[Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

Matthias Beyer mail at beyermatthias.de
Thu Mar 10 14:23:52 CET 2016


On 10-03-2016 07:43:00, Kevin Cox wrote:
> On Mar 10, 2016 5:28 AM, "Eelco Dolstra" <eelco.dolstra at logicblox.com>
> wrote:
> >
> >
> > In the future Nix will probably store binary cache signatures in its
> database,
> > and provide a command to check local paths against binary caches.
> >
> 
> The problem with this is that if you are running a local command to
> validate signatures you need to trust the local command which you can't.

That's what I see as well.

> 
> I'm not saying that it is useful to provide these tools but if you are
> paranoid enough the only safe thing to do once you suspect someone has
> compromised your box is to burn it. Another alternative which runs the risk
> of not checking that firmware hasn't been modified is mounting the disk in
> a trusted system and running the check from there.
> 

That's what came to my mind as well.

The reason for my question is: I just started my bachelor's thesis and I'm
working on agent-based security audits for cloud environments. I just started
with reading the material out there, but as far as I can see by now, the audit
is done by "agents" which are "moved" to a virtual machine. All the dependencies
for the agent must be installed, but in the proposed environment, the packages
the agent uses are the same as the software running on the VM uses.

The idea is to separate the agent-dependencies from the service-dependencies,
and to give the agent the possibility to verify the dependencies it uses. With
nix as package manager for the agent-dependencies, I would be able to have
reproducibility (if the agent detects an incident, the admin may freeze the VM
and is now able to use the very same toolset the agent has used, to audit the VM
by hand and detect security vulnerabilities etc.) and maybe even the possibility
to check whether the dependencies themselves were compromised, to be more secure.

From what I can see, you cannot say "machine X was not compromised" if your
check runs from machine X itself.

This is a theoretical work and not based on existing technology (at least what
I can see by now).

-- 
Mit freundlichen Grüßen,
Kind regards,
Matthias Beyer

Proudly sent with mutt.
Happily signed with gnupg.
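As an added example (not code from this thread, and not Nix's own implementation), the script below reimplements the NAR serialization that nix-store hashes when it verifies a path, so that a store path on a disk mounted read-only in a trusted system, as Kevin suggests, can be hashed without relying on the suspect machine's nix-store binary or its database. It assumes the NAR layout of Nix's archive.cc (magic string, 8-byte length-prefixed strings padded to 8 bytes, entries sorted by name); the sample tree it builds is constructed for the demonstration.

```python
import hashlib
import os
import struct
import tempfile

NAR_MAGIC = b"nix-archive-1"

def nar_str(b: bytes) -> bytes:
    """NAR string: 8-byte little-endian length, payload, zero-padded to a multiple of 8."""
    return struct.pack("<Q", len(b)) + b + b"\0" * (-len(b) % 8)

def nar_dump(path: str) -> bytes:
    """Serialize one node (symlink, directory or regular file) as Nix's archive.cc does."""
    out = nar_str(b"(") + nar_str(b"type")
    if os.path.islink(path):  # test before isdir(), which follows symlinks
        out += nar_str(b"symlink") + nar_str(b"target") + nar_str(os.fsencode(os.readlink(path)))
    elif os.path.isdir(path):
        out += nar_str(b"directory")
        for name in sorted(os.listdir(path), key=os.fsencode):  # byte order, like Nix
            out += nar_str(b"entry") + nar_str(b"(") + nar_str(b"name") + nar_str(os.fsencode(name))
            out += nar_str(b"node") + nar_dump(os.path.join(path, name)) + nar_str(b")")
    else:
        out += nar_str(b"regular")
        if os.stat(path).st_mode & 0o100:  # Nix records only the owner-execute bit
            out += nar_str(b"executable") + nar_str(b"")
        with open(path, "rb") as f:
            out += nar_str(b"contents") + nar_str(f.read())
    return out + nar_str(b")")

def nar_serialize(path: str) -> bytes:
    return nar_str(NAR_MAGIC) + nar_dump(path)

def nar_sha256(path: str) -> str:
    """Hex SHA-256 of the NAR: the content hash nix-store --verify compares with its database."""
    return hashlib.sha256(nar_serialize(path)).hexdigest()

def verify_store_path(path: str, expected_hex: str) -> bool:
    return nar_sha256(path) == expected_hex.lower()  # expected value comes from a trusted source

def build_sample_tree(tampered: bool = False) -> str:
    """Constructed stand-in for a store path: executable, data file and symlink in a temp dir."""
    root = tempfile.mkdtemp(prefix="nar-demo-")
    os.mkdir(os.path.join(root, "bin"))
    exe = os.path.join(root, "bin", "agent")
    with open(exe, "wb") as f:
        f.write(b"#!/bin/sh\necho audit\n" + (b"echo modified\n" if tampered else b""))
    os.chmod(exe, 0o755)
    with open(os.path.join(root, "README"), "wb") as f:
        f.write(b"hi")
    os.symlink("bin/agent", os.path.join(root, "run"))
    return root
```

The hex digest can be compared with the NarHash a binary cache publishes for the same path once both are in the same encoding (nix-hash --to-base32 converts hex to Nix's base32). Mounting the disk read-only on a separate, trusted host is what keeps the suspect machine's tools out of the comparison.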