-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify rollback attack prevention and fast-forward attack recovery #86
Clarify rollback attack prevention and fast-forward attack recovery #86
Commits on Sep 1, 2020
-
Revert "Remove 2nd targets rollback attack check"
This reverts commit 2eccb59. 2eccb59 removed rollback attack check for top-level targets file, which is (1) redundant and (2) prevents recovery from a fast-forward attack (see commit message for details). This commit reverts the change, because the redundancy (1) is actually desired, so that an attacker does not only have to compromise timestamp, but snapshot and (delegated) targets too, in order to launch rollback attacks. Fast-forward attack recovery (2) shall be fixed in a subsequent comment.
Configuration menu - View commit details
-
Copy full SHA for 0ecf980 - Browse repository at this point
Copy the full SHA 0ecf980View commit details -
Clarify how delegated roles are downloaded
Section 5.4.5 is a little vague how on delegated targets are fetched and validated. This updates that section to use the same logic and verification process as downloading the top-level targets role to be explicit. One thing to point out though is that the old section 4.5 suggests that we don't report verification errors to the user. I've preserved this in my explicit version. I imagine users would still be notified if their delegated roles may be undergoing an attack. Is this intentional, or should I switch to the "abort the update cycle, and report the potential rollback attack"-style phrasing used elsewhere in the spec?
Configuration menu - View commit details
-
Copy full SHA for 75ac163 - Browse repository at this point
Copy the full SHA 75ac163View commit details -
Configuration menu - View commit details
-
Copy full SHA for 329361a - Browse repository at this point
Copy the full SHA 329361aView commit details -
Add freeze attack check for delegated targets
A recent commit added a detailed verification workflow for delegated targets, including check against snapshot, and signature and version check. This commit adds the missing freeze attack (i.e. timestamp) check.
Configuration menu - View commit details
-
Copy full SHA for c36e0c0 - Browse repository at this point
Copy the full SHA c36e0c0View commit details -
Adopt reporting wording for delegated targets
Recent commits added a detailed verification workflow for delegated targets, including check against snapshot, and signature, version and timestamp checks. This commit adopts the failure reporting phrasing used elsewhere in the client workflow.
Configuration menu - View commit details
-
Copy full SHA for e4a6f9e - Browse repository at this point
Copy the full SHA e4a6f9eView commit details -
Clarify recovery from ffwd on top-level roles
Clarify what files to delete or untrust in various situations to recover from a fast-forward attack on top-level metadata.
Configuration menu - View commit details
-
Copy full SHA for b677f6a - Browse repository at this point
Copy the full SHA b677f6aView commit details -
Clarify recovery from ffwd on top-level targets
To recover from a fast-forward attack on the top-level targets metadata, only targets and snapshot (not timestamp) metadata must be untrusted/deleted. Targets, because it was attacker controlled, and snapshot, because it unwittingly might have unwittingly recorded the attacker controlled targets version.
Configuration menu - View commit details
-
Copy full SHA for fa2d263 - Browse repository at this point
Copy the full SHA fa2d263View commit details -
Clarify recovery from ffwd on delegated targets
Akin to the recovery from fast-forward attacks on the top-level targets role, if a delegated targets role has been compromised, the previously trusted delegated targets metadata and the previously trusted snapshot metadata must be deleted. This must happen so that the rollback attack check (*), which makes sure that the version number of the new delegated targets is higher (or equal) than that of the old does not prevent updates after an ffwd attack. For the top-level targets metadata ffwd recovery logic is performed based on key removals in the root metadata and thus can happen before downloading the snapshot metadata. For delegated targets, on the other hand, where the keys are defined by delegating targets role(s) and not in the root metadata, ffwd recovery logic can only be performed after the delegating targets have been downloaded. (*) Note that there are two targets role rollback checks. One is based on the snapshot metadata, to fail early, i.e. before a potentially compromised (delegated) targets metadata is downloaded, and the other is based directly on the (delegated) targets metadata, so that an attacker needs to compromise snapshot and (delegated) targets keys, to successfully perform a rollback attack. This commit updates the client workflow according to above observations.
Configuration menu - View commit details
-
Copy full SHA for 65e042d - Browse repository at this point
Copy the full SHA 65e042dView commit details -
Add details about ffwd attacker goals
Co-Authored-By: Justin Cappos <[email protected]> Co-Authored-By: Joshua Lock <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a06c5a8 - Browse repository at this point
Copy the full SHA a06c5a8View commit details -
Replace DELEGATE with DELEGATEE
Following @trishankatdatadog's and @jhdalek55's suggestion, according to which, a delegate, when used as a noun, generally implies a person. "Delegatee" is defined as "someone or something to which something is delegated." In this case, when the responsibility for signing is being granted to a different entity, "delegatee" more clearly conveys this concept.
Configuration menu - View commit details
-
Copy full SHA for e96f1e8 - Browse repository at this point
Copy the full SHA e96f1e8View commit details -
Clarify delegated targets optional hash check
Clarify that the hashes of delegated targets metadata in snapshot metadata are optional and should only be match checked by the client if present.
Configuration menu - View commit details
-
Copy full SHA for 5ef7a9c - Browse repository at this point
Copy the full SHA 5ef7a9cView commit details -
Configuration menu - View commit details
-
Copy full SHA for 1af5d03 - Browse repository at this point
Copy the full SHA 1af5d03View commit details