Possible vulnerability induced by the use of MD4?

by Raphaël Marinier

Hello,

I was wondering why ccache uses MD4 (which is cryptographically
insecure) to decide whether a file should be recompiled.

It seems that an attacker could take advantage of that to introduce a
vulnerability in the binaries of a software compiled using ccache.
Namely, an attacker could do the following:
- find two source files A and B such that:
   * the MD4 hashes of A and B are the same (published attacks on MD4
don't allow doing that directly, but since MD4 is deeply broken, it is
reasonable to think that it is possible)
   * A introduces a vulnerability in the software, whereas B seems
secure (and looks like A)
- make sure A is committed in the repository of the software, and make
sure those who distribute the binaries compile the software with
ccache
- replace A by B, apparently correcting the vulnerability. Now, when
people recompile the software using ccache, the vulnerable source is
not recompiled and may be distributed... (Thus the vulnerability in
the software is corrected, whereas it is still present in the
binaries).

Any thoughts?

--
Raphaël M.
_______________________________________________
ccache mailing list
ccache@...
https://lists.samba.org/mailman/listinfo/ccache

Re: Possible vulnerability induced by the use of MD4?

by Raphaël Marinier

2009/7/22 Martin Pool <mbp@...>:
> 2009/7/22 Raphaël Marinier <raphael.marinier@...>:
>> Hello,
>>
>> I was wondering why ccache uses MD4 (which is cryptographically
>> insecure) to decide whether a file should be recompiled.
>
> Because it's much faster than sha256.

Has the impact of the slowness of sha256 compared to MD4 been measured
in ccache?
We can hash with sha256 at more than 100MB/s on a typical computer
(see http://www.cryptopp.com/benchmarks.html for instance).
Isn't that fast enough for ccache? (I'm no expert in ccache)

>> It seems that an attacker could take advantage of that to introduce a
>> vulnerability in the binaries of a software compiled using ccache.
>> Namely, an attacker could do the following:
>> - find two source files A and B such that:
>>   * the MD4 hashes of A and B are the same (published attacks on MD4
>> don't allow doing that directly, but since MD4 is deeply broken, it is
>> reasonable to think that it is possible)
>
> Note that they actually have to find two source files A and B such
> that {the result of preprocessing them on the build system, plus the
> command line options, plus the size and modification time of the
> compiler binary, plus the stderr from the preprocessor} will have the
> same hash.  That may be harder.  At least it depends on knowing
> precisely what build environment will be used, and knowing that no
> relevant headers will change between the two stages.

Yes, it is of course not very easy, and overall, the attack is very
contrived as you said. (but still, MD4 is broken, so we shouldn't rely
on its security).

--
Raphaël
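
The composite input listed in the quoted reply above (preprocessor output, command-line options, compiler size and modification time, preprocessor stderr) can be hashed as sketched below. This is an added example, not ccache's code and not part of either message; the field layout, function names and sample values are assumptions, and SHA-256 is used here where the thread discusses MD4.

```python
import hashlib
import struct

def _field(tag: bytes, data: bytes) -> bytes:
    # Length-prefix every field so adjacent fields cannot be re-split
    # into a different set of inputs that produces the same byte stream.
    return tag + struct.pack(">Q", len(data)) + data

def cache_key(preprocessed: bytes, args: list, compiler_size: int,
              compiler_mtime: int, cpp_stderr: bytes,
              algo: str = "sha256") -> str:
    """Hypothetical cache key over the inputs named in the reply above."""
    h = hashlib.new(algo)
    h.update(_field(b"P", preprocessed))                    # preprocessor output
    h.update(_field(b"N", struct.pack(">I", len(args))))    # argument count
    for arg in args:
        h.update(_field(b"A", arg.encode()))                # each option, framed
    h.update(_field(b"C", struct.pack(">QQ", compiler_size, compiler_mtime)))
    h.update(_field(b"E", cpp_stderr))                      # preprocessor stderr
    return h.hexdigest()

# Constructed sample inputs (not taken from a real build).
BASE = dict(preprocessed=b"int check(int n) { return n < 16; }\n",
            args=["-O2", "-DLIMIT=16", "-c"],
            compiler_size=1_234_567, compiler_mtime=1_248_220_800,
            cpp_stderr=b"")

def changed_keys() -> dict:
    """For each input, report whether altering it alone changes the key."""
    base = cache_key(**BASE)
    variants = {
        "preprocessed": {"preprocessed": b"int check(int n) { return n <= 16; }\n"},
        # Same characters as BASE["args"] when naively concatenated,
        # but a different argument list; framing keeps the keys distinct.
        "args": {"args": ["-O2", "-DLIMIT=1", "6", "-c"]},
        "compiler_size": {"compiler_size": 1_234_568},
        "compiler_mtime": {"compiler_mtime": 1_248_220_801},
        "cpp_stderr": {"cpp_stderr": b"warning: unused macro\n"},
    }
    return {name: cache_key(**{**BASE, **v}) != base
            for name, v in variants.items()}

if __name__ == "__main__":
    print(cache_key(**BASE))
    print(changed_keys())
```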