From: Santiago Torres <santiago@nyu.edu>
To: Stefan Beller <sbeller@google.com>
Cc: Git <git@vger.kernel.org>
Subject: Re: [RFC] Malicously tampering git metadata?
Date: Thu, 17 Dec 2015 20:06:36 -0500 [thread overview]
Message-ID: <20151218010635.GA16508@LykOS> (raw)
In-Reply-To: <CAGZ79kZNim0wp2fYKv2+6t+CaqqzjTThsm_KoAv1D_8OsD0qTQ@mail.gmail.com>
Hi Stefan, thanks for the insight.
> This is what push certificates ought to solve.
> The server records all pushes and its signed certificates of pushes
> and by the difference of the
> refs (either in packed refs or as a loose ref) to the push certificate
> this tampering of
> the server can be detected.
Is there any specification about push certificates? I would like to read
about them, but I don't seem to find documentation anywhere. Are they a
part of git's specification?
>
> The push certs can however not be obtained via Git itself (they are
> just stored on the
> server for now for later inspection or similar), because to be really
> sure the client would
> need to learn about these push certificates out of band.
I was thinking that an in-band solution could be integrated as long as
we assume a compromise would result in an complete (unreconcilable)
fork attack; fork attacks aren't subtle and could be detected easily.
>
> The model there would be:
> * A vulnerable piece of software exists.
> * It get's fixed (and the fix is pushed with a signed push)
> * the MITM server doesn't show the fix (show the code from before fix) nor
> the push certificate thereof
> * client still pulls vulnerable code
Yes, this is a possible attack vector. However, a server could also
present a branch pointer as different (e.g., point an experimental
branch to an unsigned v1.1 tag). This has other implications, as the
code is pushed/pulled from upstream, it just goes somewhere different.
>
> This model shows the distribution of push certs via the server itself may not be
> optimal.
Yes, it might not be optimal, but it could provide protection against
the attack I just described, for more complex attacks might not be so
subtle. Adding to this, developers likely coordinate their efforts
through other means (sic), so the lack of a push certificate (withheld
by a server) could raise some yellow flags.
We've made a proof of concept of such tool (in-bandh push certificates),
and would like to share the basic design of it here. However, it follows
our threat model: a compromised server that can't introduce malicious
code (thanks to commit signing), but can modify branch pointers and
other unsigned metadata to alter the repository's state.
>
> Thanks for researching on Git,
Thanks for working in such a great tool :)
-Santiago
> Stefan
next prev parent reply other threads:[~2015-12-18 1:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-16 3:26 [RFC] Malicously tampering git metadata? Santiago Torres
2015-12-16 7:20 ` Stefan Beller
2015-12-18 1:06 ` Santiago Torres [this message]
2015-12-18 3:55 ` Jeff King
2015-12-18 4:02 ` Jeff King
2015-12-18 23:10 ` Theodore Ts'o
2015-12-19 17:30 ` Santiago Torres
2015-12-20 1:28 ` Theodore Ts'o
2016-01-12 18:21 ` Santiago Torres
2016-01-12 18:39 ` Stefan Beller
2016-01-14 17:16 ` Santiago Torres
2016-01-14 17:21 ` Stefan Beller
2016-01-22 18:00 ` Santiago Torres
2016-01-22 18:51 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151218010635.GA16508@LykOS \
--to=santiago@nyu.edu \
--cc=git@vger.kernel.org \
--cc=sbeller@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).