Re: [Suit] Valid but partial updates (possible threat)

Brendan Moran <Brendan.Moran@arm.com> Mon, 08 June 2020 15:24 UTC

From: Brendan Moran <Brendan.Moran@arm.com>
To: Dick Brooks <dick@reliableenergyanalytics.com>
CC: Øyvind Rønningstad <Oyvind.Ronningstad@nordicsemi.no>, suit <suit@ietf.org>
Date: Mon, 8 Jun 2020 15:24:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/yGgZJFEfy3F9Spkij0qAXvSr2g4>

There are several possible resolutions to this concern. I think that any realistic deployment should address more than one of them. The two most important mitigations are:

1. A key that is used to verify root manifests should be marked as such in the device. Verification of a root manifest should fail if it is signed by a key that is not marked for verifying root manifests.

2. Any valid tree of manifests must contain a specification for every element of an interdependent set of components. Independent groups of components may be specified with separate trees. This can be checked at dependency-resolution and system-validation time.

I’ve had some text about this in the past, but I don’t believe it is in the manifest specification. I think this detail should be in Section 6.2: Required Checks.

Please let me know what you think?

Best Regards,
Brendan
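As an added illustration (not code from this thread or from the SUIT drafts), the two checks above as a toy verifier: the key records, manifests and the "interdependent set" of components are all constructed, and the signature itself is assumed to have been verified already, so only the key's root-manifest marking and the component coverage of the manifest tree are checked.

```python
from dataclasses import dataclass


@dataclass
class Key:
    kid: str
    root_capable: bool  # check 1: key is explicitly marked for root-manifest verification


@dataclass
class Manifest:
    name: str
    signed_by: str          # kid of the signing key (signature assumed already verified)
    components: frozenset   # components this manifest installs
    dependencies: tuple = ()  # names of dependency manifests


# Constructed trust store and interdependent set: components that must be
# updated together, or the device is left incompatible / incomplete.
KEYS = {"root-key": Key("root-key", True), "lib-key": Key("lib-key", False)}
INTERDEPENDENT_SETS = [frozenset({"app", "libcrypto"})]


def collect_components(root, store):
    """Walk the dependency tree and return the union of installed components."""
    seen, stack, comps = set(), [root.name], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        m = store[n]
        comps |= m.components
        stack.extend(m.dependencies)
    return comps


def validate_root(root, store, keys=KEYS, sets=INTERDEPENDENT_SETS):
    """Return (ok, reason); rejects a dependency manifest presented as a root."""
    key = keys.get(root.signed_by)
    if key is None or not key.root_capable:
        return False, "signing key not marked for root manifests"
    comps = collect_components(root, store)
    for s in sets:  # check 2: touching part of a set without the rest is a partial update
        touched = comps & s
        if touched and touched != s:
            return False, f"partial update of interdependent set: missing {sorted(s - touched)}"
    return True, "ok"


# Constructed manifests: a legitimate root and the library dependency it pulls in.
LIB = Manifest("lib-manifest", "lib-key", frozenset({"libcrypto"}))
ROOT = Manifest("root-manifest", "root-key", frozenset({"app"}), ("lib-manifest",))
STORE = {m.name: m for m in (LIB, ROOT)}
```

`validate_root(LIB, STORE)` is the scenario from the thread (a valid dependency manifest offered as the root) and is rejected by check 1; a manifest that carries the root key but covers only part of the set is rejected by check 2.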

On 8 Jun 2020, at 15:15, Dick Brooks <dick@reliableenergyanalytics.com> wrote:

This is precisely the type of attack I'm looking to detect before any
attempt at installation of the software. Good use case, Øyvind.

Thanks,

Dick Brooks

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Rønningstad, Øyvind
Sent: Monday, June 08, 2020 7:37 AM
To: suit@ietf.org
Subject: [Suit] Valid but partial updates (possible threat)

Hi
I have a concern about root manifests. By root manifest I mean the manifest
that describes the whole coordinated update (all payloads, dependencies, and
conditions). For secure boot, the root manifest serves as the "entry point"
for booting the system.

Imagine a device is expecting a new root manifest, and an attacker inserts a
different manifest in its stead. The replacement manifest is a valid
dependency manifest of a valid new root manifest but not a root manifest
itself. When executed as a root manifest this manifest leaves the device in
a bad state (e.g. No app or incompatible with existing app/libraries). How
to protect against this (without resorting to transport-specific security)?
Maybe a dedicated component for the manifest, with a separate class ID? If
so, this must be known by the implementer, so it should be made explicit in
the manifest document. I think this can also go into the information model
as a distinct threat (even if it is very related to 4.2.3.
THREAT.IMG.INCOMPATIBLE: Mismatched Firmware), since it needs specific
action from the implementer.  Something like:

"Valid but partial update
An attacker sends a subset of a valid update, that when applied in isolation
breaks compatibility with other software on the device, or otherwise leaves
the Software in a bad or incomplete state."

Øyvind Rønningstad

_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit
