2013-08 DevSummit Security session

Topics to discuss

/dev/random session

Mitigation topics

General security topics

Topics:

Report

In total, there were three security-related sessions: one on each day of the summit.

Monday, August 26th

Notes taken by SofianBrabez originally in text/x-zim-wiki syntax, partly moinmoinified by DagErlingSmørgrav

Present

/dev/random

See /DevRandom

mitigation session (25min)

ST

Probably for 11.0

rwatson: Use randomness for ASLR in process and kernel markm : RC4 random (dedicated register) use for mititation and aslr randomness in user mode, /dev/random unblock

Recent:

LT:

Tuesday, August 27th

Whiteboard photos:

Present:

DNSsec (55min)

Mitigation (no time)

Package NG signing + CA (1h)

des: libfetch in 10.0 can verify certificate, where we ship the certificate ?! bz: insane to put cert in DNSSEC record rwatson: digital signature ?! bapt: I just need to sign the metadata ?! des: you have to sign packages as well too bapt: already to be able to sign the catalog des: we have around november because pkgng is a port bapt: introduce simon bytesync python tool => we don't need to use SSH to copy thing.

pjd: LT when using mirrors compromised ? will be a problem / replace a package corrupted

Both ways are OK * easy way

* hard way

future:

10.0 Operational TODO:

10.0 Developer TODO:

10.0 impossible things:

Authentification (no time)

CPE (5min)

Conclusion: just start adding CPEs and worry about how to use them later.

Conclusions / Consensus:

Package signing breakout session

Result Summary

We will have a short-term plan for 10.0 that isn't pretty but allows us to securely update packages and pkg infrastructure in the field (pkg signing for 10.0.jpeg).

We also need a longer-term plan that we can implement for e.g. 11 (longer term pkg signing plan.jpeg).

Notes

Current state

A package currently contains:

digest.txz contains:

Packagesite.txz contains:

Future changes

In the future, digest.txz and packagesite.txz should both be signed.

/usr/local/etc/pkg.conf on client should support:

Signatures are RSA, created with OpenSSL

TODO for 10

/etc/pkg/keys/ - OpenSSL public keys

/etc/pkg/freebsd.conf "enable: true" to enable official repo

Bootstrapping relies on:

Need to record which key/certificate created each signature

Signing service needs building - clusteradm (Juniper/pjd?)

Digests need to contain (pkg, reposet, signatures, signature datestamp)

Compromised package sets notified via "pkg audit", plus security advisory etc

packagesite.txz should contain previous "bad" backage set details

packageset.txz also contains cert/signature mapping

poudriere: ports->packages->repo. Signed. (cert, sig) given to pkg update.

clusteradm will have key on signing server. so@ will keep copy encrypted against so@ pgp key, just in case.

TODO beyond 10.0

OpenSSL doesn't support attribute certificates, so we need to hack around it.

Result: FreeBSD CA only signing configuration files. Chain of trust deliberately broken via signing fingerprint files so that lower certificates are untrusted to tools that don't understand how the chain works

201308DevSummit/Security (last edited 2013-09-11 12:10:48 by MariuszZaborski)