aursec - blockchain-based verification of AUR packages

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

aursec - blockchain-based verification of AUR packages

Bennett Piater
Hello,
we are pleased to announce the release of aursec [0], a tool which aims
to improve the security of using the AUR.
We are writing it as part of our Bachelor's thesis.

It provides a secure hash database in a private Ethereum blockchain that
stores hashes for specific package versions.
The hash that was submitted from the most different users becomes the
consensus and can be queried and compared against.

The hash is formed from the PKGBUILD, install files and VCS sources,
thereby adding a layer of verification on top of that provided by the
hashes in the PKGBUILD.
The threat model [1] we defend against is targeted attacks against
specific AUR users, e.g. using a hostile takeover and subsequent
modification of an orphan package, that would be reverted and therefore
likely not noticed.
If the target used aursec, he would see that his package has a different
hash from what other users got.

Aursec takes a build folder containing a PKGBUILD and .SRCINFO and does
all the work automatically.
It calls makepkg --verifysrc in a firejail sandbox to download VCS
sources and find out the current version.

Example use:

    $aursec ~/aur/foo
    $find -type d ~/aur | aursec

We would greatly appreciate feedback on the threat model, solution, and
the usability of the tool itself.

Cheers,
Bennett Piater and
Lukas Krismer

[0]: https://aur.archlinux.org/packages/aursec
[1]:
https://vps1.piater.name/file-sharing/r/_q35eP3Y89#wqDp8+hB9C22GdKrH4nD/HP1CP3NfKQm0V1YuZih+28=

--
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808




signature.asc (565 bytes) Download Attachment