On the need for a secure software update protocol (Re: Software updates work (Was: Re: [97all] Reflections from IETF 97))

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 13 January 2017 16:25 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id AA05F129468 for <ietf@ietfa.amsl.com>; Fri, 13 Jan 2017 08:25:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WCNrzTYjQSk4 for <ietf@ietfa.amsl.com>; Fri, 13 Jan 2017 08:25:29 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E10B129444 for <ietf@ietf.org>; Fri, 13 Jan 2017 08:25:29 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id D3D3C20183 for <ietf@ietf.org>; Fri, 13 Jan 2017 11:45:03 -0500 (EST)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 0E9606381A for <ietf@ietf.org>; Fri, 13 Jan 2017 11:25:28 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: IETF Discussion <ietf@ietf.org>
Subject: On the need for a secure software update protocol (Re: Software updates work (Was: Re: [97all] Reflections from IETF 97))
In-Reply-To: <C7129E67-758E-4930-B24A-0D643CF6F9BB@ietf.org>
References: <18F53808-425A-40EA-BFA2-CD84FB804CAD@ietf.org> <E8355113905631478EFF04F5AA706E98704998EB@wtl-exchp-1.sandvine.com> <C7129E67-758E-4930-B24A-0D643CF6F9BB@ietf.org>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Fri, 13 Jan 2017 11:25:28 -0500
Message-ID: <28475.1484324728@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/tomCiGKmwz2OVW7vg62lxIQYYOk>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 16:25:32 -0000

A question was asked:
    > "At the very least, I think it would be beneficial for the IETF
    > community to continue to call attention to folks that the minimum bar
    > when introducing a large number of devices (or any device) to the
    > Internet includes things like automatic software updates and avoiding
    > default passwords. "

Some background: I have used the Freescale based redwire econotag in a number
of projects, going back to before the term "IoT" was around. (as an aside
[please change the subject if you reply] I contend that 90% of the Web
Connected Things we are having problems with are not actually IoT as the
*IETF* thinks of it).

The econotag has 96K of EEPROM, and 128K of ram. When I first started using
it, that number seemed to be 96K of EEPROM and 32K of ram.  Definitely a
class 2 device.  It turns out that the default mode of operation is to
copy the EEPROM into ram, and then run from ram as the EEPROM, while
directly addressable, is much slower and more power hungry to access.

My Contiki build, with debugging and RPL and some actuator code was 60K.
Ugh. How can I field upgrade the device if I can't double bank the code?
Could I optimize the build down to 47K? (2*47K + 2K for some failsafe boot
code I'd never update).
Should I instead wait for Moore's law to give me 128K of EEPROM?
I never did solve the problem for this device, and I think that many
engineering managers go through this same struggle.  In the end, Moore's law
doesn't help, for two reasons:
  1) bigger devices are expected to do more to justify their cost.
  2) over time, code will expand to deal with flaws, and so will eventually
     break the double-bank boundary.

In the case of the econotag, I observed that I probably could do something
like update the EEPROM code while running from RAM, and maybe I could even
make things fit through compressing the code in EEPROM and extract it to RAM.

But, it got me thinking about how the network could help here.
In the olden days (and in my lab today, with uBoot on a variety of
platforms), one uses tftp to boot the image you want.  tftp has a ton of
problems.  They range from congestion collapse of low speed links if multiple
clients power on at the same time, to IPv4 only, to insecurity of the
traffic... The USB ethernet on the RPI is unreliable under uboot, and I had
to resort to plugging them into dumber switches, because GbE PHY
negotiation often timed out after a cold boot, leaving the unit with a failed
DHCPv4.   All of these are quality of implementation issues, not protocol

So what I want is something as simple, code-space-wise, as TFTP, but secure
and fast as HTTPS transfering signed S/MIME objects, or 4108 blobs.  I want
to do all the crypto setup and certificate parsing in the main body of my
code, using the full capabilities of my "OS", and then leave enough session
key around in the eeprom so that the update blob can be downloaded with the
stupidest, simplest bit of code possible.   Such that the device can actually
restart if it loses network or power part-way through the upgrade.

I had originally envisioned some kind of TLS with a session resumption
ticket.  SLAAC host configuration with a stable private address (no routing
protocol, just 6lo/6man/efficient-ND). Use CoAP block mode rather than TFTP.

This is the protocol profile that I think woud be valuable for the IETF
to define.  It's not enough to let it be vendor defined, because we need the
code bases (servers and clients and perhaps relays) to be widely available.
We need them to be in PC BIOSs ("press F3 to enter secure reflash mode"), and
Mobile Phone "Recovery" ROMs.

Writing the above, I realize that there is an alternative as well: HTTP/2
with QUIC satifies much of the requirements, from what I understand.

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-