[darcs-users] patch file naming

David Roundy droundy at abridgegame.org
Thu Mar 18 12:59:00 UTC 2004

On Thu, Mar 18, 2004 at 12:36:11AM +0000, Ganesh Sittampalam wrote:
> On Wed, 17 Mar 2004, Kevin Smith wrote:
> > Your problem case does concern me a bit, but doesn't put me in to a
> > panic. darcs should probably refuse to record two patches within the
> > same timestame frame (1 second, I believe). That still wouldn't prevent
> > all problems, but probably eliminate any accidental cases.
> I'm rather more worried by the possibility of someone maliciously causing
> trouble this way. I haven't actually managed to figure out an attack,
> though.

This sort of attack (creating a patch with same name as one by someone
else, but with different contents) is a subset of the more general set of
"corrupt repository" attacks, and not a particularly powerful one, simply
because darcs doesn't download patches that it already has.  So an
attacker would need to get his corrupted version of a patch into a
repository that doesn't yet have the original, and if the attacker is able
to someone to accept a corrupted patch, they may as well make it a unique
patch (presumably containing a back door or bug).

That's not quite true.  A sufficiently clever attacker could take a patch
from one developer and modify it slightly (say removing a few lines from
the patch) and convince another developer to apply it, such that when the
second developer then applies a second patch from the first developer, a
security hole is introduced, because the change in the first patch offset
the file just right so the second patch applied cleanly to a different part
of the file than it was intended for.

Or, I guess the attacker could send two differing patches with the same
name to two developers... that would be a much easier attack to pull off.
The two could even do the same thing, but with a larger comment in one of
them.  That would be very annoying, and could be used in the same way as
the last paragraph to introduce a hole by changing where a second patch by
one of the developers gets applied in the other developer's repo.  :(

In the absense of corrupt patches, darcs is resistant to this sort of
attack (in contrast to arch, in which all it takes is a reordering attack,
in which a developer is convinced to apply two patches out of order), but
this is disturbing to consider.  :( I guess the social solution to this
problem is that when accepting patches from untrusted sources, only one
(trusted) person should accept the patch, and others should take it from
that person.  Another thing that could help alleviate this problem would be
storing hashes at tags and/or checkpoints.  A tag (and a checkpoint is just
a stored version at a tag) *does* have a canonical representation, so if we
store the hash of that, at least the corrupt repo attack can be readily
caught once a tag is made.
David Roundy

More information about the darcs-users mailing list