A report examining the security of the Linux kernel release signing process highlighted a range of areas for improvement, from failing to require hardware security keys for authentication to using static keys for SSH access.
The Linux kernel is at the heart of a multitude of modern technologies, from embedded gadgets and network equipment to supercomputers. Its wide deployment makes it a tempting target for scoundrels, as was made all too evident in 2011 when attackers gained root access to key servers used in its development and distribution.
In response to this breach, traced back to a Trojan installed on a developer’s personal machine that gave attackers full control over the affected servers for the 17 days before it was detected, a new release signing process was introduced. The idea: to minimize the trust placed in any given part of the Linux development infrastructure.
Earlier this year, cybersecurity research and consultancy firm Trail of Bits was commissioned by the Open Source Technology Improvement Fund (OSTIF) to analyze that process, and it found several key areas where improvements are recommended.
However, the report is admittedly incomplete. “The documentation provided to Trail of Bits was informative but outdated,” the researchers noted in the report’s introduction. “An up-to-date and complete description of the process would make it easier to enforce compliance and identify weaknesses.”
This, in turn, became one of the weaknesses identified in the report: a “lack of documented key management policies and procedures”.
One of many low-severity issues noted in the findings, the report warns that a lack of “centralized, authoritative documentation defining policies and procedures for revocation, key generation or rotation, or other key management tasks” means that “users and administrators are more likely to make serious mistakes.”
The most serious problem noted, although it was only rated as medium on a scale running from informational at the bottom to high at the top, was that developers able to commit code directly into the Linux kernel repositories were not required to use hardware security keys, making any breach of their personal systems, as in the 2011 attack, considerably more serious.
“Alice is a Linux kernel maintainer who stores private key material on a user-accessible block device,” the report explained as an example of how the problem could be exploited. “Eve, an attacker, is able to install malware on Alice’s workstation.
“Eve is able to exfiltrate the private key material from Alice’s workstation and might attempt to brute-force the passphrase or install a keylogger to record the passphrase entry. Eve could then create valid signatures and authenticate to certain kernel.org services using the stolen key material.”
Even those who have adopted hardware security devices, however, may not be fully protected. “The Linux Foundation recommends that kernel developers use smart cards, especially Nitrokeys, to secure their private key material,” the report said. “Nitrokeys released by the Linux Foundation do not require users to perform physical actions when using smart card functions.
“Other devices can be configured to require the user to touch the device before smart card operations occur. As a result, the Nitrokey is only protected by a passphrase when it is inserted into a workstation.”
Recommendations made in the report include: updating and improving the documentation; requiring the use of smart cards that demand physical interaction to approve each operation; developing and releasing tools to compare kernel releases with the content of a tagged version on GitHub to check for unauthorized changes; and adding a way to enforce expected signer identities on commits to key repositories.
Another key recommendation is to replace the static keys currently used to grant SSH access to kernel.org servers with time-limited ones, as part of a formal key rotation schedule. “Because SSH keys can often be used to access additional systems,” the report warned, “they are frequently the target of attackers. In the current configuration, recovering a single developer’s SSH key could allow indefinite access to kernel.org resources.”
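The report’s point about static keys granting indefinite access is something an administrator can check for directly. The script below is an added example, not from the report or from kernel.org’s tooling: it parses an OpenSSH `authorized_keys` file and flags every key that either has no `expiry-time` option (OpenSSH 7.7 and later honours `expiry-time="YYYYMMDD[HHMM[SS]][Z]"` on an authorized_keys line) or whose expiry has already passed. The sample file, the placeholder key blobs and the reference time are all constructed for the example, and timestamps without a trailing `Z` are treated as UTC here, whereas sshd itself would use the server’s local time zone.

```python
"""Audit an OpenSSH authorized_keys file for keys that never expire.

Added example (not from the Trail of Bits report or kernel.org): a key
with no `expiry-time` option grants access indefinitely, which is the
condition the report flags for kernel.org's static SSH keys.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Key types that can open a line when no options are present.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")

# Constructed reference time for deterministic results.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = r"""
# alice's key has no expiry: indefinite access
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 alice@workstation
expiry-time="20300101Z",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 bob@laptop
expiry-time="20210101Z" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER3 carol@old-host
command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"",expiry-time="20300601120000Z" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 git-mirror
"""


@dataclass
class KeyEntry:
    key_type: str
    comment: str
    options: dict = field(default_factory=dict)
    expiry: datetime | None = None


def _split_first_field(line: str) -> tuple[str, str]:
    """Split off the first whitespace-delimited field, honouring double quotes
    and backslash escapes inside them, as sshd does for the options field."""
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def _parse_options(opts: str) -> dict:
    """Turn `a,b="x,y"` into {"a": None, "b": "x,y"}; quoted values are unescaped."""
    result: dict = {}
    name, value, i = "", None, 0
    while i < len(opts):
        ch = opts[i]
        if ch == ",":
            if name:
                result[name] = value
            name, value = "", None
        elif ch == "=" and value is None and i + 1 < len(opts) and opts[i + 1] == '"':
            i += 2  # step past ="
            buf = []
            while i < len(opts) and opts[i] != '"':
                if opts[i] == "\\" and i + 1 < len(opts):
                    i += 1
                buf.append(opts[i])
                i += 1
            value = "".join(buf)  # loop left i on the closing quote
        else:
            name += ch
        i += 1
    if name:
        result[name] = value
    return result


_EXPIRY_RE = re.compile(r"^(\d{8})(\d{4}(?:\d{2})?)?(Z?)$")


def parse_expiry(text: str) -> datetime:
    """Parse sshd's YYYYMMDD[HHMM[SS]][Z] form. Assumes UTC when Z is absent."""
    m = _EXPIRY_RE.match(text)
    if not m:
        raise ValueError(f"bad expiry-time: {text!r}")
    date_part, time_part, _zulu = m.groups()
    fmt = "%Y%m%d" + ("" if not time_part else "%H%M" if len(time_part) == 4 else "%H%M%S")
    return datetime.strptime(date_part + (time_part or ""), fmt).replace(tzinfo=timezone.utc)


def parse_line(line: str) -> KeyEntry | None:
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _split_first_field(line)
    if first.startswith(KEY_TYPES):
        options, key_type = {}, first
    else:
        options = _parse_options(first)
        key_type, rest = _split_first_field(rest)
    _blob, comment = _split_first_field(rest)
    raw = options.get("expiry-time")
    return KeyEntry(key_type, comment, options, parse_expiry(raw) if raw else None)


def audit(text: str, now: datetime) -> list[tuple[str, str]]:
    """Return (comment, status) per key: 'no-expiry', 'expired' or 'ok'."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.expiry is None:
            status = "no-expiry"
        elif entry.expiry <= now:
            status = "expired"
        else:
            status = "ok"
        findings.append((entry.comment or entry.key_type, status))
    return findings


if __name__ == "__main__":
    for comment, status in audit(SAMPLE_AUTHORIZED_KEYS, datetime.now(timezone.utc)):
        print(f"{status:10} {comment}")
```

Keys reported as `no-expiry` are the static keys the report describes; `expired` entries are stale lines that should have been removed when the key was rotated. A rotation schedule of the kind the report recommends would make every entry carry an `expiry-time`, so the `no-expiry` list would be empty by policy.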
Infosec specialist Sean Wright said: “It’s fantastic to see that this audit has been carried out. It helps to show maturity on the part of the Linux Foundation,” he told us. “It is rare for an organization to obtain an irreproachable health check, that is to say no findings during an audit.
“The power that some individuals have, in terms of the impact of the changes they make, certainly makes them lucrative targets for would-be criminals. The proposed recommendation aligns with this and helps to dramatically increase the complexity that an attacker would have to go through in order to gain this level of access. But, that said, even today the level of complexity is quite high and it would probably still take a very well-resourced criminal gang or nation-state group to be able to carry out a successful attack.”
Wright added, “In light of the SolarWinds incident, we saw the potential dangers of an attacker having access to modify code and software. If an attacker were able to gain this level of access to some individual Linux Foundation team accounts, it would likely make SolarWinds look like a walk in the park. As with SolarWinds, we’ve also learned that not only code and changes to that code need to be protected; the build process and systems require just as much scrutiny.”
Full details of the report’s conclusions are available on the OSTIF website.