[Box Backup] FreeBSD Security Officer's take on Box Backup

Chris Wilson boxbackup at fluffy.co.uk
Sun Jan 7 15:45:21 GMT 2007

Hi James,

I'm not the expert, but my understanding is:

>> The third popular suggestion I received was Box Backup. The
>> "Programmers(sic) Notes" included are a bit difficult to understand;
>> it sounds like boxbackup does use some very complicated magic with its
>> "encrypted rsync" to allow some old bits of files to be removed, but
>> I'm not sure if this includes intermediate versions of backed-up files
>> or only the versions which are the oldest at the time.

It's not rocket science, although I'm sure it wasn't easy to write. It's 
just reverse diffs/patches, but encrypted.

>> The latter possibility is fine if you only really care about having a 
>> backup of the most recent version of everything, but it's not useful if 
>> you want (as I do) lots of recent backups but far less frequent older 
>> backups.

That is a fair criticism. We are working on it. Snapshots of the entire 
system state at a given time, which should be a feature in 0.20, will help 
a lot.

>> Box Backup also leaks more information than I'm comfortable with; it
>> allows the 0wner of the system on which the backups are being stored
>> to identify
>>     * The structure of the directory tree,
>>     * The number of files in each directory,
>>     * Approximately how large each file is, and
>>     * Which files have been modified.
>> I'm probably far more paranoid about such things than most people; but
>> I would not want an attacker to say "hey, Colin just updated
>> /lib/libcrypto.so.4 on his server; there must be a new OpenSSL
>> security vulnerability"; even worse, if I used Box Backup, such an
>> attacker could likely figure out which files I had recently modified
>> in /usr/src in order to narrow down his search for whatever
>> unannounced bug I had just patched.

I don't think this is valid. You don't get the directory tree (even 
encrypted); you can't read directory or file names; you would have to 
figure out which directory is /lib or /usr/src by setting up a system 
similar to your target's, running Box Backup to upload to a server that 
you control, and comparing numbers and sizes of encrypted files in each 
directory on your server and his.

This is not an exact science and if you can't guess what software might be 
installed on your target's system with reasonable accuracy, all bets are 

I can't see any way of identifying "/lib/libcrypto.so.4", or any other 
unremarkable file in a directory of similar files, on a backup store with 
any degree of confidence at all.

Cheers, Chris.
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
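
Added example, not part of the original message and not Box Backup code: a sketch for checking your own tree against the comparison discussed above, where only the number of encrypted files per directory and their approximate sizes are visible on the store. It reports which directories have a unique count-and-size signature and how many sibling files share one file's rounded size. The sample data, the 4096-byte rounding and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: per opaque directory object, the sizes in bytes of the
# encrypted files inside it. IDs and sizes are invented for illustration.
STORE_VIEW = {
    "dir-01": [1_204_224, 310_272, 88_064],
    "dir-02": [4096, 4096, 4200, 4100],
    "dir-03": [4100, 4096, 4000, 4200],
    "dir-04": [52_000],
}

def signature(sizes, bucket=4096):
    """File count plus sorted sizes, each rounded up to `bucket`-byte units.

    `bucket` models "approximately how large each file is"; 4096 is an
    assumed granularity, not a Box Backup parameter.
    """
    return (len(sizes), tuple(sorted(-(-s // bucket) for s in sizes)))

def anonymity_sets(view, bucket=4096):
    """Map each directory to all directories sharing its signature."""
    groups = defaultdict(list)
    for name, sizes in view.items():
        groups[signature(sizes, bucket)].append(name)
    return {name: sorted(g) for g in groups.values() for name in g}

def identifiable(view, bucket=4096):
    """Directories whose signature is unique, so size metadata singles them out."""
    sets = anonymity_sets(view, bucket)
    return sorted(name for name, g in sets.items() if len(g) == 1)

def same_size_peers(sizes, index, bucket=4096):
    """Files in one directory indistinguishable by size from sizes[index]."""
    target = -(-sizes[index] // bucket)
    return sum(1 for s in sizes if -(-s // bucket) == target)

if __name__ == "__main__":
    for b in (1, 4096):
        print(f"bucket={b}: unique directories {identifiable(STORE_VIEW, b)}")
    print("files matching dir-02[0] by size:",
          same_size_peers(STORE_VIEW["dir-02"], 0))
```

A directory that shares its signature with others, or a file that shares its rounded size with siblings, cannot be singled out from this metadata alone.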
