[aur-general] aursec - blockchain-based verification of AUR packages

Bennett Piater bennett at piater.name
Thu Apr 13 12:13:11 UTC 2017


Hello,
we are pleased to announce the release of aursec [0], a tool which aims
to improve the security of using the AUR.
We are writing it as part of our Bachelor's thesis.

It provides a secure hash database in a private Ethereum blockchain that
stores hashes for specific package versions.
The hash that was submitted by the most different users becomes the
consensus and can be queried and compared against.

The hash is formed from the PKGBUILD, install files and VCS sources,
thereby adding a layer of verification on top of that provided by the
hashes in the PKGBUILD.
The threat model [1] we defend against is targeted attacks against
specific AUR users, e.g. using a hostile takeover and subsequent
modification of an orphan package, that would be reverted and therefore
likely not noticed.
If the target used aursec, he would see that his package has a different
hash from what other users got.

Aursec takes a build folder containing a PKGBUILD and .SRCINFO and does
all the work automatically.
It calls makepkg --verifysrc in a firejail sandbox to download VCS
sources and find out the current version.

Example use:

    $ aursec ~/aur/foo
    $ find ~/aur -type d | aursec

We would greatly appreciate feedback on the threat model, solution, and
the usability of the tool itself.

Cheers,
Bennett Piater and
Lukas Krismer

[0]: https://aur.archlinux.org/packages/aursec
[1]: https://vps1.piater.name/file-sharing/r/_q35eP3Y89#wqDp8+hB9C22GdKrH4nD/HP1CP3NfKQm0V1YuZih+28=

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
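
The consensus rule described in the announcement, as an added example that is not part of the original post and is not aursec's code. The hash layout (SHA-256 over sorted, length-prefixed file names and contents), the in-memory submission list standing in for the blockchain, and all names and sample data are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def build_hash(files):
    """Hash a build folder given as {relative_path: bytes}, independent of dict order.
    Assumed layout: length-prefixed names and contents, sorted by path."""
    h = hashlib.sha256()
    for name in sorted(files):
        for part in (name.encode(), files[name]):
            h.update(len(part).to_bytes(8, "big"))
            h.update(part)
    return h.hexdigest()

def consensus(submissions):
    """submissions: iterable of (user, hash). Return (hash, distinct_users) or (None, 0).
    A user counts once per hash, so resubmitting does not add weight; a tie is no consensus."""
    voters = defaultdict(set)
    for user, digest in submissions:
        voters[digest].add(user)
    ranked = sorted(((len(u), d) for d, u in voters.items()), reverse=True)
    if not ranked or (len(ranked) > 1 and ranked[0][0] == ranked[1][0]):
        return None, 0
    return ranked[0][1], ranked[0][0]

def check(local_files, submissions):
    """Compare the locally computed hash with the consensus hash."""
    expected, _ = consensus(submissions)
    if expected is None:
        return "no-consensus"
    return "match" if build_hash(local_files) == expected else "mismatch"

# Constructed sample data: three users saw the same package version,
# one account submitted the hash of a modified PKGBUILD five times.
GOOD = {"PKGBUILD": b"pkgname=foo\npkgver=1.0\n", "foo.install": b"post_install() { :; }\n"}
TAMPERED = dict(GOOD, PKGBUILD=GOOD["PKGBUILD"] + b"# changed line\n")
SUBMISSIONS = [(u, build_hash(GOOD)) for u in ("alice", "bob", "carol")]
SUBMISSIONS += [("mallory", build_hash(TAMPERED))] * 5

if __name__ == "__main__":
    print(consensus(SUBMISSIONS))
    print(check(GOOD, SUBMISSIONS), check(TAMPERED, SUBMISSIONS))
```

A user who is served the modified build folder gets "mismatch" even though the modified hash has more raw submissions, because only distinct submitters are counted.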


