USENIX Association Proceedings of the FREENIX Track: 2004 USENIX Annual Technical Conference, Boston, MA, USA, June 27–July 2, 2004. © 2004 by The USENIX Association. All Rights Reserved. For more information about the USENIX Association: Phone: 1 510 528 8649, FAX: 1 510 548 5738, Email: [email protected], WWW: http://www.usenix.org. Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.

The NetBSD Update System
Alistair Crooks, The NetBSD Project
9th April 2004

Abstract

This paper explains the need for a binary patch and update system, and describes the background and implementation of NetBSD-update, a binary update facility for NetBSD. The implementation is then analysed, and some lessons are drawn for others who may be interested in implementing their own binary update system using the NetBSD pkgsrc tools, which are already available for many operating systems and environments.

The NetBSD Binary Update System

Unix, Linux and the BSD operating systems have traditionally been distributed in source form, and users and administrators have a long tradition of compiling utilities and applications from source. Over time, however, vendors have moved towards a binary-only distribution mechanism, removing various parts of the system in the process, such as the C compiler and other necessary tools. It is only over the last decade that the rise of Linux and the BSD operating systems has placed the emphasis back on source code, and even then, most versions of these operating systems are installed from a binary distribution.

This paper describes the NetBSD update system, which has been implemented on and for the NetBSD operating system http://www.netbsd.org/ using the packaging tools from the NetBSD Packages Collection (pkgsrc) http://www.pkgsrc.org/.

Other vendors and operating systems have binary update facilities in place - their existence is not the driving force behind the use of pkgsrc or NetBSD. Rather, this is a description of a facility which is used in NetBSD and which can be used on any other operating system to augment the standard facilities which are in place.

Driving Forces for a Binary Patch and Update System

It is now common to find firewalls in large and small organisations, preventing malign access and protecting the organisation from intrusion and other attacks. It would not be prudent to have a C compiler installed on such a machine - its role should be that of a gatekeeper, a bouncer with an attitude, keeping anything suspicious out and not allowing anyone who does manage to penetrate the defences to use any tools to break further into the infrastructure.

In addition to these cases, it is very unusual to find users (as opposed to administrators, or people who work in the industry) who would know what to do with a source distribution. Email to various mailing lists proves this point - to the majority of users out there, the computer is a tool, not a thing of beauty.

It is also common to find vulnerabilities in operating systems, libraries and utilities which have already been deployed. To fill such holes, a patching system needs to be used - the vulnerable code is replaced by code which is not vulnerable. This must be done by updating the binaries.

Embedded systems must also be examined in light of the vulnerabilities found in MTAs, network time servers, IP filtering software, operating system software, and anything else which is included as part of the embedded system and which can be used to facilitate an attack on an organisation or individual. The whole infrastructure is only as strong as the weakest link in the defences, and one breach renders the rest of those defences useless.

It is not feasible to expect that all the vulnerabilities can be found and protected against ahead of time - new ones are being found every day - and so there must be a mechanism available by which new binaries can be used to overwrite vulnerable ones. This paper examines the issues involved in the design and deployment of such a system.

It can take some time for an advisory to be received, investigated, researched, fixed and then publicised - the binary update facility can be viewed as a more reliable form of communication of the exploit or vulnerability than reading the Bugtraq or Full Disclosure mailing lists.

Some vendors wish users and administrators to pay for the added service which a binary update facility provides. Whilst the NetBSD binary update system is not intended to prevent vendors from charging for this service, some people are unhappy with and unwilling to pay for a binary update system.

Related Systems

The one piece of software to which everyone immediately refers when talking about binary updates is the Windows Update facility http://v4.windowsupdate.microsoft.com/en/default.asp. It has three separate parts - update check (for new upgrades), update download, and update installation - and Windows XP computers can be set to perform the check, the check and download, or all three parts automatically. Windows Update is based around a web front end: all the user has to do is specify (the first time Windows Update is run) how they would like their system to check for updates, and everything is very easy from an end-user point of view.

Debian Linux http://security.debian.org/ has a security update feature which uses its apt system to provide binary patches for Debian Linux systems.

The FreeBSD project http://www.freebsd.org/ is working on its own binary update system.

The RedHat network http://www.redhat.com/ provides a commercial service for RedHat Linux systems.

Sun Microsystems http://www.sun.com/ provides a number of binary updates via its SunSolve facility for its Solaris operating environment.

The NetBSD Packages Collection http://www.pkgsrc.org/ has an audit-packages package which is used to notify the user when packages installed on the host system have been found to have security exploits or vulnerabilities. A central list is maintained by the security-officer and other developers, and stored on one of the NetBSD project servers. The user is encouraged to run download-vulnerability-list as one of the periodic jobs on a host system by means of the crontab(8) facility. This script downloads the list of vulnerabilities from the central server. Output from the download-vulnerability-list script is reproduced in Figure download-vulnerability-file output.

A separate script, called audit-packages, simply runs through each entry in the list of vulnerabilities and checks whether a package with a vulnerable version number is installed on the system. If one is, a warning message is printed with the relevant information, as shown in Figure audit-packages.

The vulnerabilities file is split into three columns. Each line of the file describes one vulnerability. Comments start with the '#' character. The first column is the vulnerable package versions; the second column is the type of vulnerability; and the final column is a URL related to the vulnerability. Some typical entries from the vulnerabilities list are shown in Figure pkg-vulnerabilities file.

The audit-packages package works very effectively in practice, having ironed out a few loose ends in its implementation. From the start, the vulnerability list has been advertised as one that will only grow - old vulnerabilities are retained just in case. This has proved difficult to implement - occasionally URLs are found to be out of date, or better ones are identified. Once a user with a shorter username fixed two transposed characters in a comment, thereby causing the size of the vulnerabilities list to decrease. In time, it was found better to have an embedded SHA1 digest, which is used to ascertain correct transmission of the vulnerabilities list and that no truncation has occurred in transit, as well as to detect accidental modification of the file. Note that a digest embedded in the file itself only guards against accidental damage: anyone able to alter the file in transit can recompute the digest, so protection against deliberate tampering requires a signature from the list's maintainers rather than a bare digest.

NetBSD also has fine-grained system packages, which can be used as an alternative to the traditional BSD sets method of installing or upgrading systems. System packages are usually made up of three sub-packages:

• the binaries,
• the manual pages,
• and any example or support files.

The NetBSD Update System does not use any of the facilities of system packages - on non-NetBSD systems, it is likely that system packages would clash with traditional methods of installing and updating systems, and so a separate mechanism was used to implement the NetBSD Update System.

The author has some experience with the packaging tools used in the NetBSD packages collection, and certain facilities of these tools would be needed in the binary update facility itself. Version numbers which can be compared rationally with each other, and tools which themselves add, back up and delete files, directories and other file system entries, are essential in providing a useful utility which does not try to do any more than it needs to do.

Implementation of the NetBSD Update System

The implementation of the NetBSD update system follows the Windows and Debian updates - the binary updates can be set to inform of new updates, to inform and download, or to inform, download and install the updates automatically.

The NetBSD packages collection tools are used to perform the binary update work - these tools
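The following Python script is an added worked example for this page, written for the three-column vulnerabilities file and the audit-packages check described above, together with the embedded-digest verification and the rational version comparison the paper calls essential. It is not the pkgsrc audit-packages or download-vulnerability-list code. The pattern syntax in the first column (`name<version`, `name>=a<b`, `name-*`), the `#CHECKSUM SHA1` trailer line, the Dewey-style `1.2.3nb2` version grammar and all sample data are assumptions made for the example.

```python
"""Parse a pkg-vulnerabilities-style file, verify its embedded SHA1 digest,
and report installed packages whose versions fall in a vulnerable range.

Illustrative code written for this page, not the pkgsrc implementation.
Pattern syntax, digest line format and sample data are assumptions."""
import hashlib
import re

# Constructed sample list (assumption: three whitespace-separated columns,
# '#' comments, and a trailing '#CHECKSUM SHA1 <hex>' line covering all
# preceding bytes so that truncation or corruption in transit is detected).
SAMPLE_BODY = (
    "# constructed pkg-vulnerabilities for the example\n"
    "exampled<1.2.3\t\tremote-root-shell\thttp://example.invalid/adv-0001\n"
    "libfoo>=2.0<2.0.5\tbuffer-overflow\thttp://example.invalid/adv-0002\n"
    "ntp-*\t\t\tdenial-of-service\thttp://example.invalid/adv-0003\n"
)
SAMPLE_LIST = SAMPLE_BODY + "#CHECKSUM SHA1 %s\n" % hashlib.sha1(
    SAMPLE_BODY.encode()).hexdigest()

# Constructed "installed packages" as name-version strings.
INSTALLED = ["exampled-1.2.2", "libfoo-2.0.4nb1", "ntp-4.2.0", "zsh-4.2.0"]


def parse_version(v):
    """'1.2.3nb2' -> ([1, 2, 3], 2). Dewey-style digits plus an optional
    pkgsrc-like 'nbN' package revision (assumption: no letters or tags)."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:nb([0-9]+))?", v)
    if not m:
        raise ValueError("unsupported version syntax: %r" % v)
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1. Components compare numerically (1.10 > 1.9),
    missing trailing components count as 0, 'nb' revision breaks ties."""
    va, na = parse_version(a)
    vb, nb = parse_version(b)
    n = max(len(va), len(vb))
    va += [0] * (n - len(va))
    vb += [0] * (n - len(vb))
    if va != vb:
        return -1 if va < vb else 1
    return (na > nb) - (na < nb)


def parse_pattern(pattern):
    """Return (name, [(op, version), ...]); an empty list means any version."""
    if pattern.endswith("-*"):
        return pattern[:-2], []
    m = re.match(r"^(.+?)((?:[<>]=?[^<>]+)+)$", pattern)
    if not m:
        raise ValueError("unsupported pattern: %r" % pattern)
    return m.group(1), re.findall(r"([<>]=?)([^<>]+)", m.group(2))


def matches(pattern, installed):
    """True if the installed 'name-version' string satisfies the pattern."""
    name, conds = parse_pattern(pattern)
    pkg, version = installed.rsplit("-", 1)   # names may contain '-'
    if pkg != name:
        return False
    ops = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
           ">": lambda c: c > 0, ">=": lambda c: c >= 0}
    return all(ops[op](compare_versions(version, bound)) for op, bound in conds)


def verify_digest(text):
    """Check the trailing '#CHECKSUM SHA1' line against the bytes before it.
    This catches truncation and corruption only: an attacker who can rewrite
    the file can rewrite the digest line too, so it is no substitute for a
    signature from the list maintainers."""
    lines = text.splitlines(keepends=True)
    if not lines or not lines[-1].startswith("#CHECKSUM SHA1 "):
        return False
    expected = lines[-1].split()[2]
    return hashlib.sha1("".join(lines[:-1]).encode()).hexdigest() == expected


def parse_vulnerabilities(text):
    """Yield (pattern, type, url) tuples, skipping blank and comment lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 columns, got %d" % (lineno, len(fields)))
        entries.append(tuple(fields))
    return entries


def audit_packages(text, installed):
    """Refuse a list that fails its digest; otherwise return the warnings
    as (installed package, vulnerability type, url) tuples."""
    if not verify_digest(text):
        raise ValueError("vulnerability list failed SHA1 digest check (truncated or corrupt)")
    return [(pkg, vtype, url)
            for pattern, vtype, url in parse_vulnerabilities(text)
            for pkg in installed if matches(pattern, pkg)]


if __name__ == "__main__":
    # Message wording is this example's, not audit-packages' real output.
    for pkg, vtype, url in audit_packages(SAMPLE_LIST, INSTALLED):
        print("Package %s has a %s vulnerability, see %s" % (pkg, vtype, url))
```

Run as-is it reports exampled-1.2.2, libfoo-2.0.4nb1 and ntp-4.2.0 and leaves zsh alone; feeding it a list cut off part-way through raises on the digest check instead of silently auditing against a shorter list, which is the failure mode the paper describes.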