[ccache] Possible vulnerability induced by the use of MD4?

Raphaël Marinier raphael.marinier at gmail.com
Fri Jul 24 02:34:18 MDT 2009


2009/7/22 Martin Pool <mbp at sourcefrog.net>:
> 2009/7/22 Raphaël Marinier <raphael.marinier at gmail.com>:
>> Hello,
>>
>> I was wondering why ccache uses MD4 (which is cryptographically
>> insecure) to decide whether a file should be recompiled.
>
> Because it's much faster than sha256.

Has the impact of the slowness of sha256 compared to MD4 been measured
in ccache?
We can hash with sha256 at more than 100MB/s on a typical computer
(see http://www.cryptopp.com/benchmarks.html for instance).
Isn't that fast enough for ccache? (I'm no expert in ccache)

>> It seems that an attacker could take advantage of that to introduce a
>> vulnerability in the binaries of a software compiled using ccache.
>> Namely, an attacker could do the following:
>> - find two source files A and B such that:
>>   * the MD4 hashes of A and B are the same (published attacks on MD4
>> don't allow doing that directly, but since MD4 is deeply broken, it is
>> reasonable to think that it is possible)
>
> Note that they actually have to find two source files A and B such
> that {the result of preprocessing them on the build system, plus the
> command line options, plus the size and modification time of the
> compiler binary, plus the stderr from the preprocessor} will have the
> same hash.  That may be harder.  At least it depends on knowing
> precisely what build environment will be used, and knowing that no
> relevant headers will change between the two stages.

Yes, it is of course not very easy, and overall, the attack is very
contrived as you said. (but still, MD4 is broken, so we shouldn't rely
on its security).

--
Raphaël
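
An added sketch, not ccache's code and not part of the original message: a cache key computed with SHA-256 over the inputs listed in the quoted reply (preprocessor output, command-line options, compiler size and modification time, preprocessor stderr), plus a local throughput measurement for the speed question. The function names, field labels, length-prefixed layout and sample inputs are assumptions made for illustration.

```python
import hashlib
import time

def _field(h, label, data):
    # Label and length-prefix each input so that moving bytes from one
    # field into another always changes the digest.
    h.update(label + b"\0" + len(data).to_bytes(8, "big") + data)

def cache_key(preprocessed, args, compiler_size, compiler_mtime, cpp_stderr):
    """Hex SHA-256 over the inputs listed in the quoted reply (layout assumed)."""
    h = hashlib.sha256()
    _field(h, b"argc", str(len(args)).encode())
    for arg in args:
        _field(h, b"arg", arg.encode())
    _field(h, b"cc_size", str(compiler_size).encode())
    _field(h, b"cc_mtime", str(compiler_mtime).encode())
    _field(h, b"cpp_stderr", cpp_stderr)
    _field(h, b"cpp_stdout", preprocessed)
    return h.hexdigest()

def sha256_mb_per_s(total_mb=32):
    """Measure local SHA-256 throughput in MB/s over total_mb of zero bytes."""
    chunk = bytes(1 << 20)
    h = hashlib.sha256()
    start = time.perf_counter()
    for _ in range(total_mb):
        h.update(chunk)
    h.digest()
    return total_mb / (time.perf_counter() - start)

# Constructed sample inputs, not taken from a real build.
SAMPLE = dict(
    preprocessed=b'# 1 "a.c"\nint main(void) { return 0; }\n',
    args=["-O2", "-c"],
    compiler_size=1048576,
    compiler_mtime=1248424458,
    cpp_stderr=b"",
)

if __name__ == "__main__":
    print("key:", cache_key(**SAMPLE))
    changed = dict(SAMPLE, compiler_mtime=SAMPLE["compiler_mtime"] + 1)
    print("key after compiler mtime change:", cache_key(**changed))
    print("SHA-256 throughput: %.0f MB/s" % sha256_mb_per_s())
```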

