Re: [Suit] suit-firmware-encryption-00

Hannes, see comments inline DB>>

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com> 
Sent: Tuesday, June 1, 2021 12:03 PM
To: dick@reliableenergyanalytics.com; 'Russ Housley' <housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

Hi Dick,

Currently the manifest specification does not contain attestation
information. However, as with the MUD information the manifest can be
extended to convey such a report.

DB>> the extension solution seems like a reasonable approach to address the
malware attestation.

On the second issue, that's a new topic for me. As you noted, the Vendor ID
condition cannot be used for that purpose because it has been designed for a
different task.

Thinking out loud here: Would the use of X.509 certificates when signing the
manifest (with the Extended Key Usage extension) do the job? If not, would
the delegation mechanism defined for the SUIT manifest help? (The delegation
mechanism is described in
https://datatracker.ietf.org/doc/html/draft-ietf-suit-information-model-12#s
ection-3.25 and in
https://datatracker.ietf.org/doc/html/draft-ietf-suit-manifest-13#section-5.
2

DB>> Currently software consumers do not have a standard method to verify
that a signing party has been authorized to sign on behalf of a software
source supplier, when performing digital signature verification on a
software package. Many people "assume" that the signing party is the
software source supplier.  A digital signature alone is insufficient at
identifying the software source supplier because anyone with a code signing
key can sign any software package, as demonstrated in this article:
https://energycentral.com/c/ec/who-ya-gonna-trust 
DB>> I plan to raise the need for a formal method to verify authorized code
signing parties on behalf a software source supplier during digital
signature validation as a topic during NIST's EO workshop in 6/2-3. 

(It is not unlikely that the delegation mechanism would benefit from more
details...)

Ciao
Hannes

-----Original Message-----
From: Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Tuesday, June 1, 2021 3:20 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; 'Russ Housley'
<housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

Hannes,

Will the SUIT manifest contain an attestation of a clean malware scan that
can be verifiably validated for the encrypted software in hand? That would
help, if a malware scan is not an option.

The other issue that needs to be addressed is the ability for a software
consumer to verify that the signing party of a software object has been
given authorization to sign code on behalf of a software source supplier
(VENDOR ID) in the manifest, using a standard method - something similar to
DNS CAA records, but for digital signatures, e.g. maybe DNS DSA records.

Ref: "Vendor ID is not intended to be a human-readable element.  It is
intended for binary match/mismatch comparison only."

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Sent: Tuesday, June 1, 2021 9:05 AM
To: dick@reliableenergyanalytics.com; 'Russ Housley' <housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

It is a challenge.

The SUIT manifest provides the capabilities to give authorized parties extra
information (via the manifest meta-data and software description*) while
providing less info to adversaries.

(*): I am assuming that the info offered via MUD, COSWID, and the textual
description is of any help to you. If it is not, then you need to let us
know what other pieces of information will have to be included in the
manifest to become valuable to make the risk assessment.

Ciao
Hannes

-----Original Message-----
From: Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Tuesday, June 1, 2021 1:32 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; 'Russ Housley'
<housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

Hannes,

I definitely see your point, it seems the real problem to solve is:
- How do we (1) prevent the bad guys from discovering SW details (source
code) from binaries while simultaneously (2) providing end use customers the
ability to conduct malware scans, and other risk management functions?

If we encrypt a binary distribution we achieve 1 but not 2 If we do not
encrypt we achieve 2, but not 1

Are we really looking at a mutually exclusive choice?

Both of these objectives are trying to achieve the same thing: Keep the bad
guys from causing harm.

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Sent: Tuesday, June 1, 2021 6:40 AM
To: dick@reliableenergyanalytics.com; 'Russ Housley' <housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

Dick, I understand your line of argument.

At the same time I want to create awareness for the attacker point of view.
They need to get access to plaintext firmware of an embedded device (unless
the attacker already knows what the source was used). This is why there are
advanced disassemblers available (such as IDA Pro, Binary Ninja, and Ghidra
-- to name a few).

As a way forward I am proposing to use the additional data carried in the
manifest for doing the SCRM risk assessment step. I believe that this should
work.

Ciao
Hannes

-----Original Message-----
From: Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Monday, May 31, 2021 10:00 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; 'Russ Housley'
<housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

Thanks, Hannes. I just submitted a concern regarding the problem encryption
creates for malware scanning, which is one of the SCRM risk assessment
steps, performed before installation

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Sent: Monday, May 31, 2021 3:57 PM
To: dick@reliableenergyanalytics.com; 'Russ Housley' <housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

Hi Dick,

with the SUIT manifest format I hope we can make information available to
trusted third parties (MUD, COSWID and alike) and at the same time use
encrypted binaries. Having access to the plaintext binary is essential for
adversaries to mount attacks. (Happy to give a tutorial about how this
works.)

Like-wise differential updates may make it difficult for SCRM vendors to
make their analysis but the information in the manifest can help them.

Severable fields allows to remove information from the manifest before it is
sent to the device. This reduces overhead and prevents untrusted parties
from gathering information from the manifest.

Ciao
Hannes

-----Original Message-----
From: Dick Brooks <dick@reliableenergyanalytics.com>
Sent: Monday, May 31, 2021 7:07 PM
To: 'Russ Housley' <housley@vigilsec.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>; Hannes Tschofenig
<Hannes.Tschofenig@arm.com>; suit@ietf.org
Subject: RE: [Suit] suit-firmware-encryption-00

I agree, Russ.

Parties subject to the 5/12 Executive Order
(https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/ex
ecutive-order-on-improving-the-nations-cybersecurity/) will likely want to
perform a proactive SCRM risk assessment prior to installation, if my
interpretation of the EO is accurate.

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Russ Housley <housley@vigilsec.com>
Sent: Monday, May 31, 2021 12:56 PM
To: Dick Brooks <dick@reliableenergyanalytics.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Hannes Tschofenig
<Hannes.Tschofenig@arm.com>; suit@ietf.org
Subject: Re: [Suit] suit-firmware-encryption-00

Dick:

Yes, and there are other use cases that require encryption.

Russ

> On May 31, 2021, at 12:53 PM, Dick Brooks
<dick@reliableenergyanalytics.com> wrote:
>
> " If a trustworthy party in the middle of the distribution path is 
> able to detect a problem with cleartext (but signed) firmware, they 
> can report a vulnerability and refuse to pass the update along."
>
> This is precisely the function SCRM vendors are performing today.
> Encrypting a binary object would be an impediment to software supply 
> chain risk assessment functions in place today.
>
> Thanks,
>
> Dick Brooks
>
> Never trust software, always verify and report! T 
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Suit <suit-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Monday, May 31, 2021 12:49 PM
> To: Michael Richardson <mcr+ietf@sandelman.ca>
> Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; suit@ietf.org
> Subject: Re: [Suit] suit-firmware-encryption-00
>
> Michael:
>
>>>> I agree that there are also challenges with certification schemes 
>>>> that prevent developers from seeing the source code (or from 
>>>> publishing the source code). That's yet another issue.
>>
>>> SUIT is using signature for the authentication and integrity of the 
>>> firmware.  If the signature remains in place, a party in the middle 
>>> of the distribution cannot insert any malware.
>>
>> The encryption of the firmware keeps third parties from auditing the 
>> software updates to determine if malware has been inserted at the
> "factory"
>> Both white and black hats are currently using binary diff systems to 
>> look at patches.  Black hats use this to develop exploits in the gap 
>> between 9am EST and 9am PST!
>> I am suggesting that this is a "Security Consideration"
>
> Yes, this is a reasonable thing to add to the Security Considerations.
>
> If a trustworthy party in the middle of the distribution path is able 
> to detect a problem with cleartext (but signed) firmware, they can 
> report a vulnerability and refuse to pass the update along.
>
> Russ
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit
>

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you.