reproducible builds in debian and everywhere - doc… system /linux/debian/2015-07-06... ·...

132
Reproducible builds in Debian and everywhere Lunar [email protected] Libre Software Meeting 2015-06-07 Lunar (Debian) Reproducible builds LSM2015 1 / 126

Upload: vominh

Post on 17-Sep-2018

222 views

Category:

Documents


0 download

TRANSCRIPT

Reproducible builds in Debian andeverywhere

[email protected]

Libre Software Meeting2015-06-07

Lunar (Debian) Reproducible builds LSM2015 1 / 126

What?

Lunar (Debian) Reproducible builds LSM2015 2 / 126

What are reproducible builds?

“reproducible builds”enable anyone to reproduceidentical binary packages

from a given source

Lunar (Debian) Reproducible builds LSM2015 3 / 126

Trusting a build?

source binarybuild

free softwarefreedomto study

freedomto run

can be verified can be used

could I get a proof?

Lunar (Debian) Reproducible builds LSM2015 4 / 126

Trusting a build?

source binarybuild

free softwarefreedomto study

freedomto run

can be verified can be used

could I get a proof?

Lunar (Debian) Reproducible builds LSM2015 4 / 126

Trusting a build?

source binarybuild

free softwarefreedomto study

freedomto run

can be verified can be used

could I get a proof?

Lunar (Debian) Reproducible builds LSM2015 4 / 126

Trusting a build?

source binarybuild

free softwarefreedomto study

freedomto run

can be verified can be used

could I get a proof?

Lunar (Debian) Reproducible builds LSM2015 4 / 126

Why?

Lunar (Debian) Reproducible builds LSM2015 5 / 126

Why?

Reproducible builds allow for independent verificationsthat a binary matches what the source intended to produce.

… and other nice things.

Lunar (Debian) Reproducible builds LSM2015 6 / 126

But I’m the developer!

“I know what’s in the binary because I compiled it myself!”

“I’m an upstanding, careful, and responsible individual!”

“Why should I have to worry about hypothetical risks aboutthe contents of my binaries?”

Lunar (Debian) Reproducible builds LSM2015 7 / 126

No kiddingAt a CIA conference in 2012:

Source : The Intercept, 2015-03-10

Lunar (Debian) Reproducible builds LSM2015 8 / 126

Unpleasant thoughts

We think of software development as a fundamentallybenign activity.

I “I’m not that interesting.”

Users can be targeted through developersKnown successful attacks against infrastructure usedby Linux (2003), FreeBSD (2013)

Lunar (Debian) Reproducible builds LSM2015 9 / 126

Strong motivations

Compromise one computer to get:I Hundreds of millions of other computers?I Every bank account in the world?I Every Windows computer in the world?I Every Linux server in the world?

Compromise one computer is worth:I $100k USD? (Market price of remote 0day)I $100M USD? (Censorship budget of Iran per year)I $4B USD? (Bitcoin market cap)

Lunar (Debian) Reproducible builds LSM2015 10 / 126

How small can a backdoor be?

OpenSSH 3.0.2 (CVE-2002-0083) – exploitable securitybug (privilege escalation: user can get root)

{Channel *c;

- if (id < 0 || id > channels_alloc) {+ if (id < 0 || id >= channels_alloc) {

log("channel_lookup: %d: bad id", id);return;

}

Lunar (Debian) Reproducible builds LSM2015 11 / 126

Result of fixing the bug (asm)

cmpl $0x0,0x8(%ebp) cmpl $0x0,0x8(%ebp)js 16 js 16mov 0x4,%eax mov 0x4,%eaxcmp %eax,0x8(%ebp) cmp %eax,0x8(%ebp)jle 30 jl 30mov 0x8(%ebp),%eax mov 0x8(%ebp),%eaxmov %eax,0x4(%esp) mov %eax,0x4(%esp)movl $0x4c,(%esp) movl $0x4c,(%esp)call 25 call 25

Lunar (Debian) Reproducible builds LSM2015 12 / 126

Result of fixing the bug (asm)

cmpl $0x0,0x8(%ebp) cmpl $0x0,0x8(%ebp)js 16 js 16mov 0x4,%eax mov 0x4,%eaxcmp %eax,0x8(%ebp) cmp %eax,0x8(%ebp)jle 30 jl 30mov 0x8(%ebp),%eax mov 0x8(%ebp),%eaxmov %eax,0x4(%esp) mov %eax,0x4(%esp)movl $0x4c,(%esp) movl $0x4c,(%esp)call 25 call 25

Lunar (Debian) Reproducible builds LSM2015 12 / 126

Resulting difference in the binaryWhat’s the difference between if (a > b)and if (a >= b) in x86 assembly?

assembly: JLE JLopcode: 0x7E 0x7Cbinary: 01111110 01111100

A single bit!

Other corresponding opcode pairs also differ by just a singlebit (JGE=0x7D, JG=0x7F)

Lunar (Debian) Reproducible builds LSM2015 13 / 126

Result of fixing the bug (hex)Vulnerable Fixed55 89 e5 83 ec28 83 7d 08 0078 0a a1 04 0000 00 39 45 087e 1a 8b 45 0889 44 24 04 c704 24 4c 00 0000 e8 fc ff ffff b8 00 00 0000 eb 35

55 89 e5 83 ec28 83 7d 08 0078 0a a1 04 0000 00 39 45 087c 1a 8b 45 0889 44 24 04 c704 24 4c 00 0000 e8 fc ff ffff b8 00 00 0000 eb 35

Overall file size: approx. 500 kBLunar (Debian) Reproducible builds LSM2015 14 / 126

Result of fixing the bug (hex)Vulnerable Fixed55 89 e5 83 ec28 83 7d 08 0078 0a a1 04 0000 00 39 45 087e 1a 8b 45 0889 44 24 04 c704 24 4c 00 0000 e8 fc ff ffff b8 00 00 0000 eb 35

55 89 e5 83 ec28 83 7d 08 0078 0a a1 04 0000 00 39 45 087c 1a 8b 45 0889 44 24 04 c704 24 4c 00 0000 e8 fc ff ffff b8 00 00 0000 eb 35

Overall file size: approx. 500 kBLunar (Debian) Reproducible builds LSM2015 14 / 126

My first

Lunar (Debian) Reproducible builds LSM2015 15 / 126

Not the first

Bitcoin’s motivation:

Malicious modifications to binaries could result inirrevocable unwanted transfers of bitcoinsIndividual developers could be blamed for suchmodificationsUsers might not believe that a developer’s machinewas hackedReproducible builds therefore protect developers

Lunar (Debian) Reproducible builds LSM2015 16 / 126

And nothing new, even

From: Martin Uecker <[email protected]>Cc: [email protected]: Sun, 23 Sep 2007 23:32:59 +0200

I think it would be really cool if the Debian policy requiredthat packages could be rebuild bit-identical from source. Atthe moment, it is impossible to independly verify theintegricity of binary packages.

https://lists.debian.org/debian-devel/2007/09/msg00746.html

Lunar (Debian) Reproducible builds LSM2015 17 / 126

Why Debian?

Debian is the largest collection of free softwareMore than 21,000 source packages“Our priorities are our users and free software”

Lunar (Debian) Reproducible builds LSM2015 18 / 126

How?

Lunar (Debian) Reproducible builds LSM2015 19 / 126

How to achieve reproducibility?

Determine the build environmentReproduce the build environmentEliminate unneeded variations

Lunar (Debian) Reproducible builds LSM2015 20 / 126

How toHandle the build environment

Lunar (Debian) Reproducible builds LSM2015 21 / 126

Solution 1: rebuild the environment

Scripts will rebuild the environment from sourcesURL and checksum of source tarballs are recorded… or go crazy and check-in everything in the VCS

Approach used by Coreboot, OpenWrt, Bazel

Lunar (Debian) Reproducible builds LSM2015 22 / 126

Solution 1: rebuild the environment

Bonus: changes in the toolchain can be reviewed, merged,bisected, etc. just like other changes in the code.

Lunar (Debian) Reproducible builds LSM2015 23 / 126

Solution 2: system images and packages

Use a virtual machine or containerBase install of a common distributionFollow-up installation script

Tools: Gitian (Bitcoin, Tor Browser), rbm (Tor Messenger)

Lunar (Debian) Reproducible builds LSM2015 24 / 126

Solution 2: system images and packages

Downsides: if you use packages, you need to stick to stabledistributions and hope no security fixes will affect the build.Or you do mix it with solution 1.

Lunar (Debian) Reproducible builds LSM2015 25 / 126

Solution 3: record and replay

In Debian, a new control file *.buildinfo will record:

Versions of build dependenciesI … and their dependencies

Checksum of the source package.Checksums of the binary packages.

Lunar (Debian) Reproducible builds LSM2015 26 / 126

Example .buildinfo

Format: 1.9Build-Architecture: amd64Source: txtorconBinary: python-txtorconArchitecture: allVersion: 0.11.0-1Build-Path: /usr/src/debian/txtorcon-0.11.0-1Checksums-Sha256:a26549d9…7b 125910 python-txtorcon_0.11.0-1_all.deb28f6bcbe…69 2039 txtorcon_0.11.0-1.dsc

Build-Environment:base-files (= 8),base-passwd (= 3.5.37),bash (= 4.3-11+b1),…

Lunar (Debian) Reproducible builds LSM2015 27 / 126

snapshot.debian.org

snapshot.debian.org archives every state of theDebian archive.2015-05-25: 29 terabytes of data in 17 million files.

Lunar (Debian) Reproducible builds LSM2015 28 / 126

srebuild

Thin wrapper around sbuildDetermines the base releaseInstalls packages listed in the *.buildinfo fileStarts the build

Status: proof-of-concept in #774415

Lunar (Debian) Reproducible builds LSM2015 29 / 126

How toEliminate unneeded variations

Lunar (Debian) Reproducible builds LSM2015 30 / 126

General approach

Gitian (Bitcoin, Tor Browser):I Use a VM: same kernel, same user, same build path, …I libfaketime

Debian:I Fix the toolsI Fix the build systemsI Work-arounds as last resort

Lunar (Debian) Reproducible builds LSM2015 31 / 126

Investigating packages

diffOpenSUSE build-comparedebbindiff

Lunar (Debian) Reproducible builds LSM2015 32 / 126

debbindiff

Examines differences in depthOutputs HTML or plain text showing the differencesRecursively unpack archivesSeeks human readability:

I uncompress PDFI disassemble binaries,I unpack Gettext files,I … easy to extend to new file formats

Falls back to binary comparison

Lunar (Debian) Reproducible builds LSM2015 33 / 126

Test(and test again)

Lunar (Debian) Reproducible builds LSM2015 34 / 126

Finding variations

Build the packageRebuild the packageCompare the results

Lunar (Debian) Reproducible builds LSM2015 35 / 126

reproducible.debian.net

Continuous test system driven by JenkinsBad ass hardware sponsored by ProfitBricksTests about 1300 source packages each day on averageResults are visible on a websiteRecent additions: Coreboot and OpenWrt

Lunar (Debian) Reproducible builds LSM2015 36 / 126

Variations for Debian packages

The second build differs by:

timetimezonefile orderingprocess orderingcores used for the build

Lunar (Debian) Reproducible builds LSM2015 37 / 126

Variations for Debian packages

hostname, domainnameusername, uid, gidumasklanguage (LANG) and locale (LC_ALL)kernel version (using linux64 --uname-2.6)PATH

Lunar (Debian) Reproducible builds LSM2015 38 / 126

Still the same for now

date (but we cheat with timezone)/proc/cpuinforebuilds on different filesystems (currently tmpfs only)

Are we forgetting something?

Lunar (Debian) Reproducible builds LSM2015 39 / 126

Findings

Lunar (Debian) Reproducible builds LSM2015 40 / 126

Identified issues

Timestamps (recording current time)File order(Pseudo-)randomness:

I Temporary file pathsI UUIDI Protection against complexity attacks

Lunar (Debian) Reproducible builds LSM2015 41 / 126

Identified issues (cont.)

CPU and memory related:I Code optimizations for current CPU classI Recording of memory addresses

Build-pathOthers, eg. locale settings

Lunar (Debian) Reproducible builds LSM2015 42 / 126

Identified issues (cont.)

ExamplesTimestamps added by build systems

Lunar (Debian) Reproducible builds LSM2015 43 / 126

Timestamps in gzip headers

Lunar (Debian) Reproducible builds LSM2015 44 / 126

Timestamps written by Maven

Lunar (Debian) Reproducible builds LSM2015 45 / 126

Timestamps in generated Makefiles

Lunar (Debian) Reproducible builds LSM2015 46 / 126

Timestamps in header files

Lunar (Debian) Reproducible builds LSM2015 47 / 126

Timestamps written by PyQt4

Lunar (Debian) Reproducible builds LSM2015 48 / 126

Timestamps written by Erlang compiler

Lunar (Debian) Reproducible builds LSM2015 49 / 126

Timestamps in PE binariesWindows, UEFI, Mono…

Lunar (Debian) Reproducible builds LSM2015 50 / 126

Timestamps in ADA library information

Lunar (Debian) Reproducible builds LSM2015 51 / 126

Timestamps in Ruby gemspec files

Lunar (Debian) Reproducible builds LSM2015 52 / 126

Timestamps in PHP registry

Lunar (Debian) Reproducible builds LSM2015 53 / 126

Timestamps by a template engine

Lunar (Debian) Reproducible builds LSM2015 54 / 126

Timestamps in Python version

Lunar (Debian) Reproducible builds LSM2015 55 / 126

Identified issues (cont.)

ExamplesArchives

Lunar (Debian) Reproducible builds LSM2015 56 / 126

Timestamps in static libraries

Lunar (Debian) Reproducible builds LSM2015 57 / 126

Timestamps in static libraries (cont.)

Lunar (Debian) Reproducible builds LSM2015 58 / 126

Timestamps in ZIP archives

Lunar (Debian) Reproducible builds LSM2015 59 / 126

Timestamps in Java jar

They are actually ZIP archives.

Lunar (Debian) Reproducible builds LSM2015 60 / 126

Timestamps in tarballs

Lunar (Debian) Reproducible builds LSM2015 61 / 126

Users and groups in tarballs

Lunar (Debian) Reproducible builds LSM2015 62 / 126

Random order in tarballs

Lunar (Debian) Reproducible builds LSM2015 63 / 126

Identified issues (cont.)

ExamplesTimestamps in documentation

Lunar (Debian) Reproducible builds LSM2015 64 / 126

Timestamps written by Doxygen

Lunar (Debian) Reproducible builds LSM2015 65 / 126

Timestamps written by docbook-to-man

Lunar (Debian) Reproducible builds LSM2015 66 / 126

Timestamps written by Groovydoc

Lunar (Debian) Reproducible builds LSM2015 67 / 126

Timestamps written by Epydoc

Lunar (Debian) Reproducible builds LSM2015 68 / 126

Timestamps written by Sphinx

Lunar (Debian) Reproducible builds LSM2015 69 / 126

Timestamps written by Ghostscript

Lunar (Debian) Reproducible builds LSM2015 70 / 126

Timestamps written by LaTeX

Lunar (Debian) Reproducible builds LSM2015 71 / 126

Timestamps written by texi2html

Lunar (Debian) Reproducible builds LSM2015 72 / 126

Timestamps written by texi2html (cont.)

Lunar (Debian) Reproducible builds LSM2015 73 / 126

Timestamps written by help2man

Lunar (Debian) Reproducible builds LSM2015 74 / 126

Timestamps written by GNU groff

Lunar (Debian) Reproducible builds LSM2015 75 / 126

Timestamps written by Javadoc

Lunar (Debian) Reproducible builds LSM2015 76 / 126

Timestamps written by man2html

Lunar (Debian) Reproducible builds LSM2015 77 / 126

Timestamps in TeX output (.dvi)

Lunar (Debian) Reproducible builds LSM2015 78 / 126

Identified issues (cont.)

Examples“Compiled at/on/by”

Lunar (Debian) Reproducible builds LSM2015 79 / 126

Build time via C preprocessor macros

Lunar (Debian) Reproducible builds LSM2015 80 / 126

Build time via C preprocessor macros

Lunar (Debian) Reproducible builds LSM2015 81 / 126

Build time recorded via Makefile

Lunar (Debian) Reproducible builds LSM2015 82 / 126

Hostname recorded via ./configure

Lunar (Debian) Reproducible builds LSM2015 83 / 126

Build time recorded via ./configure

Lunar (Debian) Reproducible builds LSM2015 84 / 126

m4 macros for autoconf (build time)

Lunar (Debian) Reproducible builds LSM2015 85 / 126

m4 macros for autoconf (username)

Lunar (Debian) Reproducible builds LSM2015 86 / 126

m4 macros for autoconf (hostname)

Lunar (Debian) Reproducible builds LSM2015 87 / 126

Recorded kernel version

Lunar (Debian) Reproducible builds LSM2015 88 / 126

Bonus points for programmers

Lunar (Debian) Reproducible builds LSM2015 89 / 126

Identified issues (cont.)

ExamplesFile ordering

Lunar (Debian) Reproducible builds LSM2015 90 / 126

File ordering in python-support files

Lunar (Debian) Reproducible builds LSM2015 91 / 126

Identified issues (cont.)

ExamplesRandomness

Lunar (Debian) Reproducible builds LSM2015 92 / 126

Random Perl hash orderSee Algorithmic complexity attacks in perlsec(1).

Lunar (Debian) Reproducible builds LSM2015 93 / 126

Random serial numbers in Ogg streams

Lunar (Debian) Reproducible builds LSM2015 94 / 126

Random import order in Python code

Lunar (Debian) Reproducible builds LSM2015 95 / 126

Random order in Python namespace files

Lunar (Debian) Reproducible builds LSM2015 96 / 126

Temporary filenames in Ocaml libraries

Lunar (Debian) Reproducible builds LSM2015 97 / 126

Identified issues (cont.)

ExamplesEven more timestamps!

Lunar (Debian) Reproducible builds LSM2015 98 / 126

Timestamp-dependent rebuilds

Lunar (Debian) Reproducible builds LSM2015 99 / 126

Timezone gets recorded

Lunar (Debian) Reproducible builds LSM2015 100 / 126

Timestamps in EPUB files

Lunar (Debian) Reproducible builds LSM2015 101 / 126

Timestamps in PNGEven images!

Lunar (Debian) Reproducible builds LSM2015 102 / 126

Timestamps in TrueType font filesAnd fonts!

Lunar (Debian) Reproducible builds LSM2015 103 / 126

You think those wereenough issues?

Lunar (Debian) Reproducible builds LSM2015 104 / 126

Default changes with locale

Lunar (Debian) Reproducible builds LSM2015 105 / 126

Not illustrated

Build path getting recordedEnvironment variables (e.g. PATH)File permissions inconsistencyCryptographic signaturesAnd even more…

Lunar (Debian) Reproducible builds LSM2015 106 / 126

Fixes

Lunar (Debian) Reproducible builds LSM2015 107 / 126

Fixing timestamps

Replace with a precise reference to the code:I Actual version numberI Git commit hash or other VCS reference

Or use a known date (latest modification on the code)Implement support for SOURCE_DATE_EPOCH

Lunar (Debian) Reproducible builds LSM2015 108 / 126

Fixing timezone related issues

Use UTC!

Lunar (Debian) Reproducible builds LSM2015 109 / 126

Fixing file order variations

Sort!

Be beware of the locale!

Lunar (Debian) Reproducible builds LSM2015 110 / 126

Example: creating tarballs

Before:I tar -cf archive.tar src

After:I find src -print0 | LC_ALL=C sort -z |

tar --null -T - --no-recursion -cf archive.tar

Lunar (Debian) Reproducible builds LSM2015 111 / 126

Fixing random key ordering

Sort!

for my $limit (sort keys(%{$pat})) {$Data::Dumper::Sortkeys = 1for key in sorted(d.keys()):

Lunar (Debian) Reproducible builds LSM2015 112 / 126

Fixing build path

Don’t record build path

Workaround: perform rebuild in the same path as theoriginal build

Lunar (Debian) Reproducible builds LSM2015 113 / 126

Handling cryptographic signatures

Make the signature part of your release process:

1 Do a first (reproducible) build2 Sign it3 Ship the signature with the source code4 Just copy the signature on next builds

Example patch: #725803

Lunar (Debian) Reproducible builds LSM2015 114 / 126

Misc. fixes

Don’t record kernel, CPU type, login…

No added valuePrivacy issue

Lunar (Debian) Reproducible builds LSM2015 115 / 126

Cleanup via post-processing

re-dzip.shpyc-timestamp.shstrip-nondeterminism

Lunar (Debian) Reproducible builds LSM2015 116 / 126

strip-nondeterminism

Normalize various file formatsCurrently handles:

I ar archives (.a)I gzipI Java jarI Javadoc HTMLI Maven pom.propertiesI PNGI ZIP archives

Written in Perl (like dpkg-dev)

Lunar (Debian) Reproducible builds LSM2015 117 / 126

How are we doing in Debian?

Lunar (Debian) Reproducible builds LSM2015 118 / 126

For those in the back

81%More than 18,000 source packages!

(in our test environment)

Lunar (Debian) Reproducible builds LSM2015 119 / 126

For those in the back

81%More than 18,000 source packages!

(in our test environment)

Lunar (Debian) Reproducible builds LSM2015 119 / 126

Still experimenting

It’s not yet possible to reproduce builds of officialDebian packagesWe are refining changes to the toolchain in anexperimental repositoryNext steps:

I Allow .buildinfo in the archive (#763822)I Get changes to dpkg mergedI Ship .buildinfo to the mirrorsI Finish the srebuild srcript (#774415)

Lunar (Debian) Reproducible builds LSM2015 120 / 126

Other distributions

Fedorahttp://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/OpenSUSE build-comparehttps://build.opensuse.org/package/show/openSUSE:Factory/build-compareNixOShttp://lists.science.uu.nl/pipermail/nix-dev/2013-June/011357.htmlFreeBSD https://wiki.freebsd.org/ReproducibleBuilds andhttps://wiki.freebsd.org/PortsReproducibleBuildsOpenWrt https://lists.openwrt.org/pipermail/openwrt-devel/2015-March/032136.html

Lunar (Debian) Reproducible builds LSM2015 121 / 126

Reproducible Fedora?

No known activity after the initial blog post.Fedora is leading developments for key components.Can we help reproducible Fedora?

Lunar (Debian) Reproducible builds LSM2015 122 / 126

Everywhere?

Please talk to us!

Lunar (Debian) Reproducible builds LSM2015 123 / 126

Everywhere!

Reproducible builds need to become the norm.We can help with continuous testing.Debian wiki wants to be useful to everyone.

Lunar (Debian) Reproducible builds LSM2015 124 / 126

ThanksAsheesh Laroia, Holger Levsen, Reiner Herrmann,Mattia Rizzolo, Daniel Kahn Gilmor, and so manyothers…Mike Perry and Seth Schoen for their 31C3 talkLinux Foundation for sponsoring Holger and myselfProfitBricks for sponsoring jenkins.debian.netGlobalsign for sponsoring X.509 certificatesDesigners of Tango iconsEveryone who helped!

Lunar (Debian) Reproducible builds LSM2015 125 / 126

Questions? Comments?

?https://wiki.debian.org/ReproducibleBuilds

https://reproducible.debian.net/#debian-reproducible on OFTC

Lunar 0603 CCFD 9186 5C17 E88D4C79 8382 C95C 2902 3DF9

Lunar (Debian) Reproducible builds LSM2015 126 / 126