The specification lists specific attacks which TUF aims to protect against.
To ensure the code covers all of the attacks and does not introduce regressions it is desirable to identify or, where they don't already exist, create tests that cover each of the attacks the specification is designed to protect against.
arbitrary software installation
rollback attacks (covered by TrustedMetadataSet?)
fast-forward attacks
indefinite freeze attacks
extraneous dependency attacks
mix-and-match attacks
wrong software installation
malicious mirrors preventing updates
joshuagl changed the title from "ngtests: research known attacks on package managers" to "ngtests: ensure tests cover known attacks on package managers" on Oct 27, 2021
I don't have a clean closure for this but I think we should close it. Most of the listed attacks are not meaningful to test against, but I did file two issues. I'll list some notes here and close this issue:
Arbitrary software installation
This is prevented by signing hashes of target files, the core TUF functionality. Tests exist.
A practical attack against TUF involves targets key compromise. Mitigations against that are:
easy targets key rotation
additional checks before signing with online keys (not tested, outside of TUF scope)
Rollback attacks
Rollback attacks on target files or metadata are mitigated by timestamping and by the client caching the version numbers of every targets metadata in snapshot. Tests exist, see test_updater_top_level_update.py.
A practical rollback attack against TUF involves online keys compromise. Mitigations against that are:
easy online keys rotation
Fast-forward attacks
A fast-forward attack against TUF requires compromise of targets or online keys. There does not seem to be anything to test here...
Mitigations:
fast-forwarded targets metadata can just be replaced: delegation is directed to a new delegated role
fast-forwarded online metadata can be rolled back by rotating their keys
Indefinite freeze is prevented by timestamp expiry. Multiple tests exist.
A successful attack would require a compromised timestamp key. Mitigations against this:
easy timestamp key rotation
Endless data attacks
Target length and metadata length are capped by either exact number or a maximum value.
Target length is tested but metadata does not seem to be: #1730
Extraneous dependencies attacks
This is not something TUF handles at all.
Mix-and-match attacks
When consistent snapshot is used, TUF clients see a consistent snapshot of the repository... mix-and-match is still possible if the updater system includes multiple versions of a dependency in TUF repository, but this is not a TUF problem.
Wrong software installation
This requires a targets key compromise with TUF (or it is the responsibility of the updater system).
Malicious mirrors preventing updates
ngclient does not try to solve this currently. The attack is also very abstract: not well defined
Vulnerability to key compromises
TUF keys are either not as exposed or not as high value as the key in a single-key system.
This is an abstract class of attacks, not going to invent a test for this
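As an added illustration of three client-side checks the closing comment refers to (version comparison against the cached snapshot for rollback, expiry for indefinite freeze, a length cap for endless data), here is a minimal stand-alone model in Python. It is not python-tuf code: the `Snapshot` class, the function names and the 2,000,000-byte default cap are assumptions made for the example, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class VerificationError(Exception):
    """New metadata failed a client-side check."""

@dataclass
class Snapshot:
    # Simplified stand-in for snapshot metadata (hypothetical, not python-tuf's class).
    version: int
    expires: datetime
    meta: dict = field(default_factory=dict)  # e.g. {"targets.json": 3}

def check_length(raw: bytes, max_length: int) -> None:
    # Endless data: refuse metadata larger than the configured cap.
    if len(raw) > max_length:
        raise VerificationError(f"metadata is {len(raw)} bytes, cap is {max_length}")

def check_not_expired(new: Snapshot, now: datetime) -> None:
    # Indefinite freeze: metadata at or past its expiry must not be trusted.
    if new.expires <= now:
        raise VerificationError(f"metadata expired at {new.expires.isoformat()}")

def check_no_rollback(trusted: Snapshot, new: Snapshot) -> None:
    # Rollback: no version may go backwards and no listed file may disappear.
    if new.version < trusted.version:
        raise VerificationError(f"snapshot version {new.version} < {trusted.version}")
    for name, old_version in trusted.meta.items():
        if name not in new.meta:
            raise VerificationError(f"{name} removed from snapshot")
        if new.meta[name] < old_version:
            raise VerificationError(f"{name} version {new.meta[name]} < {old_version}")

def accept_snapshot(trusted, raw, new, now, max_length=2_000_000):
    """Run all three checks; return `new` as the trusted snapshot on success."""
    check_length(raw, max_length)
    check_not_expired(new, now)
    if trusted is not None:  # first update: nothing cached to compare against
        check_no_rollback(trusted, new)
    return new

if __name__ == "__main__":
    now = datetime(2021, 10, 27, tzinfo=timezone.utc)  # constructed sample data
    trusted = Snapshot(2, now + timedelta(days=1), {"targets.json": 3})
    replayed = Snapshot(2, now + timedelta(days=1), {"targets.json": 2})
    try:
        accept_snapshot(trusted, b"{}", replayed, now)
    except VerificationError as e:
        print("rejected:", e)
```
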