IETF Logo Mail Archive

Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 11 June 2021 23:31 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1DC63A1213 for <suit@ietfa.amsl.com>; Fri, 11 Jun 2021 16:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6Nq2xc4KnTJ for <suit@ietfa.amsl.com>; Fri, 11 Jun 2021 16:31:26 -0700 (PDT)
Received: from mail-yb1-f175.google.com (mail-yb1-f175.google.com [209.85.219.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3443A120C for <suit@ietf.org>; Fri, 11 Jun 2021 16:31:26 -0700 (PDT)
Received: by mail-yb1-f175.google.com with SMTP id h15so6513926ybm.13 for <suit@ietf.org>; Fri, 11 Jun 2021 16:31:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9XlltkVkJo8nyAEzQ2Z8Nti96YWtJQ4Vlhkfjxodv4U=; b=B3AbQ9eTLbMvnuaT1eyx7SkYdw0Gi9o3/fO2cmLVpotPXvfiydPG6mfdsG2uMopo4E oWp4kS9M5t/FuvyIojZ9d1bZ+kr48azNSyZ/VN0EtBmXEokG0/OLL4fpdCsnP1xeP1wB YjBjbyJDTQ9He4u2MEaVJSk8Hp4UfJk5Pj7Dqq8daHQH9ldWukqbKm8zEjfloyFEZxXQ tyZ+RXtpyR9yizy/nmg/snKOjv7VHJPODkvldM2SYqzgwNZtcCjr8FD4x8dAKQYW7nxK +a94CFA3H3QnjSFWv33mNyNg4P0tgK8RPbzfwpP/KQ+Hp/4mfeuRW3UYf8P0VHUI8mlL digQ==
X-Gm-Message-State: AOAM532EKlMJIIRooDLL2S57Ha4XawprVmOrZ6G71Uc1HBBxEyN87Q5z CVzz4NfafMYGI/Bx0+NAvloPFYw1ps5RfxY2YaE=
X-Google-Smtp-Source: ABdhPJy2bRpa6UAP40YxyXVkg7TTcnhv1ZGW0tJlqxtCGUjoyWKFhQHBeD0yxwQQ/2c5dRqoGLbCT1DiqJVTbQ8oKys=
X-Received: by 2002:a25:660b:: with SMTP id a11mr9115711ybc.172.1623454285128; Fri, 11 Jun 2021 16:31:25 -0700 (PDT)
MIME-Version: 1.0
References: <0f9601d75adf$5856cf50$09046df0$@reliableenergyanalytics.com> <DBBPR08MB59155DB5DBE123F55B25894BFA359@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAMm+Lwg36Y-tpB+XTwYYpC3psCNEj3O33BzrnzzC8gtMjgkD3Q@mail.gmail.com> <DBBPR08MB5915A4EAB8B59778AD9DCAD9FA349@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAMm+LwjOttzKEA8=BkLJw1-n8RthEtYwToiUkix8=83c-TnkQw@mail.gmail.com> <8419.1623451796@dooku>
In-Reply-To: <8419.1623451796@dooku>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 11 Jun 2021 19:31:14 -0400
Message-ID: <CAMm+LwjTeGNPwMxizpELnyky4-_fAP6b2MbtH6LP8ndSW-mM0Q@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: suit <suit@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f9690505c485e7fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/DdbSCIkCQMZaCTznRgmQ-W97lDM>
Subject: Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 23:31:31 -0000

On Fri, Jun 11, 2021 at 6:50 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>     > Authenticode only signed the software distribution package, most of
>     > what has followed has done the same. That is a useful control of
> course
>     > because an installer is an executable that runs on the machine. But
> it
>     > is necessary but not sufficient: Every executable, every piece of
>     > installed data should be signed without exception.
>
> I think that there are existing mechanisms to embed signatures in ELF.
> There was a lot of discussion, I think, about how the signature was visible
> or not visible to regular tools.  Some mechanisms basically hid the
> signature
> at the end of the file, pretending that the file was shorter when treated
> as
> an executable.
> Other people wanted it in some other resource record, but then there were
> concerns that the signatures would get lost in backups, etc.
>
> So there have been patches to Linux to verify the signatures before
> executing.  I think that this has been done on other platforms, and there
> are
> even MCUs that can verify and even decrypt code transparently as it is
> executable.
>
> Are you thinking at this level?   Always?  Sometimes?
>

Given that this is a submission to govt. I am not particularly concerned
with the normal process of socializing a proposal in the Linux proposal.

This is the sort of area where if govt. sets a specific, achievable
requirement and puts up a relatively modest amount of cash, change is going
to happen. And don't forget that the reason Ubuntu exists in the first
place is that Mark Shuttleworth (appropriately) had a bee in his bonnet
about code signing. I really don't see this as a heavy lift

The harder part is all the checking and certification that has to take
place in order to know that a theoretical security control is an actual
one. It takes quite a bit to make something the default. But this is
something that a lot of parties have interests that could be met at the
same time.

Take Java and .NET code. Both require a runtime library support to run.
Both seek to provide cross platform binary compatibility. Wouldn't it be
nice if there was an industry standard agreement on one packaging format
for an executable that will work on Windows, Linux and MacOS on any CPU?

If we want to get really serious, we will need hardware support so that
file digests are checked as pages are mapped into memory.




>     > am merely saying that they have to define one, they have to show that
>     > all the necessary operations are inside it and that everything inside
>     > it is sufficiently secure.
>
> I think that there is an additional part: resilience of the whole to
> failures
> of the pieces.   Having one large perimeter is not as good as having many
> small ones, except some consideration of economies of scale.
>

Yes, and I am happy to leave that part of the problem to those concerned
with specific deployments.



> ...
>
>     > It is worth pointing out that the reason colonial pipeline was
> affected
>     > so badly was probably that they were sending multiple types of fuel
>     > down the same pipe in batches. That game is only going to work if you
>     > can absolutely guarantee that you aren't going to put the load of tar
>     > into a tank full of top grade aviation fuel. So their problem
> probably
>     > wasn't on their actual operations side itself, the thing they were
>     > looking at. They had not understood that the database of what fuel is
>     > where was actually critical to operations.
>
> So that was really their problem, they lost their inventory list?
>

That is my informed guess after reviewing some non public info and reading
between the lines in various communications.

v2.8.7 | Report a Bug | By Email