| 1 Jul 2021 |
Roos | You can always ask the nix daemon to build a derivation for you, but since it's hashed, you cannot replace a legitimate derivation unless you also happen to find a sha256 collision. | 11:21:41 |
balsoft | Another slight issue is if you have a sufficiently controlled and influential nondeterminism source in your dependency tree, another kind of attack is possible | 11:22:27 |
kunrooted | okay, and any other security risks related to /nix/store itself? | 11:22:31 |
kunrooted | ah, you type faster haha | 11:22:43 |
kunrooted | In reply to @balsoft:balsoft.ru ("Another slight issue is if you have a sufficiently controlled and influential nondeterminism source in your dependency tree, another kind of attack is possible"): what do you mean exactly | 11:22:59 |
kunrooted | injection/hijack of some kind? | 11:23:12 |
balsoft | I can't give a concrete example right now but I think it could be possible | 11:23:48 |
balsoft | Imagine that somewhere in the build there's basically if some_nondeterministic_condition then echo "malicious stuff" >> $out/bin/foo | 11:24:24 |
kunrooted | my best idea was to inject a derivation which would build something like gtfo bin | 11:24:31 |
balsoft | Then Eve can figure out the dependency tree of the system, and build this nondeterministic derivation with the condition triggered before Adam does | 11:24:59 |
balsoft | But it's such a low-possibility attack that a sha256 collision is more likely I think | 11:25:20 |
balsoft | In reply to @kunrooted:matrix.org ("my best idea was to inject a derivation which would build something like gtfo bin"): What do you mean | 11:25:46 |
balsoft | You can put whatever in the nix store, but the path will be decided by the nix daemon based on the derivation, that's the point | 11:26:07 |
balsoft | If you just put "something" malicious in the store, it will not be used by other users unless they explicitly do it | 11:26:33 |
kunrooted | so how can I force them to use it | 11:26:58 |
balsoft | Social engineering at best | 11:27:06 |
kunrooted | And by gtfo bins I meant things from this project: https://gtfobins.github.io/ | 11:27:13 |
balsoft | Nah it doesn't matter | 11:27:20 |
balsoft | If you can convince them to run a random script from a nix store, then yes | 11:27:40 |
kunrooted | okay so I can build the thing with exactly the same hash? | 11:27:40 |
Synthetica | I sometimes do ls /nix/store/*-*/bin/mybinary to grab a version of a binary I've used before but don't want to nix-shell? 🤷🏻 | 11:27:57 |
balsoft | Theoretically yes, practically it's extremely unlikely | 11:28:03 |
Synthetica | I suppose that could be a security risk | 11:28:14 |
balsoft | In reply to @synthetica:matrix.org ("I sometimes do ls /nix/store/*-*/bin/mybinary to grab a version of a binary I've used before but don't want to nix-shell? 🤷🏻"): Ah, yes, that's a really good one | 11:28:18 |
Synthetica | so if you get your derivation with a sufficiently low (in orthographic order) hash you can make sure you're first on that list | 11:28:57 |
Synthetica | And maybe trick a user into doing something dumb that way | 11:29:09 |
balsoft | The point is that it still requires a bit of social engineering | 11:29:26 |
Synthetica | Yes of course | 11:29:34 |
Synthetica | Or luck I guess | 11:29:48 |