[ubuntu-hardened] Chicken or egg: Ubuntu Startup Disk Creator

Alex Murray alex.murray at canonical.com
Sun Dec 9 23:25:34 UTC 2018


Hi Jason

On Sat, 2018-12-08 at 23:15:10 +1030, Jason Franklin wrote:

> Greetings,
>
> This is a thought I had today.  I'd like some help working 
> through it from some security mavens.
>
> Let's say I'm about to re-install Ubuntu on my ThinkPad.  I have 
> my ISO, and I validate it in the usual manner with the proper 
> GPG key and checksums.  I can be fairly confident that the ISO 
> is valid at this point.
>
> I then create the bootable USB drive with any of a number of 
> tools.  My question is: How can I know that this last step was 
> not subverted in some way?  Once the ISO is written to the USB, 
> does it need to be validated again?  What if the tools to write 
> the ISO were modified to write a modified ISO? I have no real 
> evidence that my system was compromised (no pop-up windows or 
> weird emails coming from my machine, performance problems, 
> etc.), but I suppose it could be.

This is a great question. Are you familiar with Ken Thompson's 
"Reflections on Trusting Trust" paper[1]? This is a seminal 
info-sec piece that basically makes a similar argument, but from 
the point of view of source code and compilers: basically, even if 
you have the source code and trust it, how do you know the 
compiler didn't do something nefarious? AND even if you have the 
source code for the compiler, you have to compile that with an 
existing compiler, so how can you know that that is even trusted 
and doesn't go and backdoor the compiler you are compiling?

So basically you can only completely trust what you wrote entirely 
yourself, including the compiler :)

However, things are not actually that bad; for compilers at 
least, David Wheeler demonstrated techniques[2] that can be used to 
gain trust in what you have compiled.

In the case of installing a new operating system, if, as you 
suggest, the existing installation is compromised AND you use that 
to prepare the installation media for your new install, it could 
then backdoor the new ISO on the way (plus it could even be 
altering the GPG key / checksum before you verify, to make it look 
valid when it is not, etc.).

If you are really paranoid, you could get around this by obtaining 
a LiveCD from some other means - then within that trusted LiveCD 
environment, downloading the Ubuntu ISO and creating your live USB 
from within that LiveCD environment.

But then you just need a way to get this more trusted LiveCD. One 
idea I can think of: if you are willing to trust Linux 
Magazine[3], you could use the DVD they distribute with each issue 
as a trusted basis (assuming Linux Magazine is not backdoored...), 
which I think you can still buy in stores, or you can even order 
it to be mailed to you.

Once upon a time Canonical used to sell live USBs of Ubuntu, but 
sadly that has been discontinued.

>
> If my account was compromised, I would assume that whatever 
> malware is running could monitor my keystrokes in my GNOME 
> session and observe me enter the "sudo" password probably 
> multiple times.
>
> Just some thoughts I had today.  How can I possibly have an 
> "ultimately trusted" install disk?

This is a hard problem if you are truly paranoid, however perhaps 
the above might be useful.


>
> Thanks in advance,
> Jason Franklin

Thanks for the great discussion topic :)

Cheers
Alex


[1] 
https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
[2] https://dwheeler.com/trusting-trust/wheelerd-trust.pdf 
[3] 
http://www.sparkhaus-shop.com/row/eh30218.html?SID=c8ir4l7cspuh74rch4pp4e61c1&utm_campaign=LMICurrent+Issue&utm_content=CurrentIssueBox&utm_medium=Link&utm_source=LMI

-- 
Alex Murray
https://launchpad.net/~alexmurray
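After the reply, as an added example that is not part of the thread: the concrete checks that Jason's steps amount to, written as a POSIX shell script. It assumes GNU coreutils (sha256sum, dd, head, wc) and gpg are installed and that the Ubuntu image signing key is already in the keyring; the names ubuntu.iso, SHA256SUMS, SHA256SUMS.gpg and /dev/sdX are placeholders. The caveat from the reply stands unchanged: every check here is only as trustworthy as the machine running it, so it belongs in the separately obtained LiveCD environment, not on the install you suspect.

```shell
#!/bin/sh
# Added example for the ubuntu-hardened thread; not code from the original
# posts. Assumes GNU coreutils and gpg, with the Ubuntu CD image signing key
# already imported. ubuntu.iso, SHA256SUMS*, /dev/sdX are placeholders.
#
# A compromised host can lie at every step below (swap the key, patch
# sha256sum, fake the read-back), so run this from a LiveCD you trust.

set -u

# 1. SHA256SUMS.gpg is a detached signature over SHA256SUMS. gpg exits
#    non-zero on a bad signature or an unknown key.
verify_signature() {
    sums=$1; sig=$2
    gpg --verify "$sig" "$sums"
}

# 2. The ISO's hash against the signed list. Only the line naming this ISO is
#    checked; the list also covers images that were not downloaded. Accepts
#    both "hash *name" (Ubuntu's binary-mode lines) and "hash  name".
verify_checksum() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    line=$(grep -E "^[0-9a-f]{64} [ *]?$name\$" "$sums") || return 1
    expected=$(printf '%s\n' "$line" | cut -d' ' -f1)
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# 3. Raw write of the verified file. conv=fsync makes dd flush the device
#    before it exits, so the read-back in step 4 is not racing the write.
write_iso() {
    iso=$1; dev=$2
    dd if="$iso" of="$dev" bs=4M conv=fsync
}

# 4. Read back exactly as many bytes as the ISO has (the device is larger and
#    its tail is whatever was there before) and compare hashes. Returns 0 when
#    the device holds the same bytes as the file verified in step 2.
#    On Linux this read may be served from the page cache that dd just
#    filled; to hash the media itself, unplug and replug the device first.
verify_written() {
    iso=$1; dev=$2
    size=$(wc -c < "$iso" | tr -d ' ')
    expected=$(sha256sum "$iso" | cut -d' ' -f1)
    actual=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Usage: sh verify-usb.sh ubuntu.iso SHA256SUMS SHA256SUMS.gpg /dev/sdX
# Runs all four steps and stops at the first one that fails.
if [ $# -eq 4 ]; then
    verify_signature "$2" "$3" \
        && verify_checksum "$1" "$2" \
        && write_iso "$1" "$4" \
        && verify_written "$1" "$4"
fi
```

Step 4 is the answer to "does it need to be validated again": hashing the first ISO-size bytes of the device is cheap and catches a writer tool that altered the image on the way, but it is still a check performed by the same machine that did the write, which is why the reply moves the whole procedure into a separately obtained LiveCD.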