Check timestamp/snapshot contains snapshot/targets description #226
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,7 @@ Title: The Update Framework Specification | |
| Shortname: TUF | ||
| Status: LS | ||
| Abstract: A framework for securing software update systems. | ||
| Date: 2022-05-20 | ||
| Editor: Justin Cappos, NYU | ||
| Editor: Trishank Karthik Kuppusamy, Datadog | ||
| Editor: Joshua Lock, VMware | ||
|
|
@@ -16,7 +16,7 @@ Boilerplate: copyright no, conformance no | |
| Local Boilerplate: header yes | ||
| Markup Shorthands: css no, markdown yes | ||
| Metadata Include: This version off, Abstract off | ||
| Text Macro: VERSION 1.0.31 | ||
| </pre> | ||
|
|
||
| Note: We strive to make the specification easy to implement, so if you come | ||
|
|
@@ -1368,20 +1368,40 @@ it in the next step. | |
|
|
||
| 3. **Check for a rollback attack.** | ||
|
|
||
| 1. The [=metapath/VERSION=] number of the trusted timestamp metadata file, if | ||
| any, MUST be less than the [=metapath/VERSION=] number of the new timestamp | ||
| metadata file. If the new timestamp metadata version is less than the | ||
| trusted timestamp metadata version, discard it, abort the update cycle, and | ||
| report the potential rollback attack. In case they are equal, discard the | ||
| new timestamp metadata and abort the update cycle. This is normal and it | ||
| shouldn't raise any error. The reason for aborting the update process is | ||
| that there shouldn't be any changes in the content of this, or any other | ||
| metadata files too, considering it has the same version as the already | ||
| trusted one. | ||
|
|
||
| 2. The new timestamp metadata file's [=METAFILES=] object MUST only | ||
| contain the snapshot metadata file. If not, discard the new timestamp | ||
| metadata file, abort the cycle, and report the failure. | ||
|
|
||
| 3. The [=metapath/VERSION=] number of the snapshot metadata file in the | ||
| trusted timestamp metadata file, if any, MUST be less than or equal to its | ||
| [=metapath/VERSION=] number in the new timestamp metadata file. If not, | ||
| discard the new timestamp metadata file, abort the update cycle, and report | ||
| the failure. | ||
|
|
||
| 4. If the new timestamp metadata file's [=metapath/VERSION=] number of the | ||
| snapshot metadata file is equal to the [=metapath/VERSION=] numbers in the | ||
| trusted snapshot metadata file: | ||
|
|
||
| 1. The [=metapath/LENGTH=] in the new timestamp metadata file, if any, MUST | ||
| be equal to the [=metapath/LENGTH=] in the trusted timestamp file, if any. | ||
| If not, discard the new timestamp metadata file, abort the cycle, and | ||
|
There was a problem hiding this comment. Why do we discard the new timestamp metadata? Could an attacker later roll back the timestamp file? There was a problem hiding this comment. I'm not sure if it's necessarily resisting an attack, but more about enabling the optimization where we can skip downloading metadata if we already have it locally without putting our local trusted metadata in an inconsistent state (such as in #114 and #227). It might be helpful if we work with an example. Say we have locally trusted metadata, with Timestamp T1 and Snapshot S1, which is at version N. The remote repository is at Timestamp T1 and Snapshot S2, which also is at version N. When we perform a client update, we will:
At this point we could decide that we we already have the trusted Snapshot S1, so we could abort the update workflow. However this would be incorrect, because it's possible that Snapshot S2 could have different content than Snapshot S1. If Timestamp T2 contains the optional length and/or hashes of Snapshot S2. This means that if we create a brand new client based off the local trusted metadata, we cannot use the length/hashes from Timestamp T2 to verify Snapshot S1. This would then force us to throw away the Snapshot S1 and download the new S2 version. This patch tries to avoid this issue by enforcing that we cannot get into this state by treating Timestamp T2 as invalid, since it doesn't match what we already trust. This would be especially handy if we implement transactional downloading of metadata in #69 to make sure the local metadata doesn't get into an incomplete state. There was a problem hiding this comment.
Did you mean T2? You do say the client downloads T2 below. I assume this is a typo here? Just to make sure, do I understand correctly that in your example:
This implies that the repo has incorrectly updated snapshot and timestamp, without bumping snapshot's version number, right? Following you proposal, the client that already trusts T1 and S1 can only update, if the repo issues a new T2 (or higher) describing a new S2, with a version number higher than S1. Is that correct? If so, I think it's fair. |
||
| report the failure. | ||
|
|
||
| 2. For each entry in the new timestamp metadata file's [=metapath/HASHES=] | ||
| dictionary, if the key is present in the trusted timestamp metadata file, | ||
| the values MUST be equal. If not, discard the new timestamp metadata | ||
|
There was a problem hiding this comment. Same comment as above here. There was a problem hiding this comment. This was covered in the above comment, so lets track it there. |
||
| file, abort the cycle, and report the failure. | ||
|
|
||
| 4. **Check for a freeze attack.** The expiration timestamp in the | ||
| new timestamp metadata file MUST be higher than the fixed update start time. | ||
|
|
@@ -1425,14 +1445,34 @@ it in the next step. | |
| in the trusted timestamp metadata. If the versions do not match, discard the | ||
| new snapshot metadata, abort the update cycle, and report the failure. | ||
|
|
||
| 5. **Check for a rollback attack**. | ||
|
|
||
| 1. The new snapshot metadata file's [=METAFILES=] object MUST contain a | ||
| [=snapshot/METAPATH=] entry for the targets metadata file, and all delegated targets | ||
| metadata files, if any, in the trusted snapshot metadata file. If not, | ||
| discard the new snapshot metadata file, abort the cycle, and report the | ||
|
There was a problem hiding this comment. Do we need to discard the snapshot file in this case? Why? There was a problem hiding this comment. This was covered in the above comment, so lets track it there. |
||
| failure. | ||
|
|
||
| 2. The [=metapath/VERSION=] number of the targets metadata file, and all | ||
| delegated targets metadata files, if any, in the trusted snapshot metadata | ||
| file MUST be less than or equal to its [=metapath/VERSION=] number in the | ||
| new snapshot metadata file. If not, discard the new snapshot metadata | ||
| file, abort the cycle, and report the failure. | ||
|
|
||
| 3. If the new snapshot metadata file's [=metapath/VERSION=] number of the | ||
| targets metadata file, or any delegated targets metadata files, if any, are | ||
| equal to the [=metapath/VERSION=] numbers in the trusted targets metadata | ||
| file: | ||
|
|
||
| 1. The [=metapath/LENGTH=] in the new snapshot metadata file, if any, MUST | ||
| be equal to the [=metapath/LENGTH=] in the trusted snapshot file, if any. | ||
| If not, discard the new snapshot metadata file, abort the cycle, and | ||
| report the failure. | ||
|
|
||
| 2. For each entry in the new snapshot metadata file's [=metapath/HASHES=] | ||
| dictionary, if the key is present in the trusted snapshot metadata file, | ||
| the values MUST be equal. If not, discard the new snapshot metadata | ||
| file, abort the cycle, and report the failure. | ||
|
|
||
| 6. **Check for a freeze attack**. The expiration timestamp in the | ||
| new snapshot metadata file MUST be higher than the fixed update start time. | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.