Torrenting security patches

Cameron Dale camrdale at gmail.com
Wed Sep 19 18:08:03 UTC 2007


On 9/18/07, Steve Cotton <steve at s.cotton.clara.co.uk> wrote:
> I'm worried that DebTorrent could be used to select targets for
> remote-root exploits.  By joining the swarm shortly after a
> package is updated, an attacker will find out which peers have
> downloaded the vulnerable version of the package, but not the new
> version.

Thanks for bringing up this concern Steve, it has not been mentioned
before. I've been thinking about this for a bit, and though I was at
first concerned, I don't think it's as bad as it seems.

For stable, the problem is mostly solved by not using DebTorrent to
distribute the security updates. Though you could still determine who
was using the vulnerable packages, you would not know who had not yet
installed the fixed version.

For testing/unstable in the current version, the changing of a package
means a new torrent is created, so no one will be in a torrent that
contains both the old version and the new version. To find machines
that haven't updated, an attacker would have to know which torrents
contain the vulnerable version of the package, and then scan each of
them looking for peers that have that package installed. For
testing/unstable in the upcoming (unreleased) version, where torrents
are more long-lived with multiple versions of a package in a single
torrent, this will be more of a problem.

Though not as bad as I first thought, the situation is not ideal, so
I'm open to ideas on how to improve it. One possible solution might be
to allow peers to inform other peers that their package is out of date
or vulnerable. At that point the peer could automatically update to
the new version, or (for security vulnerabilities) stop informing
other peers that it has that vulnerable package.

Cameron
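As an added example (not part of this thread or of DebTorrent's own code), a small Python model of the disclosure concern and of the mitigation proposed above: a long-lived torrent maps pieces to package versions, and a peer stops advertising pieces of a version once a security advisory marks it vulnerable, so other swarm members can no longer tell who still holds the old version. The data model, the advisory handling and the package names are assumptions constructed for the example.

```python
"""Model of the disclosure concern from the thread and the proposed fix.

A long-lived torrent carries several versions of a package, so each piece
maps to a (package, version).  Peers announce which pieces they hold; the
mitigation masks pieces of versions a security advisory marks vulnerable,
so the swarm no longer learns who still holds them.  The data model and
advisory handling are assumptions for this example, not DebTorrent's own.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    pieces: dict                                  # piece index -> (package, version tuple)
    have: set = field(default_factory=set)        # pieces this peer actually holds
    vulnerable: set = field(default_factory=set)  # (package, version) pairs to hide

    def apply_advisory(self, package, fixed_version):
        """Mark every version of `package` older than `fixed_version` vulnerable.
        Versions are tuples of ints so plain comparison orders them correctly."""
        for pkg, ver in set(self.pieces.values()):
            if pkg == package and ver < fixed_version:
                self.vulnerable.add((pkg, ver))

    def advertised_bitfield(self):
        """Pieces announced to other peers: holdings minus vulnerable-version pieces."""
        return {i for i in self.have if self.pieces[i] not in self.vulnerable}


def versions_visible_to_swarm(peer, package):
    """What any swarm member can infer about `package` from the peer's announcements."""
    return {ver for i in peer.advertised_bitfield()
            for pkg, ver in (peer.pieces[i],) if pkg == package}


def build_sample_peer():
    """Constructed sample: pieces 0-3 are pkg-a 4.6, 4-7 are pkg-a 4.7, 8-9 are pkg-b 3.2.
    The peer still holds the old pkg-a and has not fetched 4.7."""
    pieces = {i: ("pkg-a", (4, 6)) for i in range(4)}
    pieces.update({i: ("pkg-a", (4, 7)) for i in range(4, 8)})
    pieces.update({8: ("pkg-b", (3, 2)), 9: ("pkg-b", (3, 2))})
    return Peer("peer1", pieces, have={0, 1, 2, 3, 8, 9})


if __name__ == "__main__":
    peer = build_sample_peer()
    print("before advisory:", versions_visible_to_swarm(peer, "pkg-a"))  # {(4, 6)}
    peer.apply_advisory("pkg-a", (4, 7))
    print("after advisory: ", versions_visible_to_swarm(peer, "pkg-a"))  # set()
```

Before the advisory the swarm can see that peer1 holds pkg-a 4.6 and nothing newer; afterwards pkg-a pieces vanish from its announcements while unaffected pkg-b pieces are still shared.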


