#nixos-security on 2019-05-14

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

01:53 Synthetica has quit [Quit: Connection closed for inactivity]

04:29 copumpkin has quit [Ping timeout: 246 seconds]

08:52 justanotheruser has quit [Ping timeout: 255 seconds]

09:01 pie__ has quit [Ping timeout: 258 seconds]

09:07 pie___ has quit [Ping timeout: 258 seconds]

09:21 Synthetica has joined #nixos-security

09:59 pie_ has joined #nixos-security

10:02 pie__ has joined #nixos-security

10:04 pie_ has quit [Ping timeout: 245 seconds]

10:20 <pie__> in the news, though i suppose youve already seen: chosen prefix attack on sha1

10:22 <pie__> or something

10:22 <pie__> https://eprint.iacr.org/2019/459.pdf

10:22 <pie__> actually hold on, this looks like it predicates on already having a collision?

10:23 <pie__> " In particular, we have a chosen-prefix collision attack againstSHA-1with complexity between 266.9and 269.4(depending on assump-tions about the cost of finding near-collision blocks), while the best-known attack has complexity 277.1. This is within a small factor of thecomplexity of the classical collision attack onSHA-1(estimated as 264.7).This represents yet another warning that industries and users have

10:23 <pie__> tomove away from usingSHA-1as soon as possible"

10:24 <pie__> thats to be read as 2^66.9 and etc

10:25 <pie__> not sure what implications this had for git

10:27 <pie__> random google yields https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt but "Add SHA-256 support to Git protocol." is a non-goal in that document

10:27 <pie__> "This is valuable and the logical next step but it is out of scope for this initial design."

12:12 <infinisil> I'm surprised the paper doesn't mention git

12:21 <gchristensen> infinisil, pie__ https://github.blog/2017-03-20-sha-1-collision-detection-on-github-com/

12:23 <pie__> didnt know this "Why do collisions matter for Git’s security?

12:23 <pie__> If a Git fetch or push tries to send a colliding object to a repository that already contains the other half of the collision, the receiver can compare the bytes of each object, notice the problem, and reject the new object. Git has implemented this detection since its inception."

12:23 <gchristensen> git's store is content addressed, so why bother sending (or receiving) an object you already have

12:24 <pie__> well yeah

12:24 <pie__> so does that mean when you push you retrieve an list of remote hashes?

12:24 <pie__> or..hm

12:25 <pie__> i guess you wouldnt need to since you have a remote pointer and a local pointer and can just send whats in between

12:25 <pie__> well, i should look up how git syncing works if i want to know

12:25 <pie__> that mitigation seems to be specific to SHAttered though

12:26 erictapen has joined #nixos-security

12:26 <pie__> "The Git project is also developing a plan to transition away from SHA-1 to another, more secure hash algorithm, while minimizing the disruption to existing repository data. As that work matures, we plan to support it on GitHub." seems encouraging

12:26 <gchristensen> it is a bit complicated because all the old hashes will still exist

13:04 justanotheruser has joined #nixos-security

13:12 erictapen has quit [Ping timeout: 258 seconds]

13:47 erictapen has joined #nixos-security

14:31 erictapen has quit [Ping timeout: 244 seconds]

15:17 erictapen has joined #nixos-security

15:39 pie___ has joined #nixos-security

15:41 pie__ has quit [Ping timeout: 255 seconds]

16:35 pie__ has joined #nixos-security

16:37 pie___ has quit [Ping timeout: 246 seconds]

16:58 andi- has quit [Remote host closed the connection]

17:06 andi- has joined #nixos-security

17:12 pie__ has quit [Ping timeout: 258 seconds]

17:15 pie_ has joined #nixos-security

17:17 <andi-> https://zombieloadattack.com/#demo

17:17 <gchristensen> cool cool cool

17:17 <pie_> oh geez is this another cpu thing

17:17 galaxie has left #nixos-security [#nixos-security]

17:18 <gchristensen> I thought everybody turned off hyperthreading by now

17:18 <pie_> ah, its from the usual crows

17:18 <andi-> You are still using computers? :D

17:18 <pie_> * crowd

17:21 <gchristensen> let's all just dump this nixos stuff and adopt templeos

17:21 <gchristensen> no worry about processor attacks when you can just read memory from any process at any time

17:21 <pie_> lol

17:21 <pie_> "We are the first to do post-processing of the leaked datawithin the transient domain to eliminate noise."

17:22 <pie_> (well, they did put that as the last item)

17:22 <pie_> i kind of meant that as "duh", but maybe its not so "duh"

17:24 <pie_> hm. too bad im preoccupied with other stuff i guess

17:24 <pie_> funny that I just put Computer Architecture: A Quantitative Approach on my desk again today

17:28 erictapen has quit [Ping timeout: 268 seconds]

17:40 erictapen has joined #nixos-security

17:49 erictapen has quit [Ping timeout: 246 seconds]

17:50 erictapen has joined #nixos-security

17:58 <pie_> huh this seems a pretty decent summary of multi factor authentication stuff https://blog.dcso.de/modern-authentication-services-more-than-passwords-plus-smart-card/

18:08 erictapen has quit [Ping timeout: 245 seconds]

18:09 <Foxboron> gchristensen: I'm considering taking up wood chopping.

18:09 <Foxboron> No worries about reading memory when there is none.

18:09 erictapen has joined #nixos-security

18:10 <gchristensen> still have rings of privilege though

18:11 <gchristensen> and hope those bugs don'tget past the outer rings

18:11 <Foxboron> Nothing to exploit if we just remove everything and the stem.

18:13 <pie_> https://mdsattacks.com/

18:13 <Foxboron> and https://cpu.fail/ :)

18:15 <pie_> "how did you test it on all this hardware" https://mdsattacks.com/images/rack.jpg

18:15 erictapen has quit [Ping timeout: 246 seconds]

18:17 <pie_> nice https://mdsattacks.com/images/patents.jpg

18:17 erictapen has joined #nixos-security

18:18 <pie_> gchristensen, do we have a nixos flag yet for fix_all_my_shit_i_dont_care_if_its_slow?

18:18 <pie_> because i havent been keeping up with mitigations

18:24 <pie_> how do i disable hyperthreading anyway

18:25 <pie_> unrelated: can we / do we blacklist known vulnerable kernel modules

18:26 <samueldr> there is at least `boot.initrd.luks.mitigateDMAAttacks` I know of

18:26 <samueldr> but here it's vulnerable _as designed_

18:30 <pie_> <gchristensen> I thought everybody turned off hyperthreading by now

18:33 Synthetica has quit [Quit: Connection closed for inactivity]

18:36 <samueldr> https://sites.google.com/a/chromium.org/dev/chromium-os/mds-on-chromeos

18:36 <samueldr> To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations.

18:36 <samueldr> turns out google does :)

18:36 <samueldr> (for now)

18:36 <pie_> yeah so how do we :p

18:36 <pie_> or how do i i mean

18:36 <pie_> im kind of lazy / preoccupied to start googlign thart

18:37 <samueldr> AFAIUI the bios setting is the right one

18:37 <pie_> the blacklisted kernel modules thing was a throwback to the RDS thing yesterday

18:57 <pie_> <ggreer> The following packages will be upgraded:

18:57 <pie_> <ggreer> ... intel-microcode ...

18:57 <pie_> <ggreer> oh shit. what happened now?

18:57 <pie_> looks like debians got updates

18:57 <pie_> not surprising given the embargoed distro list i suppose

19:50 pie_ has quit [Ping timeout: 258 seconds]

20:40 <samueldr> https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html

20:42 <samueldr> and /sys/devices/system/cpu/smt/ for runtime things

20:42 <samueldr> too bad pie_ left

20:43 <samueldr> more details about the sysfs nits here https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html#smt-control

21:04 pie_ has joined #nixos-security

22:42 erictapen has quit [Ping timeout: 244 seconds]

23:52 pie_ has quit [Ping timeout: 258 seconds]