IETF Logo Mail Archive

Re: [Suit] self-describing format vs fixed/binary manifest structure

Martin Pagel <Martin.Pagel@microsoft.com> Thu, 13 December 2018 23:22 UTC

Return-Path: <Martin.Pagel@microsoft.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 252C9130EA9 for <suit@ietfa.amsl.com>; Thu, 13 Dec 2018 15:22:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.461
X-Spam-Level:
X-Spam-Status: No, score=-3.461 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97lch1qWU3po for <suit@ietfa.amsl.com>; Thu, 13 Dec 2018 15:22:10 -0800 (PST)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680117.outbound.protection.outlook.com [40.107.68.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 801B7130EB4 for <suit@ietf.org>; Thu, 13 Dec 2018 15:22:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xuE43F87mKtEWKltkxP3byYvqNeTWmjPNEoIHI7ko/Q=; b=Z1vFv4IuROUebGfCumbNQhRG5mtogqOdYsozrhl8+5GL5XHF8to2UEnJtzQ4NXkoW4DcUjnNOk4GXzzULeRDJLOvLKOFNQoP6q6dw8XKs3kRxPJ3xfCWxIFdyldtKyKAmL+FMCJ6n3dhAKxKWcfsZmnF+7e+FWYNgg8Fl7hCz/s=
Received: from DM5PR21MB0698.namprd21.prod.outlook.com (10.175.112.13) by DM5PR21MB0188.namprd21.prod.outlook.com (10.173.173.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.4; Thu, 13 Dec 2018 23:22:08 +0000
Received: from DM5PR21MB0698.namprd21.prod.outlook.com ([fe80::3807:fbfd:938f:b1c5]) by DM5PR21MB0698.namprd21.prod.outlook.com ([fe80::3807:fbfd:938f:b1c5%10]) with mapi id 15.20.1446.010; Thu, 13 Dec 2018 23:22:08 +0000
From: Martin Pagel <Martin.Pagel@microsoft.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "suit@ietf.org" <suit@ietf.org>, "dev-mcuboot@lists.runtime.co" <dev-mcuboot@lists.runtime.co>
Thread-Topic: [Suit] self-describing format vs fixed/binary manifest structure
Thread-Index: AdSRuIx24y9fgBmKQIigg64Z3c8zMwAo7OaAADVwiOA=
Date: Thu, 13 Dec 2018 23:22:07 +0000
Message-ID: <DM5PR21MB06986BEC8A8DA5AF9137404A9DA00@DM5PR21MB0698.namprd21.prod.outlook.com>
References: <DM5PR21MB069822F40B3F5CC8DBD5F6C69DA70@DM5PR21MB0698.namprd21.prod.outlook.com> <9919.1544647801@localhost>
In-Reply-To: <9919.1544647801@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mapagel@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-12-13T23:22:06.4304633Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:9:74ed:13c3:2f56:7728]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR21MB0188; 6:UwMcthGpQKVgMG1Ktp/k5gq2ZXdpbONNIv6Y/8R9QDhANjho2e7nay6+kDF5Mz/jRO7Dn/hH4FjtyupQfAKPy8tyYBwyH4yMG9vt/D097dpv8AJcbQWqLpjgid8kjZ2w6AikjxxtCD1ON5hVtCi7FvEa/+BeRmxVvc3ASXzd1yzEXPgjN63hq3qbpXNUWaUJVWC6K7QKfGdHBX2KsEeqokI1ZqjBHHGKdbb4gmeWNiJcDCFVaPoWW1x4KjefFqWqXc5s9iOsyYTq2lvbSzImLYo7mDlBW0sQ8NSc4xdhsxCHlZWBIbdJnrUIFVmCNTda0agogWXfskbjNhvcfmVCSQmLB8eFkalar5lUHu1P8tQm9bccvLcA6wR/s/av8dlpoT8KhRNGY66jcEvFmJstq3PiepQHIISlKcZ8qwWCNN3p5VSdLsD/h4J0xmd2BzSW5uQ/OesLc2fWqYOk/UTbFg==; 5:3BcJo1AGrB1KLoDqTlZEdjx1m3LPuDbbRa9hXpKHFAQ2GOam0eE9jibNJ1V3ihUU76gIki13LISodpg3ksMAMB16ired3dh7pMPUK37M0yubyb3WWcSYHV+9gnUZQIw3lpM1jtWKTDNwUYiQRqKPG/3sy+z09yPi/mfGAGgg09A=; 7:HshxVjxBn5RIhqdkaR38dgINOnoyaa6ZbmeGsa3PlMaxUALHrM+ir4+O1ZQQYNWscd2loybVCQhDXHTCOBNc/f2zQilvYpjgQE+VYM9IHHBjs2ZeHlrCsLM/D0coSrm4Ui+UqgYpA5vA04DK4zI+tw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 6d86ea1a-ff0f-4c46-90f1-08d66151cd28
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(5600074)(711020)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:DM5PR21MB0188;
x-ms-traffictypediagnostic: DM5PR21MB0188:
x-ms-exchange-purlcount: -3
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Martin.Pagel@microsoft.com;
x-microsoft-antispam-prvs: <DM5PR21MB0188B89385AF3A81B4AF0B449DA00@DM5PR21MB0188.namprd21.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(6040522)(8220035)(2401047)(8121501046)(5005006)(10201501046)(3002001)(3231475)(944501520)(2018427008)(93006095)(93001095)(6055026)(148016)(149066)(150057)(6041310)(20161123560045)(20161123564045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:DM5PR21MB0188; BCL:0; PCL:0; RULEID:; SRVR:DM5PR21MB0188;
x-forefront-prvs: 088552DE73
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(39860400002)(346002)(376002)(366004)(396003)(199004)(189003)(13464003)(53936002)(55016002)(9686003)(99286004)(6116002)(6506007)(8990500004)(102836004)(76176011)(2906002)(6246003)(53546011)(72206003)(7696005)(14454004)(478600001)(186003)(10090500001)(33656002)(25786009)(5660300001)(486006)(316002)(105586002)(110136005)(106356001)(446003)(2501003)(10290500003)(22452003)(97736004)(81156014)(74316002)(256004)(81166006)(71200400001)(86362001)(14444005)(229853002)(6436002)(476003)(8676002)(7736002)(68736007)(305945005)(71190400001)(46003)(86612001)(11346002)(8936002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR21MB0188; H:DM5PR21MB0698.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ns8fyGJB8cPHRKXh5uJi96yjHCBJtPrCUy3j/wssNno6DtgnzRSA9OHsKAQtDBgk4glgvlkrG1sUGZbp1XPIOEPGHMekWB6VJlRDX/eEYdHLcU5mpuXze+gjllj32mvg6BDHWZjQFLRpRfRcgqM7LrLFM048kITzIe4jT4zHglFXsL3Mm0jzGSxSBTTPFabFXPyiIyU6nvCwbU3i8xhtzTmuC//uBdMGCd8pNGa7AV/VN6kIVvB/6ASNaeZpXN3RjpQuk7v/SosBq9Nq//MmL19OiotTZB7Udw6t9/ZZcUyo6va7ONRFaMIPgy28IJIS
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6d86ea1a-ff0f-4c46-90f1-08d66151cd28
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Dec 2018 23:22:07.9535 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR21MB0188
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/YKUDFXDIU0l7lJx95aMg_6I-NVY>
Subject: Re: [Suit] self-describing format vs fixed/binary manifest structure
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 23:22:14 -0000

Thanks, Michael, 
for sharing your experience. 

In general I actually agree with your assessment. If you have many options, a well defined format like CBOR is much better than custom C structures as you can use a standard, already vetted parsing library. The standard parser library turns the CBOR data into a data structure, in IoT usually a pretty complex C structure. As the generic parser does not understand the semantics of the fields (only the syntax as defined by the CDDL), the developer still has to write code to verify a complex data structure and enforce semantics and you still have to test/verify such code. If you have lots of options, then again, that's a good approach. But, as others already pointed out, a manifest only uses a fraction of the power of CBOR and simple MCUs can only handle a fraction of the options proposed in the current Moran manifest draft. Each MCU still needs to make sure that any CBOR generated data structure is either properly processed or rejected, that is complex code which cannot be subjected to automated generic testing like the parser library can and therefore can lead to vulnerabilities. 

If you start with a binary manifest however, you skip the parsing step, you just load the data structure into memory. The data structure is much simpler as it only handles the few fields and options the MCU can actually handle. Yes, you need to do some more boundary checks on those few fields, something the CBOR parser might have done for you in the other case, but boundary checks on a simple data structure are pretty easy to implement. Far more important however is the fact that the code to enforce semantics is much smaller as it only has to deal with a few fields as your degree of freedom is far smaller.

If you want to use the manifest for secure boot via boot ROM, you want to make sure you get 100% code coverage during testing as you can't update the ROM. A generic parser often won't fit in the ROM and the number of options you would need to verify during testing becomes prohibitive. 

Therefore I believe that for constrained MCUs, in particular secure boot scenarios, a binary format has clear advantages. For larger, more flexible MCUs a CBOR based manifest may offer advantages.

Martin

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Wednesday, December 12, 2018 12:50 PM
To: suit@ietf.org; dev-mcuboot@lists.runtime.co
Subject: Re: [Suit] self-describing format vs fixed/binary manifest structure


Martin Pagel <Martin.Pagel=40microsoft.com@dmarc.ietf.org> wrote:
> I had further discussions with some security experts about the two 
> different manifest drafts, I thought it would be useful to summarize 
> it for the work group:

I'm a security expert of 30+ years.

I've written both ASN.1 and CBOR parsers (more ASN.1 than CBOR thanks to widely available CBOR libraries), and dozens and dozens of custom format parsers for a large variety of 8-bit (back when that was "current"), 16-bit, and 32/64-bit architectures.  I've written them in C, assembler, perl (yes. bash even hardware via /dev/mem and unpack), Tcl, BASIC (PEEK/POKE), and this includes things like bespoke mailboxes and ring structures for things like ethernet and NPU devices. (Not just on the "OS"/Linux/BSD side, but on the "microcontroller" side too).

ASN.1 and CBOR are in completely opposite sides of the design space: anyone who is older than 50 desperately wishes we had CBOR back in 1984 (when ASN.1 was hatched my a committee).  The broken process that led to the design is a probably a major reason for why the IETF does things the way we do things.

I'm also one of the maintainers of tcpdump, and I've extensive experience with network attacks on custom C-written parsers for protocols.
(It's not pretty: even extensively reviewed code winds up with issues.
The google bounty program has had an interesting affect)

> A self-describing format such as CBOR obviously has the advantage that 
> it is more extensible.

No, this is not really the advantage of CBOR.
Many structures can be defined that are easily extensible.
The IETF has dozens of TLV structures (sadly different).

The advantage is that CBOR libraries can easily be tested against a wide variety of inputs on a machine that enforces NULL deferences, structure overflow and underflows, and where the develop/compile/test cycle can be measured in dozens of seconds rather than dozens of minutes.
These libraries are widely used and widely tested.

Pull parsers can be written that uses almost no storage at all (at the cost of cycles).  Our manifest should be a simple CBOR map, and if we put a constraint on how the keys are ordered then the pull parser could be implemented with almost no cycles at the cost of one pointer of storage.
Such a piece of code could be in a library and be widely used/tested, along side full CBOR parsers that map to Python/Ruby/Perl.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email