#nixos-security on 2019-05-10

10:11 <pie__> andi-, someone i know: "So ANSSI just dropped some hot stuff here. They developed a graph database based, open source threat intelligence platform that will be released soon: https://www.opencti.io/en/ It looks amazing." its not actually released yet and no talks are recorded so im like....mehhhhhh :c ...but watch this space I guess

10:35 <andi-> pie__: kinda burned out on those.. Still have to write a few patches for MISP as part of my day job..

11:14 <pie__> meh

11:14 <pie__> i havent put much effort into it just some ambient thinking, and we'd only find some subset of the functionality useful probably, if anything

11:28 <pie__> current ponderance: supply chain attacks on nix again

11:36 <gchristensen> oh?

11:37 <pie__> gchristensen, i think youve been promoting usage of yubikeys right?

11:37 <gchristensen> for sure

11:37 <gchristensen> u2f for github auth is excellent

11:37 <pie__> i mean i dont feel like i have any good ideas, just thinking what it would take to compromise a commiter machine

11:37 <gchristensen> and it makes using GPG, indeed, less horrific

11:38 <pie__> im not so worried about that, but thats good to have too, get rid of low hanging fruit and whatnot

11:38 <pie__> or rather, im not thinking abot that

11:38 <gchristensen> right on

11:39 <pie__> im just thinking again about how i feel theres increasing prevalence of supply chain attacks or things that could be supply chain attacks, makes sense too imo

11:39 <pie__> and signing by itself wont help with that

11:40 <gchristensen> right

11:40 <pie__> that will get you attribution to a compromised target after the fact maybe, but will do nothing about preventing injection of stuff into the upstream

11:41 <pie__> a hardware module that doesnt allow exporting private keys will at least prevent compromise of the key, but between the commit <-> signing process there isnt anything preventing a malicious actor from mangling the thing youre requesting to be signed?

11:42 <gchristensen> that sounds like a complicated attack

11:42 <pie__> theres probably easier ways, its easy to think of hollywood movie plots to paraphrase schneier

11:42 <gchristensen> and the signature won't match

11:43 <pie__> i dont know how signing actually works exactly but you just change data at the point that would make it correct (?)

11:43 <gchristensen> MichaelRaskin likes to remind me that it would not be difficult to pay somebody to make good contributions to Nixpkgs for 6mo, get commit bit, and then go wild

11:43 <pie__> makes sense

11:44 <gchristensen> and that would be cheaper than hollywood :)

11:44 <pie__> but anyway im not sure anything could *theoretically* be done about this, because the primary function of a committer is to...ingest new code

11:45 <pie__> so im kind of stuck

11:45 <pie__> something something capability system to limit damage but...idk

11:46 <gchristensen> Nix already protects aganist many attacks by using its cap system

11:46 <gchristensen> youcould look at what Debian does to vet contributors and new contributions, pie__

11:46 <pie__> what do you mean?

11:46 <pie__> @ cap system

11:48 <pie__> yeah ive had comments about that so i guess i should

11:48 <gchristensen> building and installing software with Nix uses the principle of least authority

11:49 <gchristensen> installing software has no "hooks", so installing malicious software is not the dangerous action

11:49 <pie__> i dont *quite* follow

11:50 <gchristensen> building a Nix package is tightly sandboxed

11:50 <pie__> yeah

11:50 <gchristensen> it has no access or authority on your system

11:50 <pie__> yeah i got that

11:50 <gchristensen> ok

11:50 <gchristensen> makingc breakfast

11:50 <pie__> ok

11:52 <gchristensen> actually not sure where I was going with that

11:53 <pie__> ;p

11:53 <pie__> happens

11:53 <gchristensen> :)

11:53 <pie__> i guess im preoccupied with malicious code showing up unnoticed

11:54 <pie__> we seem to have good integrity stuff for when something is already in the system

11:55 <pie__> but we are a very dispersed community, which is fine, but we need/want (?) technical solutions to problems that arent necesserily technical

11:55 <pie__> and for the problems that are too hard to solve technically i guess we have to solve otherwise

11:55 <pie__> when i mentioned capability system i was thinking more in the sense of the nix language, but i didnt think of anything concrete so maybe im just making word soup

11:56 <gchristensen> have you talked to simpson about nix's built-in capability system?

11:57 <pie__> ive brought this up a few times but never properly

11:57 <gchristensen> yeah

11:58 <gchristensen> simpson has a good perspective and understanding, worth seeking out a conversation specifically with him

11:58 <pie__> i mean im saying "woo capabilities" but i dont have any concrete thoughts yet on what we could actually preven

11:59 <pie__> also given the large disconnect between nix language evaluation level stuff and actual package runtime

11:59 <gchristensen> yes, simpson can help you understand exactly what we already do prevent with Nix's capabilities

12:00 <pie__> like, the nix runtime prevents you from making suid exes or whatever, but i dont see offhand how we could do anything from the nix language level - barring isolation of some kind of functionality to well controlled language construct

12:00 <pie__> ok

12:00 <pie__> well simpson should consider himself several times pinged :P

12:43 <ekleog> gchristensen: about the “pay someone to make good contributions during 6mo then go wild,” it's exactly what signatures would help protecting against (while they wouldn't help against a compromised committer) -- assuming we have a way to tie key ownership to real-world identity, of course

12:43 <pie__> i dont see how that necessarily helps

12:43 <ekleog> pie__: you can sue the person who did it

12:43 <pie__> well, unless said person has some reputation to uphold

12:44 <pie__> ah

12:44 <pie__> so what if its some random chinese person

12:45 <gchristensen> (that sounds a bit racist?)

12:45 <gchristensen> part of the game is definite "Cover Your Ass"

12:45 <ekleog> now, maybe justice would accept other circumstancial evidence as proof it's indeed the committer even without signed commits, but it's not guaranteed -- in the same way it's not guaranteed that it would accept the signature as proof

12:45 <gchristensen> anyway, this fits in to how Debian manages contriburs

12:45 <pie__> gchristensen, maybe - something something chinese APTs in the news all the time

12:45 <pie__> no not really racist

12:45 <pie__> i mean you get american APTs as well

12:45 <ekleog> gchristensen: I think pie__ meant random person living in china (or russia for that matter) -- countries known to not be really willing to follow suits

12:46 <pie__> apt being advanced persistent threat

12:46 <pie__> and so on

12:46 <pie__> but yeah + ekleog

12:46 <gchristensen> sure

12:46 <gchristensen> we can't resist an APT

12:46 <pie__> well, cant we?

12:46 <gchristensen> I'm going to say no

12:46 <gchristensen> (and, we do have Chinese contributors already)

12:46 <ekleog> we don't have enough manpower for the time being

12:47 <pie__> but yeah im inclined to agree gien that i dont see how we could avoid the fundamental premise of a committer being to ...commit code

12:47 <ekleog> when we have enough manpower to require 3 reviews per contribution we can start thinking about defending against state adversaries

12:47 <gchristensen> (and Russian contributors)

12:47 <pie__> i didnt mean to imply that i have anything inherently against chinese or russian contributors

12:47 <pie__> and at least we have human readable code for the most part

12:47 <gchristensen> right

12:48 <ekleog> for now defending against the 6mo contributor turning wild is a good first step imo

12:48 <gchristensen> I don't think it is useful to bring country of origin in to this discussion at all, so let's just not do that

12:49 <pie__> ekleog, sure. also why i was vaguely wondering about some vague notion of capabilities systems - decrease key load.

12:49 <gchristensen> part of "blue team" (protection) is resisting attack, but also part of blue team is mitigating a successful attack, and also protocol of dealing with the results

12:49 <pie__> yeah

12:50 <pie__> i wouldnt mind red team but i dont have any experience and how do you even red team an open source project

12:50 <gchristensen> all of these are important components, and we don't have to imagine APTs

12:50 <gchristensen> there are simple exercises we could do

12:50 <pie__> like, could contributors agree to being red teamed

12:51 <gchristensen> for example, commit a patch direct to master which adds "malicious commit!" to a file and see what happens

12:51 <pie__> who gets on the red team, scope etc etc - probably a mess logistically

12:51 <pie__> i mean i have no idea what im talking about

12:51 <gchristensen> yes, it would need to be coordinated with the NixOS Foundation

12:51 <pie__> i guess pentesting the infra would be feasible

12:52 <pie__> but *shrug*

12:52 <gchristensen> but, red teaming is not useful unless the organization has operational plans and expertise in place already

12:52 <pie__> makes sense i guess

12:52 <xorAxAx> hmm, i presume the "person commits compromised code" is less likely than "person commits faulty code" or "attacker does MITM on the wire to send compromised code"

12:53 <pie__> gchristensen, sidenote, if we have fully reproducible infrastructure setting up a test environment should be fine

12:53 <pie__> xorAxAx, signing would prevent the last part depending on what you mean by on the wire?

12:53 <pie__> unless something something commits from github UI

12:53 <xorAxAx> pie__, does git check the signatures of signed commits on fetch?

12:54 <gchristensen> no

12:54 <xorAxAx> pie__, (it would also require git support in nix-channels)

12:54 <pie__> xorAxAx, oh im not sure. i think some people enable that but it might not be enabled by default

12:54 <gchristensen> for further discussion on GPG there is an RFC

12:54 <pie__> i think we should get that enabled by default tho if its not a huuuge perf hit

12:54 <gchristensen> https://github.com/NixOS/rfcs/pull/34

12:54 <{^_^}> rfcs#34 (by lrvick, 31 weeks ago, closed): [RFC 0034] Expression Integrity

12:55 <pie__> sidenote on the whole above discussion: not that we probably dont have enough low hanging fruit anyway - and im bad at keeping my head out of the clouds

12:55 <xorAxAx> ah, that sounds interesting as well - it would probably mean that untrusted expression acquiration channels are still supported

12:55 <gchristensen> pie__: :)

12:56 <xorAxAx> ... and secure

14:24 <simpson> pie__: Nix builds require an explicit list of build inputs, and otherwise a build cannot get a hold of a particular package. This is like closely-holding capabilities; by closely-holding packages, Nix treats (references to) packages as capabilities.

14:27 <simpson> As an example, a cheap result would be that breaking out of the Nix buildtime sandbox requires a buildinput which has some special sandbox-breaking ability; that ability can't be forged arbitrarily while following the rules of Nix.

14:30 <pie__> ok yeah that much makes sense to me and i figured the functional-like paradigm would yield something like that. but can we actually in practice restrict the language?

14:30 <gchristensen> what about the language?

14:30 <pie__> i mean can we restrict what any given piece of code does

14:30 <pie__> i guess you are limited to what you can do in the sandbox and to your output directroy

14:31 <pie__> *directory

14:31 <pie__> im not sure what problem im trying to solve though

14:31 <pie__> (modules are probably more interesting)

14:31 <gchristensen> modules have much greater authority

14:31 <simpson> pie__: We already do. Pick (almost?) any default.nix in nixpkgs, and you can tell what it does by the arguments it takes at the top.

14:32 <pie__> simpson, you can run arbitrary bash code wherever with an override?

14:32 <simpson> Nix wasn't *designed* for this, so it's not a reliable indicator, but this is the sort of concept I'm trying to get across: We know *exactly* what is passed from one object to another.

14:32 <pie__> simpson, yeah that at least makes sense to me

14:32 <simpson> pie__: Aren't those bash snippets sandboxed, though?

14:33 <pie__> yeah theyre sandboxed (everything is sandboxed, hence why im not sure what im trying to solve)

14:33 <pie__> i guess the problem is if you somehow make a bad executable that the user then runs normally. but im not sure anything can be done about that

14:34 <simpson> Ah, sure; we don't have anything that prevents somebody from uploading malicious patches and then causing downstream users to be exploited.

14:34 <simpson> I mean, we have *people* and *social processes*, but to me those are sources of, not solutions to, the security problems you've outlined.

14:35 <pie__> i dont think we disagree?

14:36 <simpson> Sure. This isn't an agree/disagree conversation.

14:36 <simpson> If you want a head-in-the-clouds idea, imagine binaries that statically promise to only use a certain subset of the syscall API.

14:36 <pie__> sure

14:36 <pie__> sounds good

14:36 <pie__> actually /me ponders

14:37 <pie__> also something something apparmor etc

14:37 <simpson> But Nix is a transitional capability system, not a perfect encapsulation. We have basically no power over the final binaries, other than the power delegated to the user to choose which binaries are in a given scope.

14:37 <pie__> stop me if this is going off on a tangent but i guess the holy grail of an attack would be to get something into a base package

14:38 <simpson> Sure. Compromising GCC or Clang would be a big deal.

14:40 <pie__> maybe im approaching this the wrong way - lets say we have a malicious comitter. what can they do any what can we do about it

14:40 <pie__> in a damage minimization sense

14:42 <gchristensen> one possible damage mitigation route is require more reviewers the more packages impacted

14:42 <simpson> Like, we've identified that a particular commit is malicious? We can revert that commit. We can mark the affected build outputs as tainted, removing them from Hydra and announcing the problem to users.

14:42 <gchristensen> a compromised leaf package is uninteresting

14:42 <gchristensen> (not good, but not the worst)

14:43 <gchristensen> a compromised stdenv is much more interesting as an attacker

14:43 <pie__> simpson, or that i suppose it splits into two scenarios 1) smash and grab - ideally someone notices quickly 2) low and slow / not noticed

14:43 <pie__> well im mixing up strategy and noticing which are orthogonal, but eh

14:43 <pie__> no. i mean there is a malcious commit we havent identified

14:44 <pie__> gchristensen, right

14:44 <simpson> pie__: Sorry, I don't want to analyze panic-driven or fear-driven models. We should be precise: What exactly do we want to not have happen?

14:44 <pie__> simpson, yeah, <pie__> no. i mean there is a malcious commit we havent identified

14:44 <pie__> thats what i meant

14:44 <simpson> There's a bit of an elephant in the room: None of us have *ever* read GCC front-to-back, and so none of us can really show that there's not already a backdoor.

14:44 <gchristensen> hehe

14:45 <pie__> simpson, sure. im not against you telling me something like "the problem is fundamentally flawed"

14:45 <simpson> pie__: Then I think that we treat it like a CVE or other security vuln in a leaf package, with the additional remediation step of auditing the original committer.

14:45 <pie__> i havent been able to pin it down myself.

14:46 <pie__> i think my best summary was still "you have unnoticed Bad Things (malicious comitter / comitter with compromised machine /etc). what can you do about it?"

14:46 <pie__> emphasis on unnoticed because im interested in prevention

14:46 <pie__> not remediation

14:47 <simpson> pie__: Rely on the free capability theorems. If a user doesn't use the compromised package, then they're unaffected. If a user doesn't call the uncompromised package outside of build steps, then they are only affected for those particular built packages' outputs.

14:47 <pie__> (though being able to do the latter is of course still important)

14:48 <simpson> Think of the water balloon and the sponge. Both leak when stabbed by knives. The water balloon has no internal structure, so it fails completely; the sponge has internal structure which naturally (automatically!) resists leaking even when damaged.

14:49 <pie__> simpson, i think its a fair assumption that an "important" package is targeted, for some value of important, otherwise the scenario is pointless?

14:49 <pie__> like, some web server or whatever even, its not a core OS package

14:50 <simpson> pie__: RFC 34, which I'm still examining, suggests that leaf packages like Bitcoin wallet managers will be prime targets.

14:50 <gchristensen> pie__: have you read how Debian vets new packages and new contributors yec?

14:51 <pie__> gchristensen, no, guess i should up the priority on that?

14:51 <pie__> ive mostly been fighting with go2nix alld ay

14:51 <simpson> They are focused on attacks against the users' homedirs which exfiltrate data, and I think that the design of Nix prevents that without having the user actually run the targeted leaf package.

14:51 <gchristensen> pie__: this conversation would be more profitable if we continue it after you read it

14:52 <gchristensen> simpson: bitcoin wallet managers are doing a good job of being vulnerable on their own without needing to target a package manager ;)

14:52 <pie__> heh^

14:52 <pie__> i mean i really havent said what "a malicious commit" means. i guess as we touched on, there isnt anything that could be done from the nix side to prevent run time (patched) malicious code problems.

14:53 <pie__> other than using runtime capabilities - selinux, apparmor?

14:53 <gchristensen> in the NixOS case, that would help yeah

14:53 <pie__> maybe using nix could make managing that a lot better though?

14:53 <pie__> theres probably been discussions on this but i havent thought / remembered to look at them

14:53 <gchristensen> an important thing is Nix doesn't _have_ a runtime. it evaporates at the end

14:53 <pie__> gchristensen, sorry by runtime i mean running a program

14:54 <gchristensen> right

14:54 <gchristensen> I know

14:54 <pie__> ok i dont follow

14:54 <gchristensen> if Nix had a runtime (like Docker) then it could do some magic around enforcement, but Nix is out of the picture at the program's runtime

14:54 <pie__> ah. thats fine i think?

14:54 <pie__> this space should be covered by the kernel?

14:54 <gchristensen> well it is a trade-off. I happen to think the right one

14:55 <gchristensen> Nix could provide tools for to easily reduce the executable's privileges

14:55 <pie__> hm - or rather, ideally anything except the very base enforcement code would be outside the kernel

14:56 <simpson> gchristensen, pie__: Did anybody actually post the DD checklist? https://www.debian.org/devel/join/nm-checklist

14:56 <gchristensen> thanks, simpson

14:56 <pie__> ok i added redaing the debian vetting and apparmor/selinux/capsicum/etc to my todo

14:56 <pie__> simpson, thanks

14:56 <pie__> was there a third thing?

14:56 <pie__> *ok i added reading

14:56 <gchristensen> firejail

14:57 <pie__> we didnt talk about that, but maybe there wasnt a third thing, but ok ill check out firejail too (ive heard of it)

14:57 <pie__> (also anything else is fine, i just thought i forgot something

14:57 <gchristensen> ah, I was alluding to it at 14:55 <gchristensen> Nix could provide tools for to easily reduce the executable's privileges

14:58 <simpson> Reminds me of applying to university. A portfolio, some identification and vouching from prior graduates, and an essay on why you'd be good for the university.

14:58 <pie__> a question is how not to wreck usability for normal users, but thats probably discussed plenty elsewhere

14:59 <ekleog> firejail has the design issue that it requires to elevate privileges in order to drop them

14:59 <gchristensen> hehe true

14:59 <pie__> ekleog, ironic

15:00 <ekleog> if someone wants to make a GUI for https://github.com/Ekleog/toboggan/ , it's all that's missing for it to be able to replace firejail without this privilege escalation :p

15:00 <ekleog> (2 years ago already… :( )

15:00 <ekleog> based on seccomp + ptrace to filter syscalls

15:01 <pie__> (tell me when Qtah (an acquaintances WIP haskell qt binding) is finally usable :P)

15:01 <ekleog> and/or the Mbox I linked in the readme when I gave up on writing the UI because I'm bad at finishing stuff

15:05 <pie__> ok so if we have runtime capabilities that could (?) reduce cross-package damage

15:06 <pie__> so you wont get so pwned by some random app you download unless its the kind of thing that fundamentally requires system acces

15:07 <pie__> *full system/etc

15:07 <simpson> pie__: Sure. But that is the realm of CloudABI, Capsicum, and other rewrite-required solutions. In fact, it's *expected* that taking advantage of capabilities means rewriting code.

15:08 <pie__> hm

15:08 <simpson> (It's very curious to hear phrases like "how not to wreck usability for normal users" given that Nix, as a capability system, *intentionally wrecks the 'normal user' experience*.)

15:08 <pie__> just because nix is hard to use now doesnt mean it has to be later

15:09 <simpson> Not hard, but *different*. Requiring rewrites, requiring UX changes.

15:09 <pie__> simpson, im not sure what you scoped "rewrite required" to re: capsicum

15:10 <globin> pie__: you might be interested in the SELinux RFC

15:10 <pie__> i dont know anything about this stuff but you could for example just hide files you dont have capabilities for, for example, as opposed to needing to rewrite the api? i imagine this is what selinux and the like might do since i dont think i saw anything about selinux causing a rewrite and its kernel side

15:11 <pie__> globin, ah, makes sense then. ill definitely check that out

15:12 <pie__> i guess this all fundamentally is coming down to compartmentalization.

15:12 <pie__> that makes some sense, if you have a malicious actor whos behaviour fundamentally intersects with what they are supposed to be doing anyway

15:12 <simpson> pie__: Sorry, I don't know how to get this across the language barrier, but you need to turn your thinking inside-out here. In a capability-aware world, any object (including user agents!) can do exactly what it currently has the ability to do. Nothing more or less. http://habitatchronicles.com/2017/05/what-are-capabilities/ might help.

15:13 <pie__> simpson, thats what i expected? my model is "here is a bag of functions, you can call them."

15:14 <pie__> "you cant construct your own functions, etc etc"

15:14 <pie__> thanks for link