Nmap Development mailing list archives

Re: Updater Proposal
From: alexandru <alex () hackd net>
Date: Mon, 16 May 2011 18:08:49 -0700


On 2011-05-15, at 5:28 PM, Colin L. Rice wrote:

Hello Everyone,

I'm Colin, one of the new GSOC students. As part of my task I want to
implement an auto-updater for nmap. However, before I write it I need to
figure out how to implement it and how limited it is.

So I have been researching this and would like to present a couple of
options for discussion.

We first have two choices
1) Write an updater which only touches the platform independent files
such as the lua and NSE libraries as well as nmap-service-probes,
nmap-services, nmap-os-db. This could be used not only to update old
versions of nmap but also to update users to the latest scripts,
services, and os probes without updating the entire nmap library and
allowing new changes to be distributed quickly.
2) Write an updater which updates everything. This simplifies worrying
about whether the scripts will work with the current version but you do
have to make sure you are getting the correct binary.

Once you have made those choices you have to decide how you wish to
ensure download integrity. There are again a couple of options.
1) Use a framework such as TUF which is set up to basically handle
hostile attack gracefully and can deal with everything from compromised
keys, hostile mirrors, and man in the middle attacks.
https://www.updateframework.com/browser/specs/tuf-spec.txt

2) Use a simpler system which is wrapped around bsdiff or courgette
where all that is maintained is that the patches are signed by the
correct source, that the patches are newer than the current version, and
that there has been no corruption during transmission.

After talking with my mentor it sounds like the best idea is to write an
updater which is separate from nmap and uses TUF as a framework.
Additionally we should just update everything in order to avoid lots of
very different bugs arising from the binaries not being updated. One
potential issue is I have not found a way to get TUF to pull different
binaries depending on the platform. It may be built in and I haven't
spotted it or I could modify TUF in order to accommodate that.

I gave the TUF spec a cursory read, but it seems to me like each platform release should have its own repository (in 
TUF terminology[0]), and thus its own root keys etc. I think it would ultimately be the job of the platform package 
maintainer to handle/update this information whenever they package up new releases.

[0]: https://www.updateframework.com/browser/specs/tuf-spec.txt#L308 


Any Thoughts?
-Colin Rice



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
ατ

Attachment: PGP.sig
Description: This is a digitally signed message part
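The "simpler system" Colin lists as integrity option 2 boils down to three client-side checks: the update is signed by the expected source, it is newer than what is installed, and the downloaded bytes match what was signed. The following is an added example written for this archive page, not code from Colin's updater, from nmap or from TUF. It assumes a hypothetical JSON manifest format (fields `version` and `sha256`), an Ed25519 publisher key generated in-process so the example runs offline, and a constructed sample payload; a real client would ship the publisher's public key pinned in the updater, and key rotation or compromise is exactly the part this scheme leaves to TUF.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed description of one update payload.
// Field names are assumptions for this example, not nmap's or TUF's format.
type Manifest struct {
	Version int    `json:"version"` // monotonically increasing update number
	SHA256  string `json:"sha256"`  // hex digest of the payload bytes
}

// SignedManifest carries the exact bytes that were signed plus the signature,
// so the client verifies before it parses anything.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrRollback     = errors.New("manifest version is not newer than installed")
	ErrCorrupt      = errors.New("payload digest does not match manifest")
)

// Sign produces a signed manifest for payload. In a real deployment the private
// key lives only on the publisher's side; it is in-process here so the example runs offline.
func Sign(priv ed25519.PrivateKey, version int, payload []byte) (SignedManifest, error) {
	sum := sha256.Sum256(payload)
	m, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, m)}, nil
}

// Verify applies the three checks in the order a client must use them:
// 1. signature over the manifest bytes (trust the bytes before parsing them),
// 2. version strictly newer than installed (rejects a replayed old update),
// 3. payload digest matches the signed manifest (integrity of the download).
func Verify(pub ed25519.PublicKey, installed int, sm SignedManifest, payload []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version <= installed {
		return Manifest{}, ErrRollback
	}
	sum := sha256.Sum256(payload)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return Manifest{}, ErrCorrupt
	}
	return m, nil
}

// Demo runs the happy path and three failure cases against a freshly generated
// publisher key: a replayed older update, a tampered payload, and a manifest
// signed by a key the client does not trust (e.g. a hostile mirror).
func Demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a data file such as nmap-service-probes.
	payload := []byte("nmap-service-probes: constructed sample payload\n")
	good, _ := Sign(priv, 5, payload)
	old, _ := Sign(priv, 3, payload)
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	forged, _ := Sign(attackerPriv, 9, payload)

	res := map[string]error{}
	installed := 4
	_, res["valid"] = Verify(pub, installed, good, payload)
	_, res["rollback"] = Verify(pub, installed, old, payload)
	_, res["tampered"] = Verify(pub, installed, good, append([]byte("evil "), payload...))
	_, res["forged"] = Verify(pub, installed, forged, payload)
	return res
}

func main() {
	for _, name := range []string{"valid", "rollback", "tampered", "forged"} {
		fmt.Printf("%-9s -> %v\n", name, Demo()[name])
	}
}
```

The ordering in Verify matters: the version and digest come out of the manifest, so nothing in it can be trusted until the signature over the raw bytes has been checked, and the digest comparison is constant-time so a corrupted or tampered download is rejected without leaking how many bytes matched.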

