Re: [Suit] How are firmware and firmware versions expressed in manifest?

Dick Brooks <> Tue, 09 June 2020 14:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E1DC3A03F2 for <>; Tue, 9 Jun 2020 07:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DuGjzLMsGrd5 for <>; Tue, 9 Jun 2020 07:18:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 619FE3A00B3 for <>; Tue, 9 Jun 2020 07:18:26 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id 9A12C5C0097; Tue, 9 Jun 2020 10:18:25 -0400 (EDT)
Received: from mailfrontend2 ([]) by compute1.internal (MEProxy); Tue, 09 Jun 2020 10:18:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=/K7czX eIts98aw2QKQuHCvqG3fBrQwhWTO9sBZRvQMQ=; b=eSvA6+/Lv8V1iGqIrn6rrt a9wkG+qZLUAK0vzTIZ97GsYubEb6mMxhLYAn9EvYGt/9fgmn4mCUiQr7TmIvtIzz Lx3aYUwKIv0RUa14hHYkpfL/8HQqpVOiP6tmNg+K4z9YWGAh5aaFXPQ6jo+BMo1N 7JtA/x1FBkWx2CDmmp0hBslPMVhq0FjrWPbXFhnVDPh1roVeYLpqfx5p+VVIX7Kt RsDMaJcoI/FAKTfdU+3WoDb2Ncbqid3BVptTHgtr+1OYR647BQ6bpJRMLakZzav0 DzzOfLLxtFX4C5QxTmBPLrybbKeZjj/Jx91O1YzkISl+SMBGAvBPHPEMWd9QuD6A ==
X-ME-Sender: <xms:MJrfXsPW7xu5uHG4aVgeRihJ_r1ihiwwpCpGUyqe38NNkV75IfIVWg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudehgedgjeejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvfhgjufffohfkgggtofhtsehrtdhgpedvtdejnecuhfhrohhmpedfffhi tghkuceurhhoohhkshdfuceoughitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlh ihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpedtteefjefffeeivdeigffflefg heekiedvffefleffheegkeeufedvtdfgudffleenucffohhmrghinheprhgvlhhirggslh gvvghnvghrghihrghnrghlhihtihgtshdrtghomhenucfkphepvdduiedrudelfedrudeg vddrvddvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epughitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhm
X-ME-Proxy: <xmx:MJrfXi-_y71iNU36uPTEgrxWFjXtDGEzr-5wNk0ANE7CKlBOmVUdsA> <xmx:MJrfXjT5ONYi9f9P4I97MHtuuCO1CaY-cW-hnIZ2Rhto2XXraYhnKw> <xmx:MJrfXks_-n4yhu-9PGXGvkVnr_pvTecFxtidj3d77ZS_fFLSHVUKWg> <xmx:MZrfXuoIkUUBHlRL_9j6LqvWfLApEVwNa1E53eCwHD9vesc8abYNoQ>
Received: from farpoint (unknown []) by (Postfix) with ESMTPA id 7C33F306218B; Tue, 9 Jun 2020 10:18:24 -0400 (EDT)
From: "Dick Brooks" <>
To: "'Eliot Lear'" <>, "'Hannes Tschofenig'" <>
Cc: "'Michael Richardson'" <>, <>
References: <> <8b6d01d639d0$62614150$2723c3f0$> <> <20437.1591317129@localhost> <1076601d63b3a$d53f5d90$7fbe18b0$> <> <> <5820.1591393073@localhost> <> <5789.1591484358@localhost> <> <>
In-Reply-To: <>
Date: Tue, 9 Jun 2020 10:18:20 -0400
Organization: Reliable Energy Analytics
Message-ID: <000001d63e68$d5d67190$818354b0$>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0001_01D63E47.4EC65830"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEpJGg3Q76y3b59AZfDOO6eGr7fRAJUo0s2Am+d4lkB06Pk1ADWaYOUAhdO83ACM65vWAF5pebOAo/piAQCuLadxwEldBKmAnje01ypebYLYA==
Content-Language: en-us
Archived-At: <>
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Jun 2020 14:18:29 -0000

I agree with Eliot on this point “I like the concept, because in industrial much of the tooling is already flagging quite a lot of false positive CVEs.”


The current vulnerability reporting domain has a very poor signal/noise ratio (lots of false positives) and the latency between vulnerability discovery and CVE data repository awareness can be significantly longer than it should be to effectively mitigate a vulnerability.


This is perhaps the biggest problem I’m facing, making it difficult to determine an accurate trustworthiness level (score) for a software object.


I have to agree; MUD – what were you drinking when that became the best choice?




Dick Brooks

 <> Never trust software, always verify and report! ™


Email:  <>

Tel: +1 978-696-1788


From: Suit <> On Behalf Of Eliot Lear
Sent: Tuesday, June 09, 2020 5:27 AM
To: Hannes Tschofenig <>
Cc: Michael Richardson <>ca>;
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?



On 8 Jun 2020, at 13:27, Hannes Tschofenig < <> > wrote:


I have to look at the links Eliot shared but I hope that people are not overly excited about the value of having information about what software version is on their devices for the purpose of drawing security conclusions. You have been at many hackathons where we created firmware for Cortex M-class devices and we used, for example, Mbed TLS in many instances. Does this tell you anything about the security? Can you draw conclusions when you hear that version X has a security vulnerability? Should you be concerned when a security researcher was able to mount a fault injection attack against a specific MCU with a specific version of Mbed TLS running on it? No, not really because you have to know what compile-time configurations were used to build the firmware, what hardware it is running on and what run-time configuration is present.


Actually, the people who should be concerned are the manufacturers, who are going to receive calls from customers who have learned that the manufacturer used EmbedOS but didn’t know that the option in a particular device is disabled.  This is an aspect of SBOMs that is understood to be problematic, and so discussion is gradually shifting to something they call Vulnerability EXchange (VEX) (I hate the name, but as someone who created something called MUD I have no real leg to stand on).  The idea behind VEX, fuzzy as it is, is that one would be able to query to determine if the manufacturer has investigated and affirmatively determined whether a particular product has a particular vulnerability.  I like the concept, because in industrial much of the tooling is already flagging quite a lot of false positive CVEs.