Hello,
the ABRT team got a request to replace uploading of core dumps to the retrace server by providing a fuse-like share with debuginfos [1].
It would be really nice if the security experts could comment on this.
Thank you for considering my request.
Kind regards, Jakub Filak
On Wed, 2014-08-13 at 08:27 -0400, Jakub Filak wrote:
Hello,
the ABRT team got a request to replace uploading of core dumps to the retrace server by providing a fuse-like share with debuginfos [1]. It would be really nice if the security experts could comment on this.
I believe that this is primarily a legal compliance and privacy issue rather than simply a security issue (and that applies to the core dump sending as well). The concern there is: has the user ever agreed to provide that information? Can a user explicitly remove the information that concerns him? (I believe both are requirements under EU directives.)
As for an opinion on the security of this scheme, I don't believe that you provided any details of its design. The minimum requirements should be that information is communicated securely over the wire, so that only the Fedora project can access the data, and that the data must be stored in a way that it cannot be used by a third party who stole it (e.g. take it offline as soon as possible, or encrypt it with an HSM that cannot decrypt, or with gpg and a public key, i.e. decryption can only be done offline). As I see it, unless we have a good reason to keep that information, it is mostly a burden to have it (consider the PR disaster if it gets stolen).
regards, Nikos
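The storage requirement Nikos describes above (encrypt to a public key so that decryption is only possible offline), written out as an added example; this is not ABRT or retrace-server code. It assumes hybrid encryption with RSA-OAEP wrapping a fresh AES-256-GCM data key, a hypothetical OAEP label string, and a constructed byte string standing in for a core dump. The private key is generated on the analyst side and never exists on the server, which only ever holds the public half.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// label is a hypothetical purpose string; OAEP refuses to unwrap under any other label.
var label = []byte("abrt-coredump-v1")

// Sealed is all the retrace server keeps on disk: the core dump under a fresh
// AES-256-GCM key, plus that key wrapped to the offline RSA public key.
type Sealed struct {
	WrappedKey []byte // RSA-OAEP(dataKey); opens only with the private key
	Nonce      []byte // GCM nonce, used once per data key
	Ciphertext []byte // AES-256-GCM(coredump), integrity-protected
}

// gcmFor builds the AEAD for a 32-byte data key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs wherever the dump is received, holding the public key only.
func Seal(pub *rsa.PublicKey, coredump []byte) (*Sealed, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, label)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, coredump, nil)}, nil
}

// Open is the offline step on the analyst machine that holds the private key.
// A modified or truncated blob fails GCM authentication and yields nothing.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// RoundTrip seals a constructed core dump, checks that a flipped ciphertext
// byte is rejected, and reports whether the offline Open recovers the input.
func RoundTrip() (recovered, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // analyst key; only the public half leaves this side
	if err != nil {
		return false, false, err
	}
	// Constructed stand-in for a core dump; real dumps can carry secrets like this.
	coredump := []byte("\x7fELF constructed core: AWS_SECRET_ACCESS_KEY=not-a-real-key")
	s, err := Seal(&priv.PublicKey, coredump)
	if err != nil {
		return false, false, err
	}
	tampered := *s
	tampered.Ciphertext = append([]byte(nil), s.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tErr := Open(priv, &tampered)
	plain, err := Open(priv, s)
	if err != nil {
		return false, tErr != nil, err
	}
	return bytes.Equal(plain, coredump), tErr != nil, nil
}

func main() {
	rec, tam, err := RoundTrip()
	fmt.Println("recovered offline:", rec, "tamper rejected:", tam, "err:", err)
}
```

The same property can be had with the gpg-and-public-key approach Nikos mentions; the point the code makes explicit is that nothing on the server, including a full copy of its disk, is sufficient to read a stored dump, and that the blob is authenticated so an altered copy is refused rather than analysed.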
----- Original Message -----
the ABRT team got a request to replace uploading of core dumps to the retrace server by providing a fuse-like share with debuginfos [1].
It would be really nice if the security experts could comment on this.
Not uploading users’ data we don’t need and never use would be a nice security improvement.
The flip side is that the “fuse-like share client” is an attack vector, so the way these files are distributed should be protected (signed, verified etc.) just as packages in the repositories are.
(Non-security questions:
1) What does this do to the latency of the core dump generation (i.e. is it more data to upload the coredump, or download the debuginfo?), and the likelihood we will collect backtraces?
2) If we are talking about an integrity-verified method of delivering data to the users’ machine, why not just download and install debuginfos from the existing repos? This might require changing their packaging, perhaps to split ELF debug info and sources, but that’s very likely not as much work as writing a different—essentially—packaging mechanism from scratch.
3) Do you actually need all the complexity of fuse, or just a layer of indirection within gdb?)
Mirek
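Mirek's point that the share's files must be signed and verified the way repository packages are, as an added example; this is not ABRT's code nor that of any fuse share. It assumes a manifest of "hex SHA-256 digest, path" lines signed with ed25519 under a public key pinned on the client, and an in-memory map standing in for whatever the share would fetch over the network; the key pair, path and file contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest maps a path as the share exposes it to the SHA-256 of its content. It
// travels as "hex-digest<space>path" lines plus a detached ed25519 signature over
// exactly those bytes, checked against a public key pinned on the client.
type Manifest map[string][32]byte

var ErrBadSignature = errors.New("manifest signature does not verify")
var ErrNotListed = errors.New("path is not in the signed manifest")
var ErrHashMismatch = errors.New("file content does not match its signed digest")

// ParseManifest reads the line format; call it only on text that already verified.
func ParseManifest(text []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(string(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank line
		}
		sum, err := hex.DecodeString(fields[0])
		if len(fields) != 2 || err != nil || len(sum) != sha256.Size {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		var d [32]byte
		copy(d[:], sum)
		m[fields[1]] = d
	}
	return m, nil
}

// Share is the client side: a file reaches gdb only after the manifest verified.
type Share struct {
	manifest Manifest
	files    map[string][]byte // stands in for whatever the fuse share fetches
}

// OpenShare serves nothing unless the manifest is signed by the pinned key.
func OpenShare(pinned ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) (*Share, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return nil, ErrBadSignature
	}
	m, err := ParseManifest(manifest)
	if err != nil {
		return nil, err
	}
	return &Share{manifest: m, files: files}, nil
}

// Read fails closed when the server (or a MITM) swaps in content that does not hash to the signed digest.
func (s *Share) Read(path string) ([]byte, error) {
	want, ok := s.manifest[path]
	if !ok {
		return nil, ErrNotListed
	}
	data := s.files[path] // nil if the share cannot fetch it, which fails the check below
	if sha256.Sum256(data) != want {
		return nil, ErrHashMismatch
	}
	return data, nil
}

// Demo builds a constructed share and reports: genuine file reads, swapped file rejected, re-listed manifest refused.
func Demo() (goodRead, swapRejected, manifestRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the distro signing key
	if err != nil {
		return false, false, false, err
	}
	const path = "usr/lib/debug/.build-id/ab/cdef0123.debug" // constructed path
	good := []byte("constructed debuginfo bytes")
	evil := []byte("constructed replacement planted on the server")
	manifest := []byte(fmt.Sprintf("%x %s\n", sha256.Sum256(good), path))
	sig := ed25519.Sign(priv, manifest)
	files := map[string][]byte{path: good}
	share, err := OpenShare(pub, manifest, sig, files)
	if err != nil {
		return false, false, false, err
	}
	data, err := share.Read(path)
	goodRead = err == nil && string(data) == string(good)
	files[path] = evil // server-side swap after the manifest was signed
	_, err = share.Read(path)
	swapRejected = errors.Is(err, ErrHashMismatch)
	forged := []byte(fmt.Sprintf("%x %s\n", sha256.Sum256(evil), path)) // attacker re-lists evil, cannot re-sign
	_, err = OpenShare(pub, forged, sig, files)
	manifestRejected = errors.Is(err, ErrBadSignature)
	return goodRead, swapRejected, manifestRejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

Whether the files arrive through a fuse mount, a download, or the existing debuginfo repos as Mirek's second question suggests, the check is the same: trust is anchored in the pinned signing key and every byte handed to gdb must match what that key signed.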
security@lists.fedoraproject.org