From e97d6ad0672032cd1c22ff5c4f0cd9b46909b654 Mon Sep 17 00:00:00 2001 From: Erick Tryzelaar Date: Wed, 18 May 2022 21:26:48 -0700 Subject: [PATCH 1/3] Check timestamp/snapshot contains snapshot/targets version The [timestamp.json] states that the timestamp `meta` section MUST only contain a description of the snapshot.json file. However, [updating the timestamp role] does not describe when to perform this verification. Similarly, the [snapshot.json] states that the snapshot `meta` section MUST contain a description of the targets.json file, which is also not described in [updating the snapshot role]. This patch explicitly states that these checks should be performed, and that the metadata should be rejected if it is missing these entries. [timestamp.json]: https://theupdateframework.github.io/specification/v1.0.30/#file-formats-timestamp [updating the timestamp role]: https://theupdateframework.github.io/specification/v1.0.30/#update-timestamp [snapshot.json]: https://theupdateframework.github.io/specification/v1.0.30/#file-formats-snapshot [updating the snapshot role]: https://theupdateframework.github.io/specification/v1.0.30/#update-snapshot --- tuf-spec.md | 54 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index 9616036..6588131 100644 --- a/tuf-spec.md +++ b/tuf-spec.md 
@@ -1368,20 +1368,24 @@ it in the next step. 3. **Check for a rollback attack.** - 1. The version number of the trusted timestamp metadata file, if - any, MUST be less than the version number of the new timestamp - metadata file. If the new timestamp metadata version is less than the trusted - timestamp metadata version, discard it, abort the update cycle, and - report the potential rollback attack. In case they are equal, discard the new - timestamp metadata and abort the update cycle. This is normal and it - shouldn't raise any error. The reason for aborting the update process is that - there shouldn't be any changes in the content of this, or any other metadata - files too, considering it has the same version as the already trusted one. - - 2. The version number of the snapshot metadata file in the - trusted timestamp metadata file, if any, MUST be less than or equal to its - version number in the new timestamp metadata file. If not, discard the new - timestamp metadata file, abort the update cycle, and report the failure. + 1. The version number of the trusted timestamp metadata file, if any, MUST be + less than the version number of the new timestamp metadata file. If the + new timestamp metadata version is less than the trusted timestamp metadata + version, discard it, abort the update cycle, and report the potential + rollback attack. In case they are equal, discard the new timestamp + metadata and abort the update cycle. This is normal and it shouldn't raise + any error. The reason for aborting the update process is that there + shouldn't be any changes in the content of this, or any other metadata + files too, considering it has the same version as the already trusted one. + + 2. The new timestamp metadata file MUST only contain the description of the + snapshot metadata file. If not, discard the new snapshot metadata file, + abort the cycle, and report the failure. + + 3. 
The version number of the snapshot metadata file in the trusted timestamp + metadata file, if any, MUST be less than or equal to its version number in + the new timestamp metadata file. If not, discard the new timestamp + metadata file, abort the update cycle, and report the failure. 4. **Check for a freeze attack.** The expiration timestamp in the new timestamp metadata file MUST be higher than the fixed update start time. 
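Review bot: step 2 of the timestamp rollback check tells the client to "discard the new snapshot metadata file", but at this point in the workflow only the new timestamp file has been downloaded and no snapshot metadata is in hand, so the thing to reject is the timestamp file: "If not, discard the new timestamp metadata file, abort the update cycle, and report the failure." Two smaller points on the same hunk: requiring that `meta` name only the snapshot file is a well-formedness check on the timestamp file rather than a rollback comparison, so it reads more naturally as its own step ahead of the rollback check than as sub-step 2 of it; and "abort the cycle" should match the "abort the update cycle" wording used in steps 1 and 3.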
@@ -1425,14 +1429,20 @@ it in the next step. in the trusted timestamp metadata. If the versions do not match, discard the new snapshot metadata, abort the update cycle, and report the failure. -5. **Check for a rollback attack**. The version number of the targets - metadata file, and all delegated targets metadata files, if any, in the - trusted snapshot metadata file, if any, MUST be less than or equal to its - version number in the new snapshot metadata file. Furthermore, any targets - metadata filename that was listed in the trusted snapshot metadata file, if - any, MUST continue to be listed in the new snapshot metadata file. If any of - these conditions are not met, discard the new snapshot metadata file, abort - the update cycle, and report the failure. +5. **Check for a rollback attack**. + + 1. The new snapshot metadata file MUST contain the description of the targets + metadata file. If not, discard the new snapshot metadata file, abort the + cycle, and report the failure. + + 2. The version number of the targets metadata file, and all delegated targets + metadata files, if any, in the trusted snapshot metadata file, if any, + MUST be less than or equal to its version number in the new snapshot + metadata file. Furthermore, any targets metadata filename that was listed + in the trusted snapshot metadata file, if any, MUST continue to be listed + in the new snapshot metadata file. If any of these conditions are not + met, discard the new snapshot metadata file, abort the update cycle, and + report the failure. 6. **Check for a freeze attack**. The expiration timestamp in the new snapshot metadata file MUST be higher than the fixed update start time. From 440e099369698179887486d7ec46a31a8053433d Mon Sep 17 00:00:00 2001 
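Review bot: on the snapshot workflow hunk (step 5) of the first patch, the new sub-step 1 requires that snapshot.json describe targets.json, which holds on every update including the very first one, so it is a well-formedness check independent of any trusted snapshot file and belongs before the rollback comparison rather than as a sub-step of it; sub-step 2 then carries the actual rollback conditions (version monotonicity and "any filename listed in the trusted snapshot MUST continue to be listed"). The wording "abort the cycle" in sub-step 1 should also match the "abort the update cycle" used in sub-step 2 and in the surrounding steps.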
From: Erick Tryzelaar Date: Thu, 19 May 2022 11:01:23 -0700 Subject: [PATCH 2/3] Flesh out timestamp/snapshot rollback attack resistance --- tuf-spec.md | 90 +++++++++++++++++++++++++++++++++++------------------ 1 file changed, 60 insertions(+), 30 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index 6588131..ebd4e02 100644 --- a/tuf-spec.md +++ b/tuf-spec.md 
@@ -1368,24 +1368,40 @@ it in the next step. 3. **Check for a rollback attack.** - 1. The version number of the trusted timestamp metadata file, if any, MUST be - less than the version number of the new timestamp metadata file. If the - new timestamp metadata version is less than the trusted timestamp metadata - version, discard it, abort the update cycle, and report the potential - rollback attack. In case they are equal, discard the new timestamp - metadata and abort the update cycle. This is normal and it shouldn't raise - any error. The reason for aborting the update process is that there - shouldn't be any changes in the content of this, or any other metadata - files too, considering it has the same version as the already trusted one. - - 2. The new timestamp metadata file MUST only contain the description of the - snapshot metadata file. If not, discard the new snapshot metadata file, - abort the cycle, and report the failure. - - 3. The version number of the snapshot metadata file in the trusted timestamp - metadata file, if any, MUST be less than or equal to its version number in - the new timestamp metadata file. If not, discard the new timestamp - metadata file, abort the update cycle, and report the failure. + 1. The [=metapath/VERSION=] number of the trusted timestamp metadata file, if + any, MUST be less than the [=metapath/VERSION=] number of the new timestamp + metadata file. If the new timestamp metadata version is less than the + trusted timestamp metadata version, discard it, abort the update cycle, and + report the potential rollback attack. In case they are equal, discard the + new timestamp metadata and abort the update cycle. This is normal and it + shouldn't raise any error. The reason for aborting the update process is + that there shouldn't be any changes in the content of this, or any other + metadata files too, considering it has the same version as the already + trusted one. + + 2. 
The new timestamp metadata file's [=METAFILES=] object MUST only + contain the snapshot metadata file. If not, discard the new timestamp + metadata file, abort the cycle, and report the failure. + + 3. The [=metapath/VERSION=] number of the snapshot metadata file in the + trusted timestamp metadata file, if any, MUST be less than or equal to its + [=metapath/VERSION=] number in the new timestamp metadata file. If not, + discard the new timestamp metadata file, abort the update cycle, and report + the failure. + + 4. If the new timestamp metadata file's [=metapath/VERSION=] number of the + snapshot metadata file is equal to the [=metapath/VERSION=] numbers in the + trusted snapshot metadata file: + + 1. The [=metapath/LENGTH=] in the new timestamp metadata file, if any, MUST + be equal to the [=metapath/LENGTH=] in the trusted timestamp file, if any. + If not, discard the new timestamp metadata file, abort the cycle, and + report the failure. + + 2. For each entry in the new timestamp metadata file's [=metapath/HASHES=] + dictionary, if the key is present in the trusted timestamp metadata file, + the values MUST be equal. If not, discard the new timestamp metadata + file, abort the cycle, and report the failure. 4. **Check for a freeze attack.** The expiration timestamp in the new timestamp metadata file MUST be higher than the fixed update start time. 
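Review bot: step 4's guard compares the snapshot [=metapath/VERSION=] announced by the new timestamp file against "the [=metapath/VERSION=] numbers in the trusted snapshot metadata file", but sub-steps 4.1 and 4.2 then compare [=metapath/LENGTH=] and [=metapath/HASHES=] against the trusted *timestamp* file, and a trusted snapshot file may not exist yet when this runs. The guard should use the same baseline as the sub-steps: "is equal to the [=metapath/VERSION=] number of the snapshot metadata file in the trusted timestamp metadata file" (singular "number"). Two further points: in 4.1 the double "if any" leaves undefined what to do when exactly one of the two files carries a [=metapath/LENGTH=]; and 4.2 as written is satisfied trivially when the new timestamp file omits `hashes` altogether, so a repository could drop the hash commitment for an unchanged snapshot version without being rejected. If that is intended it should be stated; otherwise require that every hash algorithm present in the trusted file's [=metapath/HASHES=] also be present in the new file's, with equal values.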
@@ -1431,18 +1447,32 @@ it in the next step. 5. **Check for a rollback attack**. - 1. The new snapshot metadata file MUST contain the description of the targets - metadata file. If not, discard the new snapshot metadata file, abort the - cycle, and report the failure. - - 2. The version number of the targets metadata file, and all delegated targets - metadata files, if any, in the trusted snapshot metadata file, if any, - MUST be less than or equal to its version number in the new snapshot - metadata file. Furthermore, any targets metadata filename that was listed - in the trusted snapshot metadata file, if any, MUST continue to be listed - in the new snapshot metadata file. If any of these conditions are not - met, discard the new snapshot metadata file, abort the update cycle, and - report the failure. + 1. The new snapshot metadata file's [=METAFILES=] object MUST contain a + [=snapshot/METAPATH=] entry for the targets metadata file, and all delegated targets + metadata files, if any, in the trusted snapshot metadata file. If not, + discard the new snapshot metadata file, abort the cycle, and report the + failure. + + 2. The [=metapath/VERSION=] number of the targets metadata file, and all + delegated targets metadata files, if any, in the trusted snapshot metadata + file MUST be less than or equal to its [=metapath/VERSION=] number in the + new snapshot metadata file. If not, discard the new snapshot metadata + file, abort the cycle, and report the failure. + + 3. If the new snapshot metadata file's [=metapath/VERSION=] number of the + targets metadata file, or any delegated targets metadata files, if any, are + equal to the [=metapath/VERSION=] numbers in the trusted targets metadata + file: + + 1. The [=metapath/LENGTH=] in the new snapshot metadata file, if any, MUST + be equal to the [=metapath/LENGTH=] in the trusted snapshot file, if any. + If not, discard the new snapshot metadata file, abort the cycle, and + report the failure. + + 2. 
For each entry in the new snapshot metadata file's [=metapath/HASHES=] + dictionary, if the key is present in the trusted snapshot metadata file, + the values MUST be equal. If not, discard the new snapshot metadata + file, abort the cycle, and report the failure. 6. **Check for a freeze attack**. The expiration timestamp in the new snapshot metadata file MUST be higher than the fixed update start time. From cc41726801d6bc30a6094d49fb70cf178820d5df Mon Sep 17 00:00:00 2001 From: Erick Tryzelaar Date: Fri, 20 May 2022 11:00:26 -0700 Subject: [PATCH 3/3] Bump date and version --- tuf-spec.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tuf-spec.md b/tuf-spec.md index ebd4e02..e43c407 100644 --- a/tuf-spec.md +++ b/tuf-spec.md @@ -3,7 +3,7 @@ Title: The Update Framework Specification Shortname: TUF Status: LS Abstract: A framework for securing software update systems. -Date: 2022-04-28 +Date: 2022-05-20 Editor: Justin Cappos, NYU Editor: Trishank Karthik Kuppusamy, Datadog Editor: Joshua Lock, VMware @@ -16,7 +16,7 @@ Boilerplate: copyright no, conformance no Local Boilerplate: header yes Markup Shorthands: css no, markdown yes Metadata Include: This version off, Abstract off -Text Macro: VERSION 1.0.30 +Text Macro: VERSION 1.0.31 Note: We strive to make the specification easy to implement, so if you come
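Review bot: on the snapshot workflow hunk (step 5) of the second patch, sub-step 3 conditions on equality with "the [=metapath/VERSION=] numbers in the trusted targets metadata file", but 5.3.1 and 5.3.2 compare against the trusted *snapshot* file, and the baseline is the per-[=snapshot/METAPATH=] entry in the trusted snapshot's [=METAFILES=] object, not the targets file itself. Because several targets files can be listed, the check also needs to be stated per entry: for each [=snapshot/METAPATH=] present in both files whose [=metapath/VERSION=] is unchanged, that entry's [=metapath/LENGTH=] (if present in both) and [=metapath/HASHES=] MUST match, rather than one length/hashes comparison over the whole file. Sub-step 1 additionally reads as if the top-level targets entry were only required when a trusted snapshot file exists; since snapshot.json must always describe targets.json, split it into an unconditional requirement for targets.json plus a requirement that every [=snapshot/METAPATH=] listed in the trusted snapshot file, if any, remain listed. Finally, "abort the cycle" in 5.1 through 5.3 should match the "abort the update cycle" wording used elsewhere in this workflow.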