Porteus

Hello everybody.

I am here to post part of a conversation I have had with Fanthom regarding the security (or lack of it) of Porteus packaging process.

Porteus is more or less a comunity proyect, so everybody who has
something to contribute with is encouraged to help, isn't it? Well, I
find that this is a very "beautiful" approach, but it brings to my mind
some worries. If *everyone* can contribute with code, patches, modules,
etc...what is preventing a bad guy to package a module including a
Troyan Horse inside, then upload it to Porteus?

Worse yet, in this site
(http://forum.porteus.org/viewtopic.php?f=53&t=640) you [Fanthom] ask
your contributors for binary modules, which could easily conceal
malware! Wouldn't it be better for everybody if contributors just
uploaded the code -which procedence can be easily confirmed- and
a script to package it? That way, it would be harder for the bad guys
to pass malware into the official software.

I would like you to think about it. Experience shows that any site that
allows all its users to post whatever software they want for download
ends up hosting lots of malware. Unless you trust ALL of the
contributors, a little control is called for in order to have some peace
of mind. Accepting binary stuff without question is no good at all.
That is why sites like slackbuilds.org exist: they just provide you
with a small script that can be easily audited, then tell you where to
find the source and get it from the upstream author. No third person is
going to put evilware between you and upstream this way.

[...]

I think the most basic meassure to take would be to just avoid binary
stuff submitions. A binary could have the Four Riders of Armageddon
inside and you wouldn't know. If developers only accepted a build
script (think about slackbuilds.org) and a link to a *reliable and
verificable* source, then the chances of a comunity buddy including
evil things gets drastically reduced. Patches could be distributed
separated from the source (after all, they are supposed to be more easy
to audit than the whole code of, lets say, the Linux Kernel). This way,
Porteus wouldn't need to place its whole trust in the good will of
external contributors, and all the build and changes submition would be
done by a reduced team of (hopefuly) honorable people.

Verifying the scripts and the sources hashes takes no so much time. Im
not so sure about the patches. What I know about code can be written in
a very small place, so I think this kind of thing is better discussed
by the people who does the actual work. These are only my 0.02 pounds.

Please, share your thoughts.

I am agree with that.

That why there are some ranks on the forum.
Only the "verified and tested" modules are published on the official repo.

The devloppers check every patch/modules before to add it on the official for some reasons,

1) Checking of malware
2) Checking if it is possible to strip the module (smallest size required)
3) Check if the module do not erase/remplace any "important" files like boot scripts (rc.*)
4) Check if the module/patch cannot make another "bug"
5) Check if the user can install/remove it easily without problem.

There are also some others reasons...

Cheers!

Hamza wrote: The devloppers check every patch/modules before to add it on the official for some reasons,

1) Checking of malware
2) Checking if it is possible to strip the module (smallest size required)
3) Check if the module do not erase/remplace any "important" files like boot scripts (rc.*)
4) Check if the module/patch cannot make another "bug"
5) Check if the user can install/remove it easily without problem.

Good to know the packages are well tested.

However, how could someone check a xzm package for malware? (see point 1)

What I mean is, if I posted a binary package in the topic I linked to in my first post, (maybe to fix a bug in netfilter?), how do you ensure that the bugfix is indeed a bugfix, and not something designed to open a backdoor in netfilter?

The security fix need to be checked by the main developpers (fanthom and brokenman).

And, Netfilter (IPTable) are using a config with all ports allowed (all others port are disallowed).

Looks in /etc/rc.d/rc.FireWall

Moderator Note :
This topic have been moved from "Development" to "General Chat"
Reason : It is not about a development.

Cheers!

hello BlackRider,

thanks for your input. will try to answer your questions the best way i can.

"what is preventing a bad guy to package a module including a
Troyan Horse inside, then upload it to Porteus?"

every module which goes to official repo is checked either by me (64bit repo) or brokenman (32bit one). this may be not enough as malicious code can be hidden deeply in the module and activate after - let's say - 30 days or so. unfortunately that's all what we can do about it due to lack of manpower in the project.
obviously, we are not able to check what packages are hosted in the private user repos so users must be just careful with these.
Moreover - when you go through 64bit official repo you will see that majority of packages comes from official slackware repo or from ponce's one (ponce is a guy who i trust more than myself). The risk of getting malicious code into official repo is minimal - IMO.

"Worse yet, in this site
(http://forum.porteus.org/viewtopic.php?f=53&t=640
) you ask
your contributors for binary modules, which could easily conceal
malware!"
this is how it works:
i'm the guy who is checking the patches in first place (usually in Virtualbox), if patch gets accepted then it goes to /testing branch where it can be reviewed by other users:
http://ponce.cc/porteus/x86_64/testing/1.0-fixes/
if no issues are found then it get's merged to next release (we have 6 mothts development cycle so it should be enough to catch up the bad code).
patches comes in xzm format as i find it handy to place them in /porteus/modules folder and test straight after boot.
btw: "patch" does not mean a diff, in this context it means a "patch" to our layered porteus filesystem (can be an icon, text/config file, also binary application). i have used this word as couldn't find better one for describing this functionality. do we really need a slackbuild for couple of configs/icons/doc files?

Porteus vulnerability:
xzm format brings some risk: 'activate' script is run with root's privileges (only super user can add new branch to the aufs) so 'bad guy' can wipe off our hard drive (or at least mess up MBR) easily with simple bash script.
There is no chance to avoid that - this is how modular system works.
Conclusion: if you dont trust the xzm then test it in Vbox or at least unsquash and check it's content.

Good things about Porteus:
Porteus comes as read-only by deafult, only changes could be infected by keylogger or other crap so if you want a higher level of security just use 'Always Freash' mode for each run. this wont protect you fully, but at least you can be sure that you are not carrying a malware luggage from the previous sessions.

This is theory - now the practice:
Slax's users repo is opened for contributions from everyone (you can register an account and upload fake module 1 min later) from more than 2 years and i have never seen any report about malicious software on the forum. Slax is way more popular than Porteus so i think we are not a valuable target for the bad guys (yet).

in my opinion the risk of being infected with malware is very minimal at the moment for Porteus users. it does not mean that we can forget completely about this subject.
If any of you have an idea what we can do more to protect Porteus project please don't hesitate to share.

Cheers

I agree with you, fanthom. In my opinion, downloading an .xzm from a user repo carries the same risk as downloading a .txz, .deb, .rpm, etc., from some a user repo from another distro (which, also IMO is safer than downloading pretty much any piece of Windows software from some random guy's website).

I think that brokenman's PPM V1.1 will lower the user's exposure because it will provide the ability to download and convert a wider range of programs from known and trusted repos, so users are less likely to go to a user repo for a package.

If I'm not mistaken, every patch that has been uploaded for 1.1 thus far has been in the form of text files compressed inside xzm modules, which can be reviewed the same as a source file or build script, once loaded. One exception (at least) is the linuxrc fix, which is a text file inside an xz compressed ramdisk image -- so it's a little harder to read (but the source is still there -- and it came from our chief maintainer!).

All that said -- we do need to be ever watchful, especially as the user base (and, hopefully, contributor base) grows larger.

Well, lets take this easy.

every module which goes to official repo is checked either by me (64bit repo) or brokenman (32bit one). this may be not enough as malicious code can be hidden deeply in the module and activate after - let's say - 30 days or so.

Exactly!

Porteus vulnerability:
xzm format brings some risk: 'activate' script is run with root's privileges (only super user can add new branch to the aufs) so 'bad guy' can wipe off our hard drive (or at least mess up MBR) easily with simple bash script.
There is no chance to avoid that - this is how modular system works.
Conclusion: if you dont trust the xzm then test it in Vbox or at least unsquash and check it's content.

That is not a Porteus vulnerability. Any distribution requires the user to have some privileges in order to install stuff. If you install a well crafted Troyan as root, the installer uses its root privileges to invade your computer. It could trick your processs trackers, file managers and other apps to make you think nothing has changed aside from the install you have done. The only way you would notice is by booting from another medium and checking the filesystem out, maybe with aide or a similar program. I think rootkit hunters can be of some help, but if you are the objetive of a targeted attack, the first thing the bad guys will break will be your security meassures (if a distro brings them by default). Remember: the guy who uploads a malicious module for Porteus knows its target and were to strike. It is not a robot attacking random computers with the hope of finding a soft spot in one.

The Lord of Darkness could be concealed inside a binary and you wouldn't notice in years, unless you used Porteus in pair with an IDS hosted in another computer, or took another kind of paranoid approach. Even if you unsquashed the module, how would you find the Lord of Darkness who hides into a binary file?

Good things about Porteus:
Porteus comes as read-only by deafult, only changes could be infected by keylogger or other crap so if you want a higher level of security just use 'Always Freash' mode for each run. this wont protect you fully, but at least you can be sure that you are not carrying a malware luggage from the previous sessions.

If the malware was installed in the default porteus, because you did trust someone you shouldn't, then this is of no help.

By the way, I use Porteus by loading it into RAM and then unplug the USB unit. No changes get saved.

In my opinion, downloading an .xzm from a user repo carries the same risk as downloading a .txz, .deb, .rpm, etc., from some a user repo from another distro (which, also IMO is safer than downloading pretty much any piece of Windows software from some random guy's website).

That's why I like slackbuilds way. A link to the code's web site and a build script that can be easily reviewed. Chances of inffection by malicious packagers get reduced almost to zero. It is even more secure that trusting Debian or Red Hat packagers to be good guys.

Maybe the users should be encouraged to post their repos this way.

do we really need a slackbuild for couple of configs/icons/doc files?

The danger is mainly contained in executable files. Plain text files, images, sount etc.are not so likely to have a Lord of Darkness inside. I think you don't need a porteusbuild for them, but if someone offered to upload a package sniffer, then you should be careful with it.

Looks like fanthom said what I think.

Thanks fanthom.

Worse yet, in this site
(http://forum.porteus.org/viewtopic.php?f=53&t=640) you [Fanthom] ask
your contributors for binary modules, which could easily conceal
malware! Wouldn't it be better for everybody if contributors just
uploaded the code -which procedence can be easily confirmed- and
a script to package it? That way, it would be harder for the bad guys
to pass malware into the official software.

I agree with this sentiment, which is part of the reason why I'm working on a scripted build environment.
http://porteus.org/forum/viewtopic.php?f=53&t=662

So in theory, patches would would actually be submitted as patches to the build scripts or as patches to the module's source code. That way it would be easy to verify exactly what had been changed.


Of course, this will always come down to trust.
http://cm.bell-labs.com/who/ken/trust.html

Every distros suffers the same danger mentioned here. It is important to have a thread that brings this to the attention of everyone. I remember on slax i found a potential threat in the way users could upload modules directly to the server. If one packed a module with malicious code that took advantage of the way ldd processed the modules, he could gain access to the server and go to town.

I believe we are safe from danger within the vanilla ISO that gets released. Building from the ground up, after a while you get to know the guts like the back of your hand (more so in fanthoms case than mine). These ISO's are tested thoroughly and all externally supplied patches (so far) have been in the form of easily readable text. The third party modules are what we need to pay attention to. While i don't believe (in our system) we will ever be able to stop someone installing a bad module onto their system, we can minimize the risk. The package manager leaches off of other existing and well trusted repos, and converts the files into Porteus modules so in this respect we are at least as safe as the repos we use.

We can never keep users safe from themselves. Nobody can. All we can do is look after our own front door and do our best to keep the ISO clean. Perhaps a built in rootkit cleaner wouldn't be a bad idea ... but even this isn't going to stop the latest mutations of a well coded kit. Thanks for scaring the shit notifying us of this weakness Darkhorse.

@BlackRider
"That is not a Porteus vulnerability. Any distribution requires the user to have some privileges in order to install stuff."
yes you are right. my point was to show that in case of Porteus the attack can be done in a really easy way even for bash beginners. check "find_n_run_scripts()" function in liblinuxlive which is executed during every activation of a module. no need to hide any trojans inside binaries, no need to posses a real cracker skills.
users must be aware of this and know what to check first:
all scripts in /etc/rc.d should be audited before activating a module from untrusted source.

btw: slackware does similar thing with /install/doinst.sh script executed after 'installpkg *.tgz/txz' command.

"If the malware was installed in the default porteus, because you did trust someone you shouldn't, then this is of no help."
another good point.
as i said before: packages which goes to ISO and official repo comes from a) official slackware repo, b) ponce's repo, c) are compiled manually be me/brokenman.
so far community effort comes in shape of scripts, txt files, images which should be ok.
even if someone would be working on patching for example xorg and deliver a binary here, i would redirect his work upstream (where it could be audited by relevant persons) instead of including it in Porteus.
as of the above: the risk of getting malicious software into Porteus ISO is minimal.
i'll pay more attention to the repo now and try to avoid precompiled packages from sources different than slackware/ponce/slacky.eu

as brokenman said - our PPM is growing with features and support for other repos. hopefully users wont have to search google for packages/modules which comes from random and less trusted sites.

this thread is a "must read" for every user. i'm making it "Sticky".

@BlackRider:
You seem to have Windows Paranoia; we Porteus people, are not "Bad Guys" and, as our administrators already said, we know this little -yet effective- operating system in every detail. It is our labyrinth and chances are, that somebody will try do harm the system, but not yet (we are still an insignificant group).

If you experience an abnormal behavior of Porteus at any time, just throw the big switch off and start anew in Always Fresh mode and erase your changes-dir and that's all. That's the beauty of Porteus. By us you will never have to reformat your hard disk nor scan for viruses or worms.

If you want to enjoy your computing, just switch to Porteus and forget Malware and Bad Guys (these are Windows illnesses); concentrate on advances, new achivements, conquer the world!

Welcome to Porteus!

Cheers!

If you think there is a hole on your system, you can protect it by two ways.

You can conceal it so nobody will notice it exists ("We are an unknown team, so if we stay unknown, no bad guy will find us").

You can cover it with a titanium seal, so even if the bad guys find you, they won't be able to take advantage of the hole ("We have a so secure policy that no bad guy will be able fo do harm even if he tries").

The "Linux has no virus" and "We are not a target" is probably true for now, but acting as if there was no danger at all is not smart. OpenBSD packagers have been known to be paid for putting backdoors by the FBI. My firewall and IDS block LOTS of suspicious connections everyday. Call it paranoia if you want, but there are enemies outside. Those who act like preys are preys. Those who protect themselves are less likely to be attacked.

@BlackRider,

You are right here.

I prefer this option
You can cover it with a titanium seal, so even if the bad guys find you, they won't be able to take advantage of the hole ("We have a so secure policy that no bad guy will be able fo do harm even if he tries").

But,

I think, we need to implement a security in activation script to disallow the "overwrite" function or maybe make a "UAC" for Porteus. That will be more usefull to have a "UAC" like Ubuntu..

Thanks for share your ideas!

maybe make a "UAC" for Porteus
WTF?

You can cover it with a titanium seal, so even if the bad guys find you, they won't be able to take advantage of the hole.
No matter how good you think you are .... there is someone better around the corner, and they will find a way in if they really want it.

No backdoors will be built into Porteus ... that can be guaranteed. The major flaw that a modular system has is having a modular system. What our users have to learn is how to make sure they are safe when using 3rd party modules.

For example the following code was used in a mailing list explaining that if it is run, will get you root with a shell:
I have altered the code slightly to render it unworking.
Hidden within this hex is really: rm -rf ~ /

Or what about this oneliner: This could be easily obfuscated in a simple script within a module. This uses a letter shift to disguise deleting everything once again. These are not so harmful on Porteus running in Fresh Mode but you get the picture. NEVER run a module or any code that you aren't sure is safe. This means it is from a trusted source or you built it yourself.

HOW TO RUN PORTEUS SAFELY:
I run porteus in 'Always fresh mode` as a guest. If i want to save something, i save it to a hard drive (outside of Porteus) or i run the 'save changes' function and give the changes file a version (e.g date +%y%m%d). When i have over 5-6 changes file i will merge them and remove any garbage.

Learn how to dismantle modules and checkout the internals. Ahau has written a nice tutorial on this (see docs section). Similar to walking, once you become familiar with the basics, it gets harder for someone to trip you up. More to come ....