Rollback attacks and fast forward recovery #150
Conversation
|
Thank you for working on this Marina! FYI I'm planning to review this early next week. |
tuf-spec.md
Outdated
| 1. **Targets recovery** If a threshold of targets keys have been | ||
| removed in the new trusted root metadata compared to the previous trusted | ||
| root metadata, delete the old top-level targets and snapshot metadata | ||
| files. Note that delegated targets are susceptible to fast forward attacks, |
There was a problem hiding this comment.
I have to admit these two sentences are not immediately clear to me. Would you please rephrase and clarify?
tuf-spec.md
Outdated
| metadata file, and all delegated targets metadata files, if any, in the | ||
| trusted snapshot metadata file, if any, MUST be less than or equal to its | ||
| version number in the new snapshot metadata file. Furthermore, any targets | ||
| 5. **Check for a rollback attack**. The version number of all targets metadata files in the |
There was a problem hiding this comment.
Nit: looks like line overflow
tuf-spec.md
Outdated
| @@ -1470,18 +1486,53 @@ it in the next step. | |||
| 2. Otherwise, recursively search the list of delegations in | |||
| order of appearance. | |||
|
|
|||
| 1. If the current delegation is a multi-role delegation, | |||
| 1. Let DELEGATEE denote the current target role TARGETS is | |||
There was a problem hiding this comment.
Could we please say DELEGATOR instead of TARGETS? Can be conflated at first glance with the top-level targets role.
There was a problem hiding this comment.
This is using the same TARGETS defined at the beginning of step 7 (line 1475 in this version). I'll see if I can clarify this.
There was a problem hiding this comment.
Sorry, just to be sparkling clear, I think we should start off by setting the DELEGATOR role to the top-level targets role, and go from there. Otherwise, it could confuse a few readers.
There was a problem hiding this comment.
I think it could be clearer. Please see my latest suggestions?
There was a problem hiding this comment.
That makes sense. I think yours maps more closely to what the code would look like.
|
(I'll squash these last few commits once we finalize) |
Possibly better to do it now, as squash & force push will discard any approvals. |
Fair enough, it's either discard the approvals or discard the comment history :). I'll go ahead and fix it now |
mnm678
force-pushed
the
client-verification
branch
from
cd54ef6
to
7c534bc
Compare
|
The whole preorder DFS is really not defined accurately. I can help to edit the text, but this code might help in the meantime. |
Which part? This pr just adds the snapshot and hash checks for delegated targets |
Yeah, maybe best done in another PR, but if you read the whole thing, you can see it has some work to do. |
I think I see what you mean. I'll move the check added in this pr to after the section about multi-role delegations, because these checks should be done for each role in the multi-role delegation. There might be some better clarifications to the section as a whole, but I'll leave that to a separate pr to avoid too much scope creep here. |
tuf-spec.md
Outdated
| timestamp, snapshot, targets, or delegated targets metadata. The attacker's goal | ||
| is to cause clients to refuse to update the metadata later because the attacker's | ||
| listed metadata version number (possibly MAX_INT) is greater than the new valid | ||
| version. To recover from a fast-forward attacks after the repository has been |
There was a problem hiding this comment.
"recover from fast-forward attacks" dropping a
Or
"Recover from a fast forward attack" dropping plural s attacks
tuf-spec.md
Outdated
| number of bytes. The value for Z is set by the authors of the application | ||
| using TUF. For example, Z may be tens of kilobytes. IF DELEGATEE cannot be | ||
| found, end the search and report the target cannot be found. If | ||
| consistent snapshots are not used (see Section 7), then the filename used |
There was a problem hiding this comment.
Let's cross-reference the consistent snapshots section here and not refer to it by explicit number, i.e. "[[#consistent-snapshots]]"
tuf-spec.md
Outdated
| 6. **Check for a freeze attack.** The latest known time | ||
| should be lower than the expiration timestamp in the new DELEGATEE | ||
| metadata file. If so, the new DELEGATEE file becomes the trusted DELEGATEE |
There was a problem hiding this comment.
We changed the way we describe a freeze attack check, could you make this consistent with the other checks in the spec?
"The expiration timestamp in new DELEGATEE metadata file MUST be higher than the fixed update start time."
mnm678
force-pushed
the
client-verification
branch
from
c0ec26d
to
f4f162d
Compare
|
Thanks @joshuagl, I updated and rebased over the recent merge. |
Section 7 is a little vague how on delegated targets are fetched and validated. This updates that section to use the same logic and verification process as downloading the top-level targets role to be explicit. One thing to point out though is that the old section 7 suggests that we don't report verification errors to the user. I've preserved this in my explicit version. I imagine users would still be notified if their delegated roles may be undergoing an attack. Is this intentional, or should I switch to the "abort the update cycle, and report the potential rollback attack"-style phrasing used elsewhere in the spec?
A recent commit added a detailed verification workflow for delegated targets, including check against snapshot, and signature and version check. This commit adds the missing freeze attack (i.e. timestamp) check.
Recent commits added a detailed verification workflow for delegated targets, including check against snapshot, and signature, version and timestamp checks. This commit adopts the failure reporting phrasing used elsewhere in the client workflow.
Clarify what files to delete or untrust in various situations to recover from a fast-forward attack on top-level metadata.
To recover from a fast-forward attack on the top-level targets metadata, only targets and snapshot (not timestamp) metadata must be untrusted/deleted. Targets, because it was attacker controlled, and snapshot, because it unwittingly might have unwittingly recorded the attacker controlled targets version.
Akin to the recovery from fast-forward attacks on the top-level targets role, if a delegated targets role has been compromised, the previously trusted delegated targets metadata and the previously trusted snapshot metadata must be deleted. This must happen so that the rollback attack check (*), which makes sure that the version number of the new delegated targets is higher (or equal) than that of the old does not prevent updates after an ffwd attack. For the top-level targets metadata ffwd recovery logic is performed based on key removals in the root metadata and thus can happen before downloading the snapshot metadata. For delegated targets, on the other hand, where the keys are defined by delegating targets role(s) and not in the root metadata, ffwd recovery logic can only be performed after the delegating targets have been downloaded. (*) Note that there are two targets role rollback checks. One is based on the snapshot metadata, to fail early, i.e. before a potentially compromised (delegated) targets metadata is downloaded, and the other is based directly on the (delegated) targets metadata, so that an attacker needs to compromise snapshot and (delegated) targets keys, to successfully perform a rollback attack. This commit updates the client workflow according to above observations.
Co-Authored-By: Justin Cappos <justincappos@gmail.com> Co-Authored-By: Joshua Lock <jlock@vmware.com>
So IIUC you mean if no m_t of k_t exists in m_{t+n} of k_{t+n}, then delete previous timestamp/snapshots/targets metadata. This was also my interpretation, but Hossein pointed out that it's too strong. Look at his example here. Just because a threshold of old keys have colluded and caused fast-forward attacks, doesn't mean you have the luxury to rotate all the rest that have not provably colluded. So, the requirement should be less strict: if any (not all) old threshold of old keys have been rotated out, then take that as a signal of possible fast-forward attack, and delete the previous metadata. |
I have to admit I don't understand what that means... but I'll look at the examples:
If we have loaded root v2 and current targets keys are [b,c,d,e], we absolutely cannot trust targets.json if it was signed by only two keys and one of them was a, because at that point it is not signed by threshold of keys. On the other hand if targets.json was signed by more than two keys (or one of them was not a), things are just fine.
If targets.json was signed by at least c & d, then we can trust it and do not have to remove it 🤷 From the context I finally think I understand what you are getting at: you think you can use the number of removed keys in a specific delegator update in comparison to the threshold of keys as a signal... I don't think you can as the keys might have been removed one by one in multiple metadata versions -- the possibility of a ffwd attack is still there even though only one key was removed at a time. I don't quite understand why you want to remove targets.json if you suspect a ffwd attack may have happened? the real issue is in snapshot (where the targets.json version might be too big) and the issue may have been there for multiple snapshot versions already (so you can't just go back to a previous snapshot or something). I don't think there are other solutions to this problem than snapshot key rotation, and frankly it seems like a really good solution to me... |
The key problem is that we are looking at only the previous and current roots now to decide whether to delete previous timestamp/snapshot/targets metadata without looking at the current version of the latter, you see? So you cannot check based on what the actual signatures are. You can only decide based on comparing previous/current threshold of timestamp/snapshot/targets keys. |
|
As I see it there are 2 things being discussed (and possibly confused) here:
For 1, this logic is similar to the reason for not providing explicit fast-forward attack recovery for delegated targets. I'm starting to agree with @jku that snapshot might be the only place that fast forward attack recovery is needed. 2 is a bit trickier. If you have a previous trusted snapshot metadata file A and a new one B (both signed by a valid threshold of keys from the root metadata at the time they were downloaded), how do you know if you should do rollback checks between B and A, or skip these to recover from a possible fast forward attack. I would argue that the rollback checks should be skipped whenever a thresholdA of keys from A is not present in B (which I think is what @trishankatdatadog is arguing). Am I missing anything? |
This is what I'm suggesting, no? If the new root rotated targets keys in a way that the local targets.json is no longer signed by correct threshold of keys, we should not trust that targets.json for anything. I'm not waiting for some next version of targets before making that decision, I'm deciding that immediately as the keys are rotated.
I agree that we should only look at the keys/threshold, but I'm arguing we can only consider the currently valid keys/threshold. The idea that we can somehow compare current and previous keys is just not sound. Just as one example, imagine this scenario:
|
I still don't understand why the repository can't handle this. If there is a fast forward attack I think it's completely reasonable to expect the repository to update root and rotate the keys of the snapshot role: key rotation logically leads to client not using the old snapshot for the rollback checks (as at that point the old snapshot is not signed by current threshold of snapshot keys). is this for some reason a bad solution? |
Oh, I think I understand what you're saying now. The client would use the keys in the current root file to verify both the previous and the new snapshot, then if the verification for the previous failed with the current keys, the rollback check would be skipped. Is that what you're talking about? That does seem simpler than the previous/current comparison |
Yes! I think it's a fundamental idea that's already encoded into every rule in the client workflow but for some reason not spelled out: do not trust or use metadata that is not signed by current keys for that role. This should apply at all times: If the local ("old") snapshot metadata is not signed by current snapshot keys after a root update, the "old" snapshot should not be used for rollback checks (or anything at all, because it's not trusted!). |
We still disagree if I understand you correctly. Take Hossein's example of m_t = 2, k_t = [a,b,c,d], m_{t+n} = 2, k_{t+n} = [c,d,e]. You can still use m_{t+n} and k_{t+n} (specifically [c,d]) to verify A_t, but that doesn't mean [a,b] wasn't used to fast-forward snapshot (fuhgedabout targets, no need to get distracted by that red herring). Hence Hossein's condition: if he sees any m_t of k_t removed in k_{t+n}, he reasonably and automatically assumes a fast-forward. |
|
Really, the best resolution is to use an explicit instead of implicit, ambiguous signal to delete timestamp/snapshot/targets metadata from one root to another, but that requires a spec change. Might be worth it than trying to get consensus by abusing an existing, orthogonal mechanism. |
rotating keys is an explicit unambiguous signal that the old metadata (now no longer signed by current keys) should not be trusted and should not be used for anything, including rollback checks. I don't see how it's an orthogonal mechanism: this property is the signatures sole reason for existence. Do we really not have consensus on that? Or did I misread what you mean by the "abusing an existing, orthogonal mechanism"? |
I agree, but I don't think 'key rotation' is currently well defined in the spec. Is it when one key is removed? A threshold of keys? I think that @jku's definition will make the code much simpler, and it relies on trusting the existing root metadata (which is already more trusted than the previous snapshot). However, @trishankatdatadog's definition is a bit more robust in the event that the threshold is lowered in the new root metadata. Although because an attacker that can lower the threshold in root metadata can do much stronger attacks, like just replacing all the keys, I think that we should go with 'trust existing root metadata' as a way to detect a rotation. |
yes, apologies: I meant any change to the roles keys/threshold that leads to local/old metadata to be not trusted. |
Require that the snapshot keys are replaced for fast-forward attack recovery. This commit also simplifies the key rotation check by deleting the snapshot metadata if a threshold of new keys cannot verify the old snapshot metadata. Signed-off-by: Marina Moore <mnm678@gmail.com>
|
@trishankatdatadog @jku I updated the fast-forward attack recovery section. Does this look good to both of you? |
| 2. **Snapshot recovery** If a threshold of snapshot keys have | ||
| been removed in the new trusted root metadata compared to the previous | ||
| trusted root metadata, delete the old snapshot and timestamp metadata | ||
| 1. **Snapshot recovery** If the trusted snapshot metadata cannot be |
There was a problem hiding this comment.
@hosseinsia thoughts?
There was a problem hiding this comment.
This is clever. I like it! So at least a combination of non-revoked keys should have signed the metadata?
And an attacker who uses the compromised keys to sign metadata won't succeed.
| 2. **Snapshot recovery** If a threshold of snapshot keys have | ||
| been removed in the new trusted root metadata compared to the previous | ||
| trusted root metadata, delete the old snapshot and timestamp metadata | ||
| 1. **Snapshot recovery** If the trusted snapshot metadata cannot be |
There was a problem hiding this comment.
This is clever. I like it! So at least a combination of non-revoked keys should have signed the metadata?
And an attacker who uses the compromised keys to sign metadata won't succeed.
Co-authored-by: Hossein Siadati <87046468+hosseinsia@users.noreply.github.com>
| 1. **Snapshot recovery** If the trusted snapshot metadata cannot be | ||
| validated using a threshold of snapshot keys from the new trusted root | ||
| metadata, delete the trusted snapshot and timestamp metadata | ||
| files. |
There was a problem hiding this comment.
I think the core idea here is correct but I'm still not sure it makes sense to put the heuristic part into the client (that client must revoke trust on a correctly signed, valid timestamp just because snapshot is not signed). If snapshot key has been compromised and used to create snapshot version 1billion and timestamp process has accepted that into a timestamp, what prevents us from saying that the timestamp keys must then be rotated to enable rollback?
The client workflow is already complicated and quite tricky to implement: much more difficult than reading the spec text implies. Every addition like this makes it more complex, and it feels like things are added to client workflow partly because the repository workflows are not defined so things can't be added there.
I think the well defined ffwd recoveries are based on the repository rotating keys, and client taking care to not use untrusted metadata to do rollback checks:
- if snapshot version must be rolled back, timestamp keys must be rotated (meaning timestamp keys should be modified so that all timestamps with "compromised snapshot versions" are no longer correctly signed, and will not be used for rollback checks by the client
- if any targets versions must be rolled back (or removed from snapshot), snapshot keys must be rotated (meaning snapshot keys should be modified so that all snapshots with "compromised targets data" are no longer correctly signed, and will not be used for rollback checks by the client
For the client this creates basically no complexity: it just follows the basic rule, only believe trusted, correctly signed metadata. I don't think it puts an unfair burden on the repository either:
- Some of its keys have been compromised
- the online processes failed to prevent the ffwd (especially targets ffwd should be completely preventable)
- we're only asking for online key rotation
The second issue is a nitpick and I don't expect you to change this as it uses language already in the spec but I'll mention it: my opinion is that we should stop talking about "deleting files", or at least make that a secondary aspect: what is important is that the client should not consider the metadata trusted anymore (in practice, we might want to say out loud why exactly we do this: the existing, now untrusted, metadata should not be used to do rollback checks on the new metadata)
There was a problem hiding this comment.
In fact, how would this heuristic even work in practice:
- client has a timestamp with snapshot version==1billion
- client starts a refresh, downloads root, then downloads new timestamp with snapshot version==1
- client sees a rollback attack, stops the update and never even downloads the snapshot that would include the heuristic that would make the valid timestamp now invalid
There was a problem hiding this comment.
I agree that we should separate back out the timestamp vs snapshot recovery. Looking at it again, I actually don't think this check is in the right place in the workflow. I think the timestamp recovery should happen when the timestamp is downloaded, not as part of the root metadata workflow, and the same for snapshot. Especially as it is no longer tied to anything in the previous root metadata file.
It would be great to have separate documentation for the repository workflow. Right now all the advise for managing a fast forward attack (and a lot of other pieces) is buried here in the client workflow.
There was a problem hiding this comment.
Friends, but this is where and what we recommend in the Mercury paper. See "5.3 Recovering from a repository compromise" on page 7.
This is getting contentious enough (for good reasons) that I'm not sure that endless cycles of reviews and comments would do sufficient justice. A meeting hasn't solved the problem either. Perhaps it's time for the BDFL to step in and make a decision one way or another? @JustinCappos
There was a problem hiding this comment.
It would be great to have separate documentation for the repository workflow. Right now all the advise for managing a fast forward attack (and a lot of other pieces) is buried here in the client workflow.
💯 I've filed #186 to track this
The second issue is a nitpick and I don't expect you to change this as it uses language already in the spec but I'll mention it: my opinion is that we should stop talking about "deleting files", or at least make that a secondary aspect: what is important is that the client should not consider the metadata trusted anymore (in practice, we might want to say out loud why exactly we do this: the existing, now untrusted, metadata should not be used to do rollback checks on the new metadata)
Added this notion of changing from "delete file" to "stop trusting" to #103
Friends, but this is where and what we recommend in the Mercury paper. See "5.3 Recovering from a repository compromise" on page 7.
Mercury tells us "the online keys used to sign snapshot metadata can be revoked and replaced with new keys." and "The root-of-trust metadata indicates which keys can be trusted for verifying metadata files, including snapshot metadata files. This leads to a seamless and automatic recovery from fast-forward attacks after a repository compromise."
This seems to state that root metadata indicates which keys can be used for verifying trusted metadata. That is, that key rotation is the correct way to recover from fast-forward attacks and that rollback protection is only provided for top-level metadata which is trusted by the current root metadata.
|
I've re-read the thread and feel like we could perhaps do with another
meeting about this. I can unblock us if we can't resolve it after another
round of discussion.
I did spend a fair amount of time thinking about a way to explicitly
indicate that the metadata should be deleted, but could not think of a good
way to do so when considering clients that may miss updates over an
extended period.
|
Sure, I am willing to do one more meeting.
Why not just set an explicit signal in the root metadata? You will always pick it up when you rotate roots. |
|
If you set the signal, do you remove it when you next rotate roots
normally? What if a client misses the intermediate update? What if there
is also a spec version upgrade? Does a client always get all root files?
…On Sun, Sep 19, 2021 at 2:54 AM Trishank Karthik Kuppusamy < ***@***.***> wrote:
I've re-read the thread and feel like we could perhaps do with another
meeting about this. I can unblock us if we can't resolve it after another
round of discussion.
Sure, I am willing to do one more meeting.
I did spend a fair amount of time thinking about a way to explicitly
indicate that the metadata should be deleted, but could not think of a good
way to do so when considering clients that may miss updates over an
extended period.
Why not just set an explicit signal in the root metadata? You will always
pick it up when you rotate roots.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#150 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGROD2GZEQIBTO3B2XJALTUCTN63ANCNFSM4YG5OYRQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
| compromised and recovered, certain metadata files need to be deleted as | ||
| specified in this section. If a targets file is subjected to a | ||
| fast-forward attack, the snapshot role's keys should be replaced. Please see | ||
| [the Mercury paper](https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf) |
There was a problem hiding this comment.
| [the Mercury paper](https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf) | |
| [the Mercury paper](https://theupdateframework.io/papers/prevention-rollback-attacks-atc2017.pdf) |
Let's link to our own copies.
| [the Mercury paper](https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf) | ||
| for more details on fast-forward attacks. | ||
|
|
||
| 1. **Snapshot recovery** If the trusted snapshot metadata cannot be |
There was a problem hiding this comment.
Note: we don't clearly define what a trusted metadata file is, see #179. Given the implications via this PR and the importance of that term for rollback attack protection, we should address that.
| 1. **Snapshot recovery** If the trusted snapshot metadata cannot be | ||
| validated using a threshold of snapshot keys from the new trusted root | ||
| metadata, delete the trusted snapshot and timestamp metadata | ||
| files. |
There was a problem hiding this comment.
It would be great to have separate documentation for the repository workflow. Right now all the advise for managing a fast forward attack (and a lot of other pieces) is buried here in the client workflow.
💯 I've filed #186 to track this
The second issue is a nitpick and I don't expect you to change this as it uses language already in the spec but I'll mention it: my opinion is that we should stop talking about "deleting files", or at least make that a secondary aspect: what is important is that the client should not consider the metadata trusted anymore (in practice, we might want to say out loud why exactly we do this: the existing, now untrusted, metadata should not be used to do rollback checks on the new metadata)
Added this notion of changing from "delete file" to "stop trusting" to #103
Friends, but this is where and what we recommend in the Mercury paper. See "5.3 Recovering from a repository compromise" on page 7.
Mercury tells us "the online keys used to sign snapshot metadata can be revoked and replaced with new keys." and "The root-of-trust metadata indicates which keys can be trusted for verifying metadata files, including snapshot metadata files. This leads to a seamless and automatic recovery from fast-forward attacks after a repository compromise."
This seems to state that root metadata indicates which keys can be used for verifying trusted metadata. That is, that key rotation is the correct way to recover from fast-forward attacks and that rollback protection is only provided for top-level metadata which is trusted by the current root metadata.
| desired target.** Let DELEGATOR refer to the current | ||
| top-level targets metadata role. |
There was a problem hiding this comment.
| desired target.** Let DELEGATOR refer to the current | |
| top-level targets metadata role. | |
| desired target.** Let DELEGATOR refer to the | |
| top-level targets metadata role. |
At first I thought we were re-defining top-level targets metadata for each cycle, but then I realised by current you just mean the current trusted. I think that's implicit but either a) let's drop current or b) let's make it explicit
|
Just a related note here: we now have tests for all rollback attacks and all fast-forward recovery cases in python-tuf ngclient thanks to @kairoaraujo (search for "rollback" in https://github.com/theupdateframework/python-tuf/blob/develop/tests/test_updater_top_level_update.py) No ff-recovery specific rules are needed in the client. The only rule is: This directly leads to following matrix because of the rollback checks: (where "rotate" means that no previous, possibly fast forwarded, metadata is valid according to the new keys). I believe that is in line with this PR and I think the PR is an improvement... but I think long term the spec would be more useful to implementers if it was built around this idea (only ever use metadata that is signed with current threshold of current keys) and not specific individual rules (like if specific situation A then delete files B and C): The same advice can still be given but it would be easier to understand cause-and-effect and design good software. |
This is my attempted takeover of #86. Based on discussion in that pr, I decided to explicitly recommend that fast forward attack recovery for delegated targets roles requires replacement of snapshot keys. Specifically this pr:
It might be worth adding an ADR/other documentation about the possible methods for fast forward attack recovery and why this one was chosen.
cc @lukpueh @joshuagl @trishankatdatadog