Re: [Suit] draft-ietf-suit-architecture-01

Brendan Moran <Brendan.Moran@arm.com> Thu, 12 July 2018 14:20 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80109130E55 for <suit@ietfa.amsl.com>; Thu, 12 Jul 2018 07:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VY1WqoQWEEj3 for <suit@ietfa.amsl.com>; Thu, 12 Jul 2018 07:20:02 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on0606.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::606]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A3CC1310F8 for <suit@ietf.org>; Thu, 12 Jul 2018 07:20:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1CEFDjOe112wePRhngwQOe/ldaZVwoaeMyeaTyMr1w4=; b=S9WD42/zmahfTG8Ch+JBymUbPnXLIRbqtkmkx+e4cVJb2MlIpfkmaOW2hbGPZiFR65E5r5I6aGMZpJ8haWAmuSGxut2MZFL8DRKaRMLoN8eLuyttso68IqYAmh1B6vN0qXloVQInC1qbks8FDbrNneXDFKBdCQ7J+qZhdOuxBJs=
Received: from AM4PR0802MB2260.eurprd08.prod.outlook.com (10.172.217.150) by AM4PR0802MB2129.eurprd08.prod.outlook.com (10.172.216.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.17; Thu, 12 Jul 2018 14:19:58 +0000
Received: from AM4PR0802MB2260.eurprd08.prod.outlook.com ([fe80::3c9f:d4ca:23a0:2aad]) by AM4PR0802MB2260.eurprd08.prod.outlook.com ([fe80::3c9f:d4ca:23a0:2aad%4]) with mapi id 15.20.0952.017; Thu, 12 Jul 2018 14:19:58 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: David Brown <david.brown@linaro.org>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Denis <denis.ietf@free.fr>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Suit] draft-ietf-suit-architecture-01
Thread-Index: AQHUErR5GmKFWAWt3UWTuHjbKxqWO6R9qEJWgA4JJ4A=
Date: Thu, 12 Jul 2018 14:19:58 +0000
Message-ID: <ABA348F9-735F-41DA-A57F-D43093455C00@arm.com>
References: <VI1PR0801MB2112A08944328EE625D4DE5CFA430@VI1PR0801MB2112.eurprd08.prod.outlook.com> <ec04d5da-0b76-f4d7-c548-e69579530856@free.fr> <VI1PR0801MB21127B3F43736CA592FD52B5FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CD3C4129-5F07-406A-B688-ECF773B4371C@linaro.org>
In-Reply-To: <CD3C4129-5F07-406A-B688-ECF773B4371C@linaro.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.8.2)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Brendan.Moran@arm.com;
x-originating-ip: [217.140.96.140]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0802MB2129; 7:pIUSZU8/aUVkwkqxE83eQJDt2EsDC3GxJGUmZ7Q8/1kHd6xkTJIuye4U2A798I7H6tv3a+9fw+CrBlzzRF+8TTDhCD6VDSz7qKB1EygkrWbifawtmoAIx87Z+R1WcBoUe/BpGQksQNNp8owFDUSG1tNKRFH4PHYNNIwfPm7+jFToAhYjiFPWNQbJxXooQYvBNqKSVSBV35QM1iAlMHkSy1fyvyhLEG7cJ9W6OEXV/jfc9llatsbIUTJ/P5ltwrRi
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-ms-office365-filtering-correlation-id: 55192e68-5c79-4abd-9e49-08d5e8028c6f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:(223705240517415); BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(48565401081)(2017052603328)(7153060)(7193020); SRVR:AM4PR0802MB2129;
x-ms-traffictypediagnostic: AM4PR0802MB2129:
x-microsoft-antispam-prvs: <AM4PR0802MB2129B110FCA6ED425FB2F445EA590@AM4PR0802MB2129.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(191636701735510)(180628864354917)(192374486261705)(223705240517415);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231311)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(20161123558120)(6072148)(201708071742011)(7699016); SRVR:AM4PR0802MB2129; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0802MB2129;
x-forefront-prvs: 0731AA2DE6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(39860400002)(366004)(396003)(136003)(40434004)(189003)(53754006)(199004)(54094003)(106356001)(7736002)(186003)(4326008)(57306001)(966005)(316002)(54906003)(2900100001)(3846002)(6116002)(33656002)(8936002)(53546011)(6506007)(93886005)(8676002)(102836004)(26005)(76176011)(81156014)(83716003)(50226002)(68736007)(446003)(81166006)(99286004)(82746002)(6486002)(2616005)(6512007)(86362001)(10750500005)(54896002)(6306002)(53936002)(486006)(6436002)(478600001)(5660300001)(2906002)(236005)(36756003)(476003)(11346002)(256004)(5024004)(18074004)(14444005)(6246003)(229853002)(5250100002)(25786009)(6916009)(72206003)(14454004)(66066001)(606006)(97736004)(105586002)(15866825006); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0802MB2129; H:AM4PR0802MB2260.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 1pgJL+IYQvVDKMCkEZv9D20zNl3ANRHeAdn3l4ZtecbA4RhRDPWtmscc0IvnuMr5O+6JdL4s/pYtTQnXlFAnlUQYNRCLjB4QMgI2JuNghqpPv47P5SllOgm/ZYROYz8c21QZsT07GtJj9vGe+gHbfzAUAewvVnwO7YBp8YauoIzXdpaHT8NSejKNPN2GtZvWzEwsuBOZgatTXfVL3xaxgFDrrDEjpJlhPee41oFXUzuL2V/9gHtRmDdzWqd1YRUYyzHJgDNaPNoW047t3VWSjrehEU5r9Ml+mIfCvnv35u87Bdf1shLbKfdb4VpDUITiOwyodCnBvvfWnowy5oCYDrPibik0vUf6FBfiWnTURX4=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_ABA348F9735F41DAA57FD43093455C00armcom_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 55192e68-5c79-4abd-9e49-08d5e8028c6f
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2018 14:19:58.5426 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0802MB2129
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/S-bm_ZEVDvmRaTXLL_P70EJOX0M>
Subject: Re: [Suit] draft-ietf-suit-architecture-01
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 14:20:07 -0000

Hi David,

I think there’s insufficiently precise language somewhere in the architecture document. This is absolutely not the intent of the architecture. Locally-initiated rollback is a necessary feature for guaranteeing the reliability of a device.

The specific threat we’re trying to defend against is:

  1.  Device X has firmware A.
  2.  Firmware Authority releases firmware B
  3.  Device X is updated to firmware B
  4.  Malicious actor finds vulnerability in firmware A that is no longer present in firmware B.
  5.  Malicious actor reissues firmware A to device X
  6.  Device X reverts to firmware A
  7.  Malicious actor exploits device using firmware A.

This means that it is dangerous to have any remote triggers for rollbacks without strong guarantees of authenticity.

So, how do we prevent this scenario while providing a lightweight way to trigger an authentic rollback?

I think this is actually an optimisation problem. Is the client smart enough to look for a local copy of a resource before fetching it remotely? Does this need to be addressed in the manifest directly? I haven’t seen a compelling argument for that yet.

Notwithstanding the above, the way to refer to a “built-in” image is to refer to it by uri: file:///, for example. I don’t think there’s a uri namespace for numerically addressed storage (raw flash). I should note that URIs are optional. That is intended for use when a device knows where to look for updates without being told, and behaviour is implementation-defined. An appropriate approach to a manifest that has no URI is to walk through available sources of resources by cost, checking if they have the specified payload (by hash). The lowest cost is the local storage, which would solve this problem, I think.

Does that address the problem?

Thanks,
Brendan


On 3 Jul 2018, at 16:59, David Brown <david.brown@linaro.org<mailto:david.brown@linaro.org>> wrote:

I had an interesting conversation with someone building a device (a battery powered device, where network traffic is expensive). When they update the firmware, they keep the previous version around, and have an ability to roll back to that version in case there are issues.

I presented the argument that the correct answer is to re-release the older firmware, with a new higher monotonic value. Their counterargument was that this was costly in terms of power, because it requires the image to be resent.

I think the best answer here is to have them issue a new manifest that describes this old image (the one kept around), that has a new monotonic value. That way, only the manifest has to be sent (something has to be sent to tell the device to revert the image anyway). I think this model is covered in our current docs, since we don’t really define how a “built-in” image is referred to.

But, this does make me realize that there are times that things can be spelled out clearly, usually for security reasons, that end up getting disabled due to what someone thinks is a practical reason. I agree that preventing rollback is important for security, but I’ve found myself arguing against these practical cases multiple times.

I wonder if it would be worth writing up a use case to capture this particular revert case, and how that can be addressed with the model we currently have.

David

From: Suit <suit-bounces@ietf.org<mailto:suit-bounces@ietf.org>> on behalf of Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Date: Tuesday, July 3, 2018 at 8:59 AM
To: Denis <denis.ietf@free.fr<mailto:denis.ietf@free.fr>>, "suit@ietf.org<mailto:suit@ietf.org>" <suit@ietf.org<mailto:suit@ietf.org>>
Subject: Re: [Suit] draft-ietf-suit-architecture-01

Hi Denis,

I think the risk of installing an old firmware version is covered in the information model document, which goes into the details of what a manifest has to contain. See Section 3.2.1 of https://tools.ietf.org/html/draft-ietf-suit-information-model-01

There are essentially three types of documents the working group is aiming to produce: an architecture document, the information model for the manifest and one or multiple serialization formats. You have been looking at the architecture but the appropriate document to read is the information model spec.

Ciao
Hannes

From: Suit [mailto:suit-bounces@ietf.org] On Behalf Of Denis
Sent: 03 July 2018 11:59
To: suit@ietf.org<mailto:suit@ietf.org>
Subject: Re: [Suit] draft-ietf-suit-architecture-01

Hannes,

It is well known that software updates are often done to address a security issue. The same applies
to firmware updates. The current draft is lacking to address protections against the downloading of
an old firmware version. The threat should be mentioned in the security considerations section.

The main body of the document should mention mechanisms to prevent the replay of an old version
of the firmware.

Denis


Hi all,

I have just submitted version -01 of the architecture document. I have incorporate feedback from the working group, such as

  *   New terminology,
  *   Updates on the operating modes
  *   New architecture figures,
  *   New use cases (by David Brown)


Here is the new version:
https://tools.ietf.org/html/draft-ietf-suit-architecture-01

Here is the diff:
https://tools.ietf.org/rfcdiff?url2=draft-ietf-suit-architecture-01.txt

Feedback is appreciated.

Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.




_______________________________________________

Suit mailing list

Suit@ietf.org<mailto:Suit@ietf.org>

https://www.ietf.org/mailman/listinfo/suit


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ Suit mailing list Suit@ietf.org<mailto:Suit@ietf.org>https://www.ietf.org/mailman/listinfo/suit
_______________________________________________
Suit mailing list
Suit@ietf.org<mailto:Suit@ietf.org>
https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.