Secure Coding mailing list archives
Processes HAVE been discussed to counter source-control archive attacks
From: "David A. Wheeler" <dwheeler () ida org>
Date: Fri, 09 Jan 2004 20:06:46 +0000
Nick Lothian said:
> 2) WRT the Linux Kernel security breach, I think it would be very
> interesting to see what processes other (close source) operating system
> developers have in place to catch unauthorised modifications of code already
> in their source-control archive. I've never seen any discussion or
> recommendations for processes to combat that kind of problem, and I think
> that most development shops would be caught out by something like that.
Actually, there HAVE been discussions on that very issue in the past.
E.g., in the early 1990s SDIO ("Star Wars") developed something called the
"Trusted Software Development Methodology (TSDM)" (later called the
"Trusted Software Methodology" (TSM), then heavily modified into
the "Trusted CMM", and then dropped). This is unrelated to the SSE-CMM.
The TSDM/TSM/TCMM was worried about countering inadvertent and malicious code
being inserted into a program, possibly by the developers themselves.
It wasn't really a "method"; it was a set of requirements on the development
process, levelled from 0 to 5 (at level 5 you had extremely harsh
requirements).
Copies of this thing are very hard to find nowadays.
But here's the point: Its "Configuration Management Principle"
item (z) requires at level 3 and higher that:
"A mechanism or procedure that provides for comparison
of software versions shall be incorporated into the SCM process.
Comparisons shall be performed when a new version of an item under
configuration control is placed in the SDL to ensure
that only authorized modifications have been performed."
(SCM=Software Configuration Management;
SDL=Software Development Library)
[Source: Trusted Software Methodology (TSM) Report,
Appendix A: Trust Principles, by GE Aerospace (Blue Bell, PA).
CDRL A075, July 2, 1993.]
I believe the "Trusted CMM" had similar text.
This was back in the early 1990s. The notion of CM being important
long predates this, but even an explicit acknowledgement of this
as part of a larger secure development process has been around for a while.
Good news: as a result of the break-in into Savannah, the
Free Software Foundation (FSF) has offered funds to add to CVS
a way to digitally sign all changes, and is discussing this with the
developer of the "arch" CM system too. So there's hope in the
future for better counter-measures against CM system attacks.
--- David A. Wheeler
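The TSM requirement quoted in the message above (compare each new version placed in the library against the baseline so that only authorized modifications get through) can be turned into a concrete check. The script below is an added example for this archive page, not code from the message, from TSM, or from the CVS/arch signing work the FSF funded; it models an "authorized change" as a per-file record bound to a reviewer key with an HMAC, and all file names, contents and the key are constructed for the demo.

```python
# Added example (not part of the mailing-list post): a version-comparison check
# in the spirit of the TSM "Configuration Management Principle" quoted above.
# A new version of a tree is accepted only if every difference from the
# baseline is covered by an authorized change.  "Authorized" is modelled as a
# per-file change record carrying an HMAC made with a reviewer key; the key,
# file names and contents below are all constructed for the demo.
import hashlib
import hmac
import json

REVIEWER_KEY = b"constructed-demo-reviewer-key"  # stand-in for a real signing key


def digest(content: str) -> str:
    """Content hash used to identify one version of a file."""
    return hashlib.sha256(content.encode()).hexdigest()


def _record_bytes(path: str, d) -> bytes:
    return json.dumps({"path": path, "digest": d}, sort_keys=True).encode()


def authorize_change(path: str, new_content, key: bytes = REVIEWER_KEY) -> dict:
    """A reviewer 'signs' a change: binds the path and the digest of the new
    content (None = authorized deletion) with an HMAC under the reviewer key."""
    d = None if new_content is None else digest(new_content)
    mac = hmac.new(key, _record_bytes(path, d), hashlib.sha256).hexdigest()
    return {"path": path, "digest": d, "mac": mac}


def change_is_valid(change: dict, key: bytes = REVIEWER_KEY) -> bool:
    """True only if the change record was produced under the reviewer key."""
    expected = hmac.new(key, _record_bytes(change["path"], change["digest"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, change["mac"])


def expected_tree(baseline: dict, changes: list, key: bytes = REVIEWER_KEY) -> dict:
    """Digests of the baseline with every authorized change applied.
    A change record that does not verify aborts the comparison."""
    expected = {path: digest(content) for path, content in baseline.items()}
    for change in changes:
        if not change_is_valid(change, key):
            raise ValueError(f"change record for {change['path']} has a bad signature")
        if change["digest"] is None:
            expected.pop(change["path"], None)
        else:
            expected[change["path"]] = change["digest"]
    return expected


def compare_versions(baseline: dict, new_tree: dict, changes: list,
                     key: bytes = REVIEWER_KEY) -> list:
    """Return one finding per difference that no authorized change covers.
    An empty list means the new version carries only authorized modifications."""
    expected = expected_tree(baseline, changes, key)
    findings = []
    for path in sorted(set(expected) | set(new_tree)):
        if path not in new_tree:
            findings.append(f"unauthorized deletion: {path}")
        elif path not in expected:
            findings.append(f"unauthorized addition: {path}")
        elif digest(new_tree[path]) != expected[path]:
            findings.append(f"unauthorized modification: {path}")
    return findings


# Constructed demo data: a two-file baseline, one reviewed driver change, and a
# submitted version that also carries an unreviewed edit to a second file.
BASELINE = {
    "drivers/net/foo.c": "int foo_init(void) { return 0; }\n",
    "kernel/sys_x.c": "int sys_x(int flags) { return check(flags); }\n",
}
AUTHORIZED = [
    authorize_change("drivers/net/foo.c", "int foo_init(void) { return probe(); }\n"),
]
SUBMITTED = {
    "drivers/net/foo.c": "int foo_init(void) { return probe(); }\n",
    "kernel/sys_x.c": "int sys_x(int flags) { return 0; }\n",
}

if __name__ == "__main__":
    for finding in compare_versions(BASELINE, SUBMITTED, AUTHORIZED):
        print(finding)
```

Run as-is, the script reports the edit to `kernel/sys_x.c` as an unauthorized modification while accepting the reviewed driver change; a change record forged without the reviewer key makes the comparison refuse to run rather than silently widening the set of accepted differences. In a real repository the HMAC would be replaced by the digital signatures the message describes the FSF funding for CVS, and the baseline digests would come from the last accepted revision.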
