[Suit] AD Review of draft-ietf-suit-information-model-07
Roman Danyliw <rdd@cert.org> Thu, 17 September 2020 18:33 UTC
Return-Path: <rdd@cert.org>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08C1C3A0F2B for <suit@ietfa.amsl.com>; Thu, 17 Sep 2020 11:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqlW_gRkMpyP for <suit@ietfa.amsl.com>; Thu, 17 Sep 2020 11:33:21 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02C1E3A0F1E for <suit@ietf.org>; Thu, 17 Sep 2020 11:33:20 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 08HIXJQw016426 for <suit@ietf.org>; Thu, 17 Sep 2020 14:33:19 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 08HIXJQw016426
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1600367599; bh=S7r0W1dVuBHjbg8Fz21k+AWCCCdLg8N3DZSFO4ECdak=; h=From:To:Subject:Date:From; b=JrJBbgheo/LwGxQaqqP+8kh1mEYoz2elguzFJKBIDdvZv3Papz3I1hvXdhAgp9Nuh M7D4engINn/YsjBBNhJx8pNsN9Z+eEwzIblOZSQA80iySGmFKvRDecZb9sYldr8p2k RCmD0CnxM37baxUX4ioDWFmshVsVEVXQYtwn42jo=
Received: from MORRIS.ad.sei.cmu.edu (morris.ad.sei.cmu.edu [147.72.252.46]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 08HIXJ7q037156 for <suit@ietf.org>; Thu, 17 Sep 2020 14:33:19 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Thu, 17 Sep 2020 14:33:19 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Thu, 17 Sep 2020 14:33:19 -0400
From: Roman Danyliw <rdd@cert.org>
To: suit <suit@ietf.org>
Thread-Topic: AD Review of draft-ietf-suit-information-model-07
Thread-Index: AdaNIHWEeG7nzIQrT0u9TuqH6YXUVw==
Date: Thu, 17 Sep 2020 18:33:19 +0000
Message-ID: <7da85a7c7657486bbe987fdaf5451245@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.201.56]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/PCNgwoCRh_h0POes7ZYh6opYMJ8>
Subject: [Suit] AD Review of draft-ietf-suit-information-model-07
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 18:33:23 -0000
Hi! I conducted an AD review of draft-ietf-suit-information-model-07. Thanks for the thorough and systematic treatment of the security considerations. More detailed feedback is below: ** Abstract. Per "... have raised the need for a solid ... firmware update mechanism", could an alternative to the colloquial "solid" be used. ** Section 3.2. Per "This number MUST be easily accessible so that code choosing one out of several manifests can choose which is the latest", what are the additional properties of this number? I don't follow how "easy accessib[ility]" is related to the ability to compare several values to "choose which is the latest". Do you mean that "its' not buried somewhere at the end in a complicated encoding"-kind of accessible? **Section 3.5. What is a conditions list? This is this first use of the word in the text; and it isn't defined in the architecture document. ** Section 3.5 and 3.9. Both of these sections call out a "enables feature" mapping. Where is the full list of these features? Why don't the other manifest elements have that mapping? ** Section 3.7 and 4.3.3 Both of these section make references to "secure time" or a "secure clock". Is there a reference to provide on what that bar might be? ** Section 3.15: There is an implicit design here around what is "wrapping" the manifest that I'd like to clarify. Specifically: -- Per "This is not strictly a manifest element", if so, editorially, why it is listed as a manifest element? -- This section doesn't explicitly describe what a "Signature" element is. What information does it encode? -- Per "The authentication container MUST support multiple signers and multiple signature algorithms", what is the scope of the signatures (i.e., which subset of the manifest elements?)? Do the multiple signatures always sign the same thing? -- What exactly is a manifest vs. "a standardized authentication container"? Can a standardized authentication container have multiple manifests? -- What is the relationship between this "standardized authentication container" and a "manifest superstructure"? -- What other information elements go into the "authentication container"? ** Section 3.15. Per "Lightweight authentication with pre-existing relationships SHOULD be done with MAC" -- What is a "lightweight authentication"? -- If it's not done with a MAC (which is a SHOULD), how is this done? -- Can "pre-existing relationship" be clarified.? ** Section 3.20 - 3.24. These sections do not provide guidance on whether these elements are OPTIONAL or REQUIRED. ** Section 3.9, 3.16, 3.21. To check my understanding of the order in which 3.9, 3.16 and 3.21 are applied -- Section 3.9 is used to guide the decode a payload, Section 3.16 is applied to decide when to run the payload and Section 3.21 used to guide how to load the payload when it is decide it should be run? ** Section 3.21 and 4.5.10. My read of Section 3.21's "This is effectively a copy operation from the permanent storage location of an image into the active use location of that image. The metadata ..." left me with the impression of a very narrow capabilities. However, Section 4.5.10 suggests a richer capability "It MUST be possible to specify additional metadata for load time processing of a payload, such as cryptographic information, load-address, and compression algorithm." I would have expected that richer description in the definition of the information element, not in a requirement. ** Section 3.23. Per "The Payload element provides a recipient device with the whole payload ...", the text current defines the "Payload" element name by simply repeating the word "payload". Is "payload" the same as draft-ietf-suit-architecture definition of "firmware image"? If so, it would be worth saying that. If not, what is the relationship between them? ** Section 3.24. Can you clarify the statement of the key claim not being authenticated. I'm taking "authenticated" to mean not signed by the Signature element -- assuming this is in the manifest, what other information elements are in the manifest but not authenticated? ** Section 4.2.2. Editorially, this attack is titled "ROLLBACK". This characterization doesn't seem right as the device isn't being downgraded to a version older than it is currently running. It just isn't getting the latest version. ** Section 4.2.2. I think we need to soften the "mitigated by" language. REQ.SEC.EXP is invoking an optional features usable only when certain devices (i.e., those with secure clocks) ** Section 4.2.2. Is there another exposure here to discuss with the use of Expiration Time if the author goes out a business? Consider if the device is running version 1 and is offline for a while. The author publishes version 2 with important patches but puts an "expired time" in it. The author goes out of business. The device wakes up and tries to download the v2 from the firmware server but rejects it because it has expired. Now the device is permanently vulnerable even though a "fix" is available. ** Section 4.2.5. The reference for the mitigated by should be Section 4.3.6 (not 4.3.5). ** Section 4.2.7. In the spirit of inclusive and more precise language, s/THREAT.NET.MITM/THREAT.NET.ONPATH/ (or some other way to say "on-path attacker" instead of "man-in-the-middle") Regards, Roman
- [Suit] AD Review of draft-ietf-suit-information-m… Roman Danyliw
- Re: [Suit] AD Review of draft-ietf-suit-informati… Brendan Moran
- Re: [Suit] AD Review of draft-ietf-suit-informati… Roman Danyliw