 (used by Frugalware) already implements GPG signing.

Offline

Board footer

Powered by FluxBB