[Suit] Valid but partial updates (possible threat)

"Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no> Mon, 08 June 2020 11:36 UTC

From: "Rønningstad, Øyvind" <Oyvind.Ronningstad@nordicsemi.no>
To: "suit@ietf.org" <suit@ietf.org>
Date: Mon, 8 Jun 2020 11:36:43 +0000
Message-ID: <AM0PR05MB4339615FC81DB1B90F72BBEB88850@AM0PR05MB4339.eurprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/cggyNP9nUT-iZvyvIy7ELF5dTlM>
Subject: [Suit] Valid but partial updates (possible threat)

Hi
I have a concern about root manifests. By root manifest I mean the manifest that describes the whole coordinated update (all payloads, dependencies, and conditions). For secure boot, the root manifest serves as the "entry point" for booting the system.

Imagine a device is expecting a new root manifest, and an attacker inserts a different manifest in its stead. The replacement manifest is a valid dependency manifest of a valid new root manifest, but not a root manifest itself. When executed as a root manifest, this manifest leaves the device in a bad state (e.g. no app, or incompatible with the existing app/libraries). How to protect against this (without resorting to transport-specific security)? Maybe a dedicated component for the manifest, with a separate class ID? If so, this must be known by the implementer, so it should be made explicit in the manifest document. I think this can also go into the information model as a distinct threat (even if it is very related to 4.2.3. THREAT.IMG.INCOMPATIBLE: Mismatched Firmware), since it needs specific action from the implementer. Something like:

"Valid but partial update
An attacker sends a subset of a valid update that, when applied in isolation, breaks compatibility with other software on the device, or otherwise leaves the software in a bad or incomplete state."

Øyvind Rønningstad
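The check the post is asking for, as an added illustration that is not part of the original message or of any SUIT implementation: manifests are modelled as plain dicts with assumed field names (`class_id`, `signed`, `dependencies`, `payloads`), the class ID strings and sample manifests are constructed, and a signature is reduced to a flag so the example runs offline.

```python
"""Model of the "valid but partial update" threat and two defensive checks.

Added example, not SUIT reference code. Field names and class ID values are
assumptions chosen for readability, not SUIT CBOR keys. Signature verification
is modelled by a constructed 'signed' flag.
"""
import hashlib
import json
from typing import Dict, Tuple

ROOT_CLASS_ID = "class:root-manifest"   # constructed: dedicated class ID for root manifests
DEP_CLASS_ID = "class:app-library"      # constructed: class ID of a dependency manifest


def digest(manifest: dict) -> str:
    """Stable digest over manifest content (stand-in for the digest a root uses to name a dependency)."""
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()


# Constructed sample update: one dependency manifest referenced from a root manifest.
DEPENDENCY = {"class_id": DEP_CLASS_ID, "signed": True,
              "dependencies": [], "payloads": ["libfoo.bin"]}
ROOT = {"class_id": ROOT_CLASS_ID, "signed": True,
        "dependencies": [digest(DEPENDENCY)], "payloads": ["app.bin"]}


def accept_as_root(candidate: dict, available: Dict[str, dict]) -> Tuple[bool, str]:
    """Decide whether `candidate` may be processed as the device's root manifest.

    `available` maps digest -> manifest for every manifest the device has fetched.
    Returns (accepted, reason).
    """
    if not candidate.get("signed"):
        return False, "unsigned manifest"
    # Mitigation suggested in the post: a root manifest must carry the dedicated
    # root class ID, so a validly signed dependency manifest cannot be executed
    # in the root's place even though its signature checks out.
    if candidate.get("class_id") != ROOT_CLASS_ID:
        return False, "not a root manifest (class ID mismatch)"
    # Completeness: every dependency the root names must be present before the
    # update is applied; otherwise the device would install a valid but partial subset.
    missing = [d for d in candidate["dependencies"] if d not in available]
    if missing:
        return False, f"missing {len(missing)} dependency manifest(s)"
    return True, "ok"
```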