Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 13 January 2020 09:46 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 907551200B3 for <teep@ietfa.amsl.com>; Mon, 13 Jan 2020 01:46:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.49
X-Spam-Level:
X-Spam-Status: No, score=-1.49 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, PDS_BTC_ID=0.499, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0nMe7KLDQP3j for <teep@ietfa.amsl.com>; Mon, 13 Jan 2020 01:46:33 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE13C120096 for <teep@ietf.org>; Mon, 13 Jan 2020 01:46:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1578908791; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=eKpq/tA0vIUnsp7vzGzoqWg4x43SkXAtytqI8WPgVOQ=; b=lJoHr2tz6EswYnozx1PYENFIGgDMhroHb0U05zgN8siLsMVi4ImEfSZB2+v9RTFFtZCJcn w0J0OHwByyLAM2dK5PblVgSUL7RTlZvJbSajCl75c5dIjj0ybEum0e6Bss1Wtj1lAv1dUx 7fYDZmeH47gusnamCnJGP/dyh1pdURs=
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2172.outbound.protection.outlook.com [104.47.58.172]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-345-zEsO3vZ2MwiH7wiuG4LUYQ-1; Mon, 13 Jan 2020 04:46:28 -0500
Received: from DM5PR1601MB1259.namprd16.prod.outlook.com (10.172.87.13) by DM5PR1601MB1163.namprd16.prod.outlook.com (10.172.90.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.10; Mon, 13 Jan 2020 09:46:25 +0000
Received: from DM5PR1601MB1259.namprd16.prod.outlook.com ([fe80::949b:6afa:b9ba:f4e4]) by DM5PR1601MB1259.namprd16.prod.outlook.com ([fe80::949b:6afa:b9ba:f4e4%3]) with mapi id 15.20.2623.013; Mon, 13 Jan 2020 09:46:25 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Mingliang Pei <mingliang.pei@broadcom.com>
CC: Dave Thaler <dthaler@microsoft.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "teep@ietf.org" <teep@ietf.org>
Thread-Topic: [Teep] Working Group Last Call for draft-ietf-teep-architecture
Thread-Index: AdW5iepOELmpRRFXSAWsc0EhHQP19ALfbySAAAc0BIAABIf9gAAWBUMgACJiNvAAvsi6gAA1rNWA
Date: Mon, 13 Jan 2020 09:46:25 +0000
Message-ID: <DM5PR1601MB1259E8FF52F3287272903036EA350@DM5PR1601MB1259.namprd16.prod.outlook.com>
References: <CY4PR1601MB1254CD83B0DAADAA67A54CF3EA2E0@CY4PR1601MB1254.namprd16.prod.outlook.com> <BL0PR2101MB10278417515DEF077714D693A33F0@BL0PR2101MB1027.namprd21.prod.outlook.com> <CY4PR1601MB125400678B0DA9EE37683FBBEA3F0@CY4PR1601MB1254.namprd16.prod.outlook.com> <AM6PR08MB5285F0C0209A745F1FAABA23FA3F0@AM6PR08MB5285.eurprd08.prod.outlook.com> <BL0PR2101MB1027BB4B1FDB272B61D04468A33F0@BL0PR2101MB1027.namprd21.prod.outlook.com> <CY4PR1601MB125473BCC69227A45D62FAA7EA390@CY4PR1601MB1254.namprd16.prod.outlook.com> <CABDGos6GwjdAy89=5jY1Cb2xyB_nnphOX-bYFjYNxY2+DR3VkA@mail.gmail.com>
In-Reply-To: <CABDGos6GwjdAy89=5jY1Cb2xyB_nnphOX-bYFjYNxY2+DR3VkA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8b915df7-3842-4dbf-e115-08d7980d74a7
x-ms-traffictypediagnostic: DM5PR1601MB1163:
x-microsoft-antispam-prvs: <DM5PR1601MB11636EC79EEBA320C8A9701CEA350@DM5PR1601MB1163.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 028166BF91
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(346002)(366004)(376002)(136003)(199004)(32952001)(189003)(40434004)(86362001)(71200400001)(9686003)(7696005)(5660300002)(52536014)(30864003)(66574012)(2906002)(478600001)(45080400002)(55016002)(66946007)(186003)(26005)(53546011)(6506007)(76116006)(64756008)(66446008)(66556008)(66476007)(966005)(33656002)(54906003)(8936002)(81166006)(9326002)(81156014)(8676002)(4326008)(6916009)(316002)(85282002)(559001)(579004)(569006); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR1601MB1163; H:DM5PR1601MB1259.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Y9eLSefTJHlbkOj5nBlxdN6FnC5nITpXSKFpK6xwXVZDFiZXxJ2I1GTDtSNUdwKqPLoV/UtwUqyD5ZTERDolAUALRwcsG/QU8igSQioLcVD1tdjtY6hZFI6Uzm8SY1v2u5frXu1UPJVcaIXtn7z845ACGWGIVnl4ODAGPMufUTO49HKP/+gvCxnI1XbXuvEUjoYmatzIpfyzZKNr0c4ooOuj9WonkTJBuMRN9sx8ZlJXTheBd0m691srAxwtB1Iu7FDM1go7TKmPzr7o8kEewaRVvfL7qDExbByS1rCOQZXKKj/VTSrHinnD6q0FaP8WJ+EQLeTeoxJcPsoSmakZK+W4td34OzV3Zw3bsg2WRiUE0EvmWo6eUHa7DG8SQAN4w/Pmnkvu24dI4sMXN2XKTUq9xAqVf3Mo6E+bA7+LjC2z93eqC7zQ7DB5I/pAp3yNdWU+eov9SDzHM/bGXfxdJlt5pCZUclUljt7YZcnBrAcDCdQdwHu9MBTCrwuUMeGxE7mFcgKidSo0C816xUqbMpkpoucSY79sDoZO7h0qdoMf2CdjhV8107tSSVZQhZ7y9wAnm0GE0irVelEnPXbiiGtePS74hgXdQYM4eAFS0NA=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8b915df7-3842-4dbf-e115-08d7980d74a7
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2020 09:46:25.4281 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: C2OPS0CzoK8xvqX1jwvhO3IMsknj4F/lxnZ4ePm7uo0WhsBYXNTZRaNC39N0uPkXcOY3eEXLLudGzzr8jAaqWdpBU/Nc/sJUxKrpspEstYvNOeDGUWZp48zWD/FY10B0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1601MB1163
X-MC-Unique: zEsO3vZ2MwiH7wiuG4LUYQ-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/alternative; boundary="_000_DM5PR1601MB1259E8FF52F3287272903036EA350DM5PR1601MB1259_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/MhL3Swv97jemrAj738nsjCG1YoA>
Subject: Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 09:46:37 -0000

Hi Ming,

Please see inline [TR2]

From: Mingliang Pei <mingliang.pei@broadcom.com>;
Sent: Sunday, January 12, 2020 12:12 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
Cc: Dave Thaler <dthaler@microsoft.com>;; Hannes Tschofenig <Hannes.Tschofenig@arm.com>;; teep@ietf.org
Subject: Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
Hi Tiru, thank you very much for your comments and suggestions. Thanks Dave and Hannes for prompt response for us.

Please see my comments inlines, mostly on top of your last replies, and for several questions that need additional clarification.

Thanks,

Ming

On Wed, Jan 8, 2020 at 11:53 PM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com<mailto:TirumaleswarReddy_Konda@mcafee.com>> wrote:
Hi Hannes and Dave,

Thanks for the responses. Please see inline [TR]

From: Dave Thaler <dthaler@microsoft.com<mailto:dthaler@microsoft.com>>
Sent: Wednesday, January 8, 2020 1:14 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>; Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; teep@ietf.org<mailto:teep@ietf.org>
Subject: RE: Working Group Last Call for draft-ietf-teep-architecture


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
Below

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Sent: Tuesday, January 7, 2020 1:28 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; Dave Thaler <dthaler@microsoft.com<mailto:dthaler@microsoft.com>>; teep@ietf.org<mailto:teep@ietf.org>
Subject: RE: Working Group Last Call for draft-ietf-teep-architecture

Hi Tiru,

Thanks for the review. There is clearly room for improving the write-up.

A few remarks below.

From: TEEP <teep-bounces@ietf.org<mailto:teep-bounces@ietf.org>> On Behalf Of Konda, Tirumaleswar Reddy
Sent: Tuesday, January 7, 2020 7:39 AM
To: Dave Thaler <dthaler@microsoft.com<mailto:dthaler@microsoft.com>>; teep@ietf.org<mailto:teep@ietf.org>
Subject: Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture


[As an individual]

Hi Dave,



I have reviewed the draft and have comments and nits listed below:



a) It is not clear from the Introduction how TEE is different from a Closed OS like Google Chromebook or Windows 10S ?

     The benefit of Payment application running in Closed OS verses in TEE is not evident from the description. What part of the Payment application runs in the REE and TEE respectively ?

     If biometric identification information is securely stored in TEE for identification, how does the TEE identify the biometric identification information is not retrieved by an malicious agent in the REE.

     Section 3.3 (Internet of things), How does the architecture ensure the sensitive data is retrieved by a legitimate application in the REE and not by an malicious application ?



[Hannes] The TEE adds another layer of software isolation. To protect one TA to steal data from another TA the two TAs need to be isolated against each other. Depending on the TEE technology you are using this is accomplished via different means.



It is up to the application developer to decide how they best want to separate the REE and the TEE part, which in part depends a bit on what type of payment protocol they are using. In some other cases (probably more realistic) they may be using an already existing payment system, which is provided as a TA, and they are just using it. In general, it does not strike me as a great idea to have random smart phone app developers writing their own payment software.



[TR] Got it, Thanks.



The document (intentionally) makes no statement about whether a “close OS” as you put it, is or is not a TEE.   The question is really about whether such an OS prevents code injection attacks (e.g., due to buffer overruns or whatever else), prevents data modification attacks, etc..



[TR] Closed OS prevent the above attacks, a malicious app cannot read/modify the data of the other apps (e.g., ransomware attack is not possible, see https://support.google.com/chromebook/answer/3438631?hl=en<https://clicktime.symantec.com/3JPSEBNruBmUKctmhaBoGpT7Vc?u=https%3A%2F%2Fsupport.google.com%2Fchromebook%2Fanswer%2F3438631%3Fhl%3Den>;).



b) Why should the list of trust anchors on the device be managed by the Device's network carrier ?

     (you may want to define the term "network carrier").



This is issue #112 that I filed.   Personally I think the term “carrier” should be removed from the doc.



Dave has this issue tracked, and I added comment there. For one, "a network carrier" applies to mobile device only, and we have other TEE device types. On the other hand, the "network carrier" text does have some relevance here. For mobile devices, Trust Anchors are expected to be set by device manufacturers. What to put by a device manufacturer into devices, however, is often governed or instructed by the network carrier that a particular mobile device is produced for. That is the history of this context. I think we can make this as an example of set for such a case.

[TR2] Thanks for the clarification. You may want to add the mobile device example in the document.


[TR] Works for me.



[Hannes] The text says the following:



“
The list of Trust Anchors is normally modifiable
      by the Device's owner or Device Administrator.  However the Device
      manufacturer and network carrier may restrict some modifications,
      for example, by not allowing the manufacturer or carrier's Trust
      Anchor to be removed or disabled.

“



This describes current practice in the mobile phone industry and may not necessarily be applicable to other deployment scenarios. Hence, there is no required behavior here.





c) If the REE is compromised (for example by malware), it could terminate the TEEP broker in REE. How is this attack mitigated ?



[Hannes] If the REE is compromised then that’s typically not a good thing but the REE side still cannot access anything on the secure world, if implemented correctly. It could, however, indeed terminate the TEEP broker and avoid any calls to the secure world. This would be a DoS attack.. It would be possible to periodically schedule an interrupt that is processed by the secure world to let the secure world double-check the state of the normal world.



Right.  DoS attacks by the REE are, in general, not prevented (some TEEs may prevent them but most won’t).

The TEEP architecture doesn’t change this.



[TR] You may want to explain the above threat vector in the document.

[MP] Agreed. Will add some text on this.




d) What happens if the malicious agent acting as TEEP broker launches attacks (e.g. garbage data, replay attack, DoS of messages etc.,) on the TEEP agent, and how will the TEEP agent defend itself ?



[Hannes] The TEEP agent dispatches calls to the trusted applications. It is typically a shim layer that just checks parameters of the requests and then relays them to the TAs. Having a rock solid implementation of the TEEP agent is important and of course the TAs need to be implemented properly as well.



The GP TEE Client API is meant to provide a reference design for an API that allows data passing back and forth. So, implementing that API properly will be important. This is why there is this open source project to implement that API so that other developers can just use it.



The TEEP Agent implements a secure protocol (the TEEP protocol) between it and a TAM.
That protocol must be secure against attacks by untrusted intermediaries, including routers, HTTP proxies, and TEEP brokers.



[TR] Okay. I think it will be useful to discuss possible attacks by untrusted intermediaries on the TEEP agent and how the TEEP agent can protect itself (either in this document or in the TEEP protocol specification) ?



[MP] We may add this and the above one in "Security Consideration".




e) The below line is not clear to me:

Enumeration and access to the appropriate TEEP Broker is up to the Rich Execution Environment and the Untrusted Applications..



[Hannes] There may be multiple TEEP Brokers on the system and the interaction between untrusted apps and the TEEP broker is up to a policy implemented by the developer.



I agree the line is confusingly worded.



[TR] Please fix in the next update.

[MP] Agreed. Will fix. (Dave has had some on Multiple TEEP Broker).




h) A use case explaining the use of multiple TAM, multiple TEEP brokers on a device, and multiple TEE would be useful to the reader of the specification.



Isn’t that what Figure 2 already provides?  Can you elaborate on what you’re looking for?



[TR] I am looking for use cases, the text proposed by Hannes below looks like a good starting point.



[Hannes] Definitely a good idea to add text with use cases.

Here is my quick response:


-          Multiple TAMs: you could think about this as having multiple code repositories. Different SPs may prefer to use certain TAMs for their software distribution.
-          Multiple TEEP brokers: this can occur when you have a broker offered by the OS and one bundled with the untrusted app.
-          Multiple TEEs: This depends on the TEE technology. In the TrustZone case you may have a multi-processor system and each processor comes with TrustZone support.



i) When a TEEP Broker receives a request from an Untrusted Application

   to install a TA, a list of TAM URIs may be provided for that TA, and

   the request is passed to the TEEP Agent.  If the TEEP Agent decides

   that the TA needs to be installed, the TEEP Agent selects a single

   TAM URI that is consistent with the list of trusted TAMs provisioned

   on the device invokes the HTTP transport for TEEP to connect to the

   TAM URI and begins a TEEP protocol exchange.



Comment> I am not sure why the architecture draft is discussing the protocol aspects like HTTP for TEEP ?



[Hannes] I believe it does not need to mention HTTP but it could list it as an example.



Sure.



On the other hand, we have a WG document, and the architecture document can mention it as explaining how that doc fits into the architecture and relates to the other docs.



[TR] Fair point.



j) What if the malware in REE instructs the TEEP agent via TEEP broker to keep installing/uninstalling TA (over-whelm the TEEP agent and TEE or installing un-necessary TA to have no memory for the required TA) ?



An REE can always conduct DoS attacks against a TEEP agent as discussed in your question (c) above.

However the word “instructs” is incorrect since the TEEP Agent is authoritative, your question should say “requests” instead, since the TEEP agent is free to ignore/reject the request.  (This is why section 6.2.1 has “RequestTA”, as does the transport spec.)



[Hannes] Having a compromised REE environment that causes all sorts of apps to be installed is possible (assuming the TEE is authorizing the installation of those apps). An implementation of the secure world, most likely the TEE OS, will have to make sure that the device does not install TAs and overwrite the memory space they have been configured to use.



[TR] My suggestion is to discuss the above attack in the document.



[MP] Good point. We can add this threat discussion in Security Consideration.




i)                    What is the use case for "Personalization data" ?



There is an example in section 4.4:

  *   an example of

  *   personalization data might be a secret symmetric key used by the TA
  *   to communicate with the SP



[TR] Thanks, I missed the example.



[Hannes] Personalization data is meant to make each instance of the TA unique and potentially tie it to a specific user. Imagine a TA that implements biometric functionality: there has to be something in TA that relates this instance of the TA to a specific human, for example by storing a fingerprint alongside the TA as configuration data.



j) Why is Section 4.5 discussing Case 1 when it not in use ?



[Hannes] We just describe the possible approach and illustrates how things are done today. There is, however, a lot of development going on in the area of TEEs and I suspect that we will see all sorts of different use cases showing up in the future as the technology gets used in different environments.



Agree with Hannes.



[TR] Okay.



k) The below line is not clear to me (please elaborate):

Consequently, a TAM generally communicates with an Untrusted Application about how it gets messages that originate from a TEE inside a device.



[Hannes] The key point of that paragraph is that today TEEs do not communicate with the outside world but require the cooperation with something on the REE side.



That whole paragraph is confusingly worded, and I currently plan to rewrite it based on my marked up hard copy ☺



[TR] Okay.



l) What is the use case for one TA and multiple SP ?



[Hannes] I am not sure.. I let Ming, DaveW, or DaveT respond.



No idea, I’d propose deleting that section.   I was confused by it as well.



[MP] A TA software author can license the TA to multiple "buyers" who installs to their own user devices via their own TAM providers. The buyers are SPs in the original use case context. A TA developer doesn't necessarily distribute the TA. We have changed the meaning of SP to be interchangeable with an "App Developer" along with WG discussion, which treats the TA authorizer (SP) to devices as the owner of the TA.

A SP may provide its own "TA personalization data". Different SPs may provide different data. There needs a way to address the case when the same TA is installed to a device by multiple providers.  To this end, the proposal was to have different "identifiers" for the TA to multiple SPs so that they don't have to be overwritten. A Device Administrator may decide which TAM and TA it allows to install to devices.

This is certainly a complex case, and not expected to be common in practice.

[TR2] If it not a common practice today, suggest to remove it or if you think it will be useful in future, please add the above explanation of TA with different ‘identifiers’ from multiple SPs on the device.

Do you feel that we can disallow such a case where a TA author always directly works with a TAM service to distribute the TA? I feel that this licensed TA case may still have a place here.

[TR2] Yes, it deviates from the role of TAM to manage TAs on behalf of SP (as per the definition in Section 4.1).


[TR] Works for me.



m) what is the use case for keeping the TA binary secret from the TAM ?



[Hannes] it is more and more common today to protect binaries from inspection because this gives attackers a lot of information. If you don’t want to use it and only sign the binaries that’s fine too. But the option is there for you to protect the confidentiality of the binary.



I believe the use case is where the app developer considers the TA binary itself to be secret (e.g., intellectual property worth protecting), but wants to allow it to be distributed through a TAM that is run by another organization, one with more hosting capacity.   Thus the developer puts an encrypted binary in that TAM, and then runs their own lighter weight TAM that just hands out decryption keys which doesn’t need nearly as much much capacity/bandwidth.



[TR] Got it but it also allows the possibility of publishing malicious apps the TAM/SP may not be able to validate (For instance Apple has a strict review process of apps before publishing on the iOS app store). Encrypting the binaries from inspection by attacker is required but TAM/SP are not necessarily the attackers.

[MP] I think this risk can be some contract between the TAM and the TA provider to manage. When a TAM doesn't want to risk its reputation to distribute malware, it may demand to inspect binary that a TA provider gives. Agree with you that a TAM most probably have the original TA binary access, who are not treated as an attacker by the TA developer.

[TR2] You should discuss the above point in the document. Please see https://thenextweb.com/apps/2020/01/10/google-joker-malware-play-store/ to understand how malicious apps are making their way into Google play store. These apps start with clean versions, grow user base and later introduce malicious code through updates.

Note that the more common case of TA binary encryption common is for the TAM to encrypt the TA binary to prevent any man-in-the-middle from inspecting the binary. App Developer encrypted TA binary has a decryption key distribution challenge to a device. The separate TAM was devised for this purpose, but that was largely used for "personalization data" support case.




n) We allow a way for an Untrusted Application to check the trustworthiness of a TA.



Comment> You may want to re-phrase the above line, and remove "we".



[Hannes] I think we should delete this paragraph:

“

   We allow a way for an Untrusted Application to check the

   trustworthiness of a TA.  A TEEP Broker has a function to allow an

   application to query the information about a TA.

“



Agreed it should be deleted.  This was the second point of issue #116 that I filed.



[TR] Okay.



[MP] Agreed too. It was originally set there for local query without contacting a remote TAM to check a TA.


o) A notification that an incoming TEEP session is being requested by a TEEP Agent.



Comment> What you meant by "incoming TEEP session" ?



[Hannes] Dave should respond to this one because it relates to the HTTP transport, I believe.



The TEEP protocol requires the agent to connect to the TAM.   This is a notification about the initial connection.

See the transport spec for more details.



[TR] Thanks for the clarification.





p) How does the TEEP broker communicate with the TEEP agent ?



[Hannes] Via an API, for example the GP TEEP Client API.



Right, implementation-specific detail.



[TR] Okay.



q) Section 5.3 says the architecture uses PKI but Section 9.1 discusses self-signed certificates. Please fix.



[Hannes] We need to clarify the statement about the self-signed TA binaries.



Sure.  Figure 4 talks about multiple certificates.   5.3 is a general statement about multiple types.

9.1 is about one specific type of cert that may or may not have a PKI.

So they are not in contradiction but yes clarification would be good.



[TR] What is need for self-signed certificates when code signing certificates by CA are used today ?



r) In Figure 4, for the purpose of "Code signing" my understanding is the location of corresponding CA certs is both TEE and TAM.



[Hannes] I believe it would be useful to also store the CA cert that is used for code signing at the TAM because then it can verify the signed TAs.



I don’t believe there is any such requirement on a TAM.   It might be “useful” but is not required in my view.



[TR] why do you think verification in TAM is not required ?



[MP]  TA signature verification must be verified. Currently a TEE will check this code signing, and the CA certificate will be in TEE. See Figure 4 in the doc.

"Code Signing          1 per SP       TA binary          TEE"
Note the above "TA binary encryption" discussion. If a TA is given to a TAM in an encrypted form, such a signature check isn't feasible. But we can assume that TAM provider always vet TA binaries that it distributes for its service reputation protection.

Note that there is also the other TA delivery mode where a TA's binary is bundled inside an Untrusted Application as binary data. In this case, the binary isn't sent to TAM for distribution.

There is also the other case: many SPs / TA App Developers use the same extremely popular TAM service. Device manufacturers may want to limit to accept only a set of TA providers by using the code signing CA trust list. The architecture allows such support with the coding signing trust check in TEE.

[TR2] Got it, Thanks.

Cheers,
-Tiru


If we indeed believe the text in Section 9.1 is correct then that code signing CA cert also needs to be made available to the TEEP Broker and potentially even to the untrusted app.



I don’t believe the text in 9.1 is correct.


[MP] See above comment.

[TR] You may want to raise an issue in github to correct the text.



s)I have seen several malicious apps in App store in both Android and iOS, it is possible for an malicious App developer to publish both malicious untrusted applications

   and malicious trusted applications.  I don't think the TEEP architecture prevents this attack and it is the responsibility of TAM and App store to remove such apps

    (see https://android-developers.googleblog.com/2018/01/how-we-fought-bad-apps-and-malicious.html<https://clicktime.symantec.com/3WoTUQiqn8S8EL5UYFU7jhw7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fandroid-developers.googleblog.com%252F2018%252F01%252Fhow-we-fought-bad-apps-and-malicious.html%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908969481%26sdata%3DgNv0t73IFUqZmdnXjWmpb9bAyoYGfczM6oRe66Qlaog%253D%26reserved%3D0>;)



[Hannes] Yes, it would be the responsibility of the TAM, the device manufacturer and the SP / developer to ensure that they do not distribute malicious TAs.



It’s the responsibility of the TAM to not install malicious trusted apps, only authorized ones.



I don’t think it’s correct to say it’s the responsibility of the TAM to “remove” malicious trusted apps, since it shouldn’t have installed it in the first place.

The only case where “removal” might make sense is if the TAM previously authorized a trusted app, and later changed its policy that such TA is no longer authorized (e.g., because it was determined to be buggy or malicious or whatever else).



[TR] You may want to discuss the above case in the document.  If the trusted app is removed by TAM because it is malicious, some notification to the user would be helpful to remove the associated untrusted application in the REE.


[MP] Good suggestion. We may touch on this point in Security Consideration section too.

-Tiru





Ciao

Hannes



Cheers,

-Tiru


From: Dave Thaler <dthaler@microsoft.com<mailto:dthaler@microsoft.com>>
Sent: Tuesday, January 7, 2020 8:44 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; teep@ietf.org<mailto:teep@ietf.org>
Subject: RE: Working Group Last Call for draft-ietf-teep-architecture


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
I opened one pull request for editorial issues (https://github.com/ietf-teep/architecture/pull/109<https://clicktime.symantec.com/351u59QLtaPT81TMTAvunqB7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fpull%252F109%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908969481%26sdata%3DS36SLw%252F2T7yK210awwzbpWTE0LAN9r1WFtkE5qG%252Bfl0%253D%26reserved%3D0>;),
and filed seven other issues listed at https://github..com/ietf-teep/architecture/issues<https://clicktime.symantec.com/3TrjBmWdEfiS7oUVpmi3Wif7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908979441%26sdata%3D5aqxPRt0miAe5DsoenjkTn2qbJlVWTeciLtw9SBVn1E%253D%26reserved%3D0>

110) Service Provider discussion is confusing<https://clicktime.symantec.com/39cMDUsNGvSvaSRJP2CQiA57Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F110%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908979441%26sdata%3DKPNhnXV43eP8ZmdSqv3Vkbcj%252FPUlt5G3qYUgWPOBT%252F0%253D%26reserved%3D0>
111) Terminology section is not consistently ordered<https://clicktime.symantec.com/3VAiubTPBm8Nu7K6jeyK6yC7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F111%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908979441%26sdata%3DY%252FwhR2qzEc86xYboYueIlwI7jGUlIUnUp03qQ%252FclAMs%253D%26reserved%3D0>
112) Text about carriers is confusing<https://clicktime.symantec.com/35JbtAkeyAguJKDDbAswm587Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F112%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908989393%26sdata%3DR1xs7Zt7GAt%252Bj0cv8rE273CmG4Y%252FPSQ5bB1SXVVjUS0%253D%26reserved%3D0>
113) Section 6.2.3 contradicts section 4.2<https://clicktime.symantec.com/3EXPNKjMEAd6Hx9XSx5RnEP7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F113%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908989393%26sdata%3DfYt0nEoCNSxthFVKq%252FmxutxQgpThx8L1Vn3h%252BxLhKxE%253D%26reserved%3D0>
114) Figure 3 is too hard to understand<https://clicktime.symantec.com/3Pv5ZDeQraj9Kioz4xbxtPN7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F114%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908989393%26sdata%3Do%252F6RQy0IdDZQ1Z5wDYg5WVamJ31SS6JUzU8nCLB8ksk%253D%26reserved%3D0>
115) Reference to IANA number<https://clicktime.symantec.com/35d9oVECvbeBe1SvSPJ2Aix7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F115%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908999352%26sdata%3DxPDRcUGvaicejeAxxLOt5Cc%252BaFAEpe1X1XBnW8TOrY8%253D%26reserved%3D0>
116) Incorrect/obsolete statements about TEEP Broker<https://clicktime.symantec.com/39puLGz66Tz8pqU7Trrs6Lk7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252Fietf-teep%252Farchitecture%252Fissues%252F116%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861908999352%26sdata%3DO8lfJd0TAW1aEU50xAO7U09PPsCtcrCCPBFNHlPC2pA%253D%26reserved%3D0>

I have ideas about how to address all of them, but if others have comments, please speak up.

The possibly(?) contentious one might be that in #110 I am proposing to use the term
“App Developer” throughout, instead of using “Service Provider” in some places and “App Developer” in others
and then saying they’re synonymous like it does now.   (I’d be ok with mentioning that in some contexts an App Developer
might be known as a “Service Provider” if that is important to GlobalPlatform folks.)

Dave

From: TEEP <teep-bounces@ietf.org<mailto:teep-bounces@ietf.org>> On Behalf Of Konda, Tirumaleswar Reddy
Sent: Monday, December 23, 2019 4:17 AM
To: teep@ietf.org<mailto:teep@ietf.org>
Subject: [Teep] Working Group Last Call for draft-ietf-teep-architecture

Hi all,

This message starts a Work Group Last Call (WGLC) for TEEP architecture.  The version to be reviewed is https://tools.ietf.org/html/draft-ietf-teep-architecture-05<https://clicktime.symantec.com/3J8myVCnpenkHpNeAegdSaG7Vc?u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Ftools.ietf.org%252Fhtml%252Fdraft-ietf-teep-architecture-05%26data%3D02%257C01%257Cdthaler%2540microsoft.com%257Cbcf3b2c5f95b4c4c31fa08d79353ece5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637139861909009306%26sdata%3DjkSiFYpG8FFVJUPk7nzK4VCH2j3im3RyFYtQj7ieHCw%253D%26reserved%3D0>

The WGLC will last for 4 weeks and will end on 20 January 2020.

Please send your comments to the list before this date and your assessment of whether or not it is ready to proceed to publication.

Regards,
Tiru & Nancy
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
TEEP mailing list
TEEP@ietf.org<mailto:TEEP@ietf.org>
https://clicktime.symantec.com/3E4xJQVFydcmnjgspEbLjV47Vc?u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep