Re: Three steps we could take to make supply chain attacks a bit harder

> (3) We should have a "security path", like "critical path".
> 
> sshd is linked to a lot of libraries:
> 
> /lib64/libaudit.so.1        audit-libs
> /lib64/libc.so.6            glibc
> /lib64/libcap-ng.so.0       libcap-ng
> /lib64/libcap.so.2          libcap
> /lib64/libcom_err.so.2      libcom_err
> /lib64/libcrypt.so.2        libxcrypt
> /lib64/libcrypto.so.3       openssl-libs
> /lib64/libeconf.so.0        libeconf
> /lib64/libgcc_s.so.1        libgcc
> /lib64/libgssapi_krb5.so.2  krb5-libs
> /lib64/libk5crypto.so.3     krb5-libs
> /lib64/libkeyutils.so.1     keyutils-libs
> /lib64/libkrb5.so.3         krb5-libs
> /lib64/libkrb5support.so.0  krb5-libs
> /lib64/liblz4.so.1          lz4-libs
> /lib64/liblzma.so.5         xz-libs
> /lib64/libm.so.6            glibc
> /lib64/libpam.so.0          pam-libs
> /lib64/libpcre2-8.so.0      pcre2
> /lib64/libresolv.so.2       glibc
> /lib64/libselinux.so.1      libselinux
> /lib64/libsystemd.so.0      systemd-libs
> /lib64/libz.so.1            zlib / zlib-ng
> /lib64/libzstd.so.1         zstd
> 
> Should we have a higher level of attention to these packages?  We
> already have "critical path", but that's a broad category now.  These
> seem like they are "security path" packages, an intentionally small
> subset associated with very secure services which are enabled by
> default.

I agree, but that brings us to the question of what to do about them
that's special.

Unrelated to the idea that some packages are special in this way, it's
probably worth writing some static analysis tools we could put into
rpm-inspect to detect when (a) a binary grows new public keys it didn't
have before, and (b) a shared object grows a new ifunc.  The latter is
dramatically easier, of course, but both of those should be pretty rare
events, so they're worth further inspection.

Even if it's just RSA keys that we search for, that would add some
benefit, and that's pretty easy if nobody has tried to cover their
tracks: scanning a binary for a big power-of-two-sized odd number followed
by a small prime number, and then filtering that with a more rigorous
prime test on the first number, will detect RSA keys and probably very
little else.  Might be worth grepping for "----- BEGIN" as well.

Just some thoughts, I'm sure we'll all have many more where these come
from.

-- 
        Peter
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
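
The RSA-key scan described in the message above, as an added example (not code from rpm-inspect or from this thread). It assumes the key is stored as two adjacent DER INTEGERs, as in a PKCS#1 RSAPublicKey, and it keeps a candidate modulus only if it has no factor below 2000 and fails Miller-Rabin, since an RSA modulus is a product of two large primes. All function names and the sample blob are constructed for illustration.

```python
import re
from itertools import islice

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin strong probable-prime test (exact below 3.3e24)."""
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def read_der_int(buf, i):
    """Parse a DER INTEGER at offset i; return (value, end offset) or None."""
    if i + 2 > len(buf) or buf[i] != 0x02:
        return None
    n, i = buf[i + 1], i + 2
    if n >= 0x80:  # long form: n - 0x80 length bytes follow
        n, i = int.from_bytes(buf[i:i + n - 0x80], "big"), i + n - 0x80
    if not 0 < n <= min(1025, len(buf) - i):  # cap at an 8192-bit integer
        return None
    return int.from_bytes(buf[i:i + n], "big"), i + n

def find_rsa_keys(buf):
    """(offset, modulus bits, exponent) per adjacent INTEGER pair; DER is assumed."""
    hits = []
    for m in re.finditer(b"\x02", buf):
        mod = read_der_int(buf, m.start())
        exp = mod and read_der_int(buf, mod[1])
        if not exp:
            continue
        (n, _), (e, _) = mod, exp
        bits = n.bit_length()
        if (bits >= 512 and bits & (bits - 1) == 0 and n % 2  # odd, power-of-two size
                and e < 1 << 32 and is_probable_prime(e)       # small prime exponent
                and all(n % f for f in range(3, 2000, 2))      # no small factor
                and not is_probable_prime(n)):                 # composite, like p * q
            hits.append((m.start(), bits, e))
    return hits

def constructed_sample():
    """Constructed input: a fake ELF stub holding a 1024-bit PKCS#1 RSAPublicKey."""
    p, q = islice((c for c in range(2**512 - 1, 0, -2) if is_probable_prime(c)), 2)
    key = b"\x30\x81\x89\x02\x81\x81\x00" + (p * q).to_bytes(128, "big") + b"\x02\x03\x01\x00\x01"
    return b"\x7fELF" + bytes(16) + key + bytes(8)

print(find_rsa_keys(constructed_sample()))
```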



