[ubuntu-hardened] Chicken or egg: Ubuntu Startup Disk Creator
Alex Murray
alex.murray at canonical.com
Sun Dec 9 23:25:34 UTC 2018
Hi Jason
On Sat, 2018-12-08 at 23:15:10 +1030, Jason Franklin wrote:
> Greetings,
>
> This is a thought I had today. I'd like some help working
> through it from some security mavens.
>
> Let's say I'm about to re-install Ubuntu on my ThinkPad. I have
> my ISO, and I validate it in the usual manner with the proper
> GPG key and checksums. I can be fairly confident that the ISO
> is valid at this point.
>
> I then create the bootable USB drive with any of a number of
> tools. My question is: How can I know that this last step was
> not subverted in some way? Once the ISO is written to the USB,
> does it need to be validated again? What if the tools to write
> the ISO were modified to write a modified ISO? I have no real
> evidence that my system was compromised (no pop-up windows or
> weird emails coming from my machine, performance problems,
> etc.), but I suppose it could be.
This is a great question - are you familiar with Ken Thompson's
"Reflections on Trusting Trust" paper[1] - this is a seminal
info-sec piece that basically makes a similar argument but from
the point of view of source code and compilers - basically even if
you have the source code and trust it, how do you know the
compiler didn't do something nefarious - AND even if you have the
source code for the compiler, you have to compile that with an
existing compiler so how can you know that that is even trusted
and doesn't go and backdoor the compiler you are compiling?
So basically you can only completely trust what you wrote entirely
yourself, including the compiler :)
However, things are not actually that bad - for compilers at
least, David Wheeler demonstrated techniques[2] that can be used to
gain trust in what you have compiled.
In the case of installing a new operating system, if as you
suggest the existing installation is compromised AND you use that
to prepare the installation media for your new install, it could
then backdoor the new ISO on the way (plus it could even be
altering the GPG key / checksum before you verify to make it look
valid when it is not etc).
If you are really paranoid, you could get around this by obtaining
a LiveCD from some other means - then within that trusted LiveCD
environment, downloading the Ubuntu ISO and creating your live USB
from within that LiveCD environment.
But then you just need a way to get this more trusted LiveCD - one
idea I can think of is if you are willing to trust Linux
Magazine[3] you could use the DVD they distribute with each issue
as a trusted basis (assuming Linux Magazine is not backdoored...)
- which I think you can still buy in stores or you can even order
it to be mailed to you.
Once upon a time Canonical used to sell live USBs of Ubuntu but
sadly that has been discontinued.
>
> If my account was compromised, I would assume that whatever
> malware is running could monitor my keystrokes in my GNOME
> session and observe me enter the "sudo" password probably
> multiple times.
>
> Just some thoughts I had today. How can I possibly have an
> "ultimately trusted" install disk?
This is a hard problem if you are truly paranoid, however perhaps
the above might be useful.
>
> Thanks in advance,
> Jason Franklin
Thanks for the great discussion topic :)
Cheers
Alex
[1] https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
[2] https://dwheeler.com/trusting-trust/wheelerd-trust.pdf
[3] http://www.sparkhaus-shop.com/row/eh30218.html?SID=c8ir4l7cspuh74rch4pp4e61c1&utm_campaign=LMICurrent+Issue&utm_content=CurrentIssueBox&utm_medium=Link&utm_source=LMI
--
Alex Murray
https://launchpad.net/~alexmurray
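One concrete answer to Jason's question of whether the written USB needs validating again, added here as an example and not code from either poster: after the SHA256SUMS line for the ISO has been GPG-verified, hash the first ISO-sized chunk of the written device and compare it with that same checksum, so the write step is checked independently of the tool that performed it. The file and device names are hypothetical, and the demo uses constructed image files instead of a real block device.

```shell
#!/bin/sh
# Added example: verify that the bytes on the USB stick match the ISO whose
# SHA-256 was already checked against the GPG-signed SHA256SUMS file.
# Assumes sha256sum, head, wc and mktemp are available; paths are hypothetical.

# Print the SHA-256 of a file.
sha256_of_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Hash only the first N bytes of the device: the stick is larger than the
# ISO, so the unused tail must be ignored or the hashes can never match.
sha256_of_device_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 when the device prefix matches the expected checksum, 1 otherwise.
# $3 is the hash taken from the already-verified SHA256SUMS line.
verify_written_image() {
    iso="$1"; dev="$2"; expected="$3"
    [ "$(sha256_of_file "$iso")" = "$expected" ] || {
        echo "ISO does not match SHA256SUMS; stop here" >&2; return 1; }
    nbytes=$(wc -c < "$iso" | tr -d ' ')
    actual=$(sha256_of_device_prefix "$dev" "$nbytes")
    [ "$actual" = "$expected" ] && return 0
    echo "MISMATCH: device content differs from the verified ISO" >&2
    return 1
}

# Constructed demo: a fake ISO, an honest device image (ISO plus unused
# space) and a tampered image of the same length. Prints "0 1".
demo() {
    tmp=$(mktemp -d)
    printf 'constructed ubuntu iso payload\n' > "$tmp/ubuntu.iso"
    expected=$(sha256_of_file "$tmp/ubuntu.iso")
    { cat "$tmp/ubuntu.iso"; head -c 4096 /dev/zero; } > "$tmp/good.img"
    { printf 'constructed ubuntu iso paylo4d\n'; head -c 4096 /dev/zero; } \
        > "$tmp/bad.img"
    if verify_written_image "$tmp/ubuntu.iso" "$tmp/good.img" "$expected"
        then good=0; else good=1; fi
    if verify_written_image "$tmp/ubuntu.iso" "$tmp/bad.img" "$expected" 2>/dev/null
        then bad=0; else bad=1; fi
    rm -rf "$tmp"
    echo "$good $bad"
}
```

The prefix comparison only holds when the stick was written byte-for-byte (a dd-style raw write); a tool that unpacks the ISO onto a filesystem instead will not produce a matching prefix, so check how the writing tool works before relying on it. Running this from a separately obtained live environment, as Alex suggests, keeps the check out of reach of the installation you distrust.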