
Commit 509fd21

Clarify recovery from ffwd on delegated targets
Akin to the recovery from fast-forward attacks on the top-level targets role, if a delegated targets role has been compromised, the previously trusted delegated targets metadata and the previously trusted snapshot metadata must be deleted. This must happen so that the rollback attack check (*), which makes sure that the version number of the new delegated targets is higher than (or equal to) that of the old, does not prevent updates after an ffwd attack. For the top-level targets metadata, ffwd recovery logic is performed based on key removals in the root metadata and thus can happen before downloading the snapshot metadata. For delegated targets, on the other hand, where the keys are defined by delegating targets role(s) and not in the root metadata, ffwd recovery logic can only be performed after the delegating targets have been downloaded.

(*) Note that there are two targets role rollback checks. One is based on the snapshot metadata, to fail early, i.e. before a potentially compromised (delegated) targets metadata is downloaded, and the other is based directly on the (delegated) targets metadata, so that an attacker needs to compromise snapshot and (delegated) targets keys to successfully perform a rollback attack.

This commit updates the client workflow according to the above observations.
1 parent 123c06c commit 509fd21
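As an added illustration of the recovery order the commit message describes (example code written for this page, not code from the TUF specification or any TUF client; role names, key ids and version numbers are constructed, and "a threshold of keys removed" is interpreted as at least `threshold` of the previously listed keyids disappearing):

```python
# Added example, not code from the TUF specification or any TUF client: a
# minimal model of steps 4.5.2.2, 4.5.2.3 and 4.5.2.7 for one delegated role.
# Download, length/hash and signature checks are assumed to happen elsewhere;
# "a threshold of keys removed" is interpreted (an assumption) as: at least
# `threshold` of the keyids the previously trusted delegation listed are gone.
from dataclasses import dataclass, field
from typing import Optional

class RollbackAttack(Exception):
    """Raised when a version number would move backwards."""

@dataclass
class ClientState:
    prev_snapshot: Optional[dict]          # role -> version in previously trusted snapshot
    trusted_delegates: dict = field(default_factory=dict)  # role -> trusted delegate version

def threshold_removed(old_delegation: dict, new_delegation: dict) -> bool:
    removed = set(old_delegation["keyids"]) - set(new_delegation["keyids"])
    return len(removed) >= old_delegation["threshold"]

def update_delegate(state, role, old_delegation, new_delegation, new_snapshot, new_version):
    """Return the version accepted as trusted for `role`, or raise RollbackAttack."""
    # 4.5.2.2 fast-forward recovery: forget stale state so that a legitimately
    # lower version published after a key rotation is not rejected as a rollback.
    if old_delegation is not None and threshold_removed(old_delegation, new_delegation):
        state.trusted_delegates.pop(role, None)
        state.prev_snapshot = None
    # 4.5.2.3 rollback check via snapshot: fails before the delegate is downloaded
    prev = (state.prev_snapshot or {}).get(role)
    if prev is not None and prev > new_snapshot[role]:
        raise RollbackAttack(f"{role}: snapshot lists v{new_snapshot[role]} < v{prev}")
    # 4.5.2.7 rollback check on the delegate metadata itself (assumed downloaded, signed)
    trusted = state.trusted_delegates.get(role)
    if trusted is not None and trusted > new_version:
        raise RollbackAttack(f"{role}: v{new_version} < trusted v{trusted}")
    state.trusted_delegates[role] = new_version
    return new_version

def scenario(rotate_keys: bool) -> str:
    """Constructed: a compromised 'pkgs' key pushed version 2**31-1; the delegating
    role then either rotates that key (enabling recovery) or leaves it in place."""
    state = ClientState(prev_snapshot={"pkgs": 2**31 - 1}, trusted_delegates={"pkgs": 2**31 - 1})
    old = {"keyids": ["k1"], "threshold": 1}
    new = {"keyids": ["k2"], "threshold": 1} if rotate_keys else old
    try:
        return f"accepted v{update_delegate(state, 'pkgs', old, new, {'pkgs': 1}, 1)}"
    except RollbackAttack as exc:
        return f"rejected: {exc}"
```

Without the key rotation the early snapshot check (4.5.2.3) rejects the legitimate version 1 as a rollback; with it, 4.5.2.2 clears the stale state first and the update is accepted.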

1 file changed

+32
-21
lines changed

tuf-spec.md

Lines changed: 32 additions & 21 deletions
@@ -1194,14 +1194,13 @@ non-volatile storage as FILENAME.EXT.
11941194
metadata file, discard it, abort the update cycle, and report the potential
11951195
rollback attack.
11961196

1197-
* **3.3.3**. The version number of the targets metadata file, and all
1198-
delegated targets metadata files (if any), in the trusted snapshot metadata
1199-
file, if any, MUST be less than or equal to its version number in the new
1200-
snapshot metadata file. Furthermore, any targets metadata filename that was
1201-
listed in the trusted snapshot metadata file, if any, MUST continue to be
1202-
listed in the new snapshot metadata file. If any of these conditions are
1203-
not met, discard the new snaphot metadadata file, abort the update cycle,
1204-
and report the failure.
1197+
* **3.3.3**. The version number of the top-level targets metadata file, in
1198+
the trusted snapshot metadata file, if any, MUST be less than or equal to
1199+
its version number in the new snapshot metadata file. Furthermore, any
1200+
targets metadata filename that was listed in the trusted snapshot metadata
1201+
file, if any, MUST continue to be listed in the new snapshot metadata file.
1202+
If any of these conditions are not met, discard the new snaphot metadadata
1203+
file, abort the update cycle, and report the failure.
12051204

12061205
* **3.4**. **Check for a freeze attack.** The latest known time should be
12071206
lower than the expiration timestamp in the new snapshot metadata file. If
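Review bot: the rewritten 3.3.3 paragraph carries over the misspellings "snaphot metadadata" in the line "If any of these conditions are not met, discard the new snaphot metadadata"; since the lines are being rewritten anyway, correct them to "snapshot metadata". Also, now that delegated targets files are no longer compared against the previous snapshot here, a reader of 3.3.3 alone will assume the check was dropped rather than moved; consider a brief pointer to the per-delegation check that this commit introduces as 4.5.2.3.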
@@ -1260,7 +1259,18 @@ non-volatile storage as FILENAME.EXT.
12601259
* **4.5.2.1**. Let DELEGATE denote the current target role TARGETS is
12611260
delegating to.
12621261

1263-
* **4.5.2.2**. **Download the DELEGATE targets metadata file**, up to either
1262+
* **4.5.2.2**. **Fast-forward attack recovery.** If a threshold of
1263+
delegated targets keys for the current delegation are removed from the
1264+
TARGETS metadata, delete the trusted DELEGATE metadata, if any, and the
1265+
previously trusted snapshot metadata.
1266+
1267+
* **4.5.2.3**. **Check for a rollback attack via snapshot.** The version number of the
1268+
DELEGATE metadata in the previous trusted snapshot metadata, if any, MUST
1269+
be less than or equal to its version number in the new trusted snapshot
1270+
metadata. If this is not the case, abort the update cycle, and report the
1271+
potential rollback attack.
1272+
1273+
* **4.5.2.4**. **Download the DELEGATE targets metadata file**, up to either
12641274
the number of bytes specified in the snapshot metadata file, or some Z
12651275
number of bytes. The value for Z is set by the authors of the application
12661276
using TUF. For example, Z may be tens of kilobytes. IF DELEGATE cannot be
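Review bot: 4.5.2.2 deletes "the previously trusted snapshot metadata" and 4.5.2.3 compares against "the previous trusted snapshot metadata", but by the time step 4 runs, 3.4 has already made the new snapshot the trusted one, so an implementation that overwrites the file in 3.4 has nothing left to compare against and the early check silently becomes a no-op. State explicitly that the client MUST retain the previously trusted snapshot metadata until delegation processing is finished, and use one term ("previously trusted") in both steps. Style: the first line of 4.5.2.3, "**Check for a rollback attack via snapshot.** The version number of the", runs past the wrap width used by every other line in this file; rewrap it.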
@@ -1273,39 +1283,40 @@ non-volatile storage as FILENAME.EXT.
12731283
in the snapshot metadata file. In either case, the client MUST write the
12741284
file to non-volatile storage as FILENAME.EXT.
12751285

1276-
* **4.5.2.3**. **Check against snapshot metadata.** The hashes (if any), and
1286+
* **4.5.2.5**. **Check against snapshot metadata.** The hashes (if any), and
12771287
version number of the new DELEGATE metadata file MUST match the trusted
1278-
snapshot metadata. This is done, in part, to prevent a mix-and-match
1288+
snapshot metadata, if any. This is done, in part, to prevent a mix-and-match
12791289
attack by man-in-the-middle attackers. If the new DELEGATE metadata file
12801290
does not match, abort the update cycle, and report the failure.
12811291

1282-
* **4.5.2.4**. **Check for an arbitrary software attack.** The new DELEGATE
1292+
* **4.5.2.6**. **Check for an arbitrary software attack.** The new DELEGATE
12831293
metadata file MUST have been signed by a threshold of keys specified in the
12841294
TARGETS metadata file. If the new DELEGATE metadata file is not signed
12851295
as required, abort the update cycle, and report the failure.
12861296

1287-
* **4.5.2.5**. **Check for a rollback attack.** The version number of the
1288-
trusted DELEGATE metadata file, if any, MUST be less than or equal to the
1289-
version number of the new DELEGATE metadata file. If the new DELEGATE
1290-
metadata file is older than the trusted DELEGATE metadata file, discard
1291-
it, abort the update cycle, and report the potential rollback attack.
1297+
* **4.5.2.7**. **Check for a rollback attack on the DELEGATE metadata.**
1298+
The version number of the trusted DELEGATE metadata file, if any, MUST be
1299+
less than or equal to the version number of the new DELEGATE metadata
1300+
file. If the new DELEGATE metadata file is older than the trusted
1301+
DELEGATE metadata file abort the update cycle, and report the potential
1302+
rollback attack.
12921303

1293-
* **4.5.2.6**. **Check for a freeze attack.** The latest known time
1304+
* **4.5.2.8**. **Check for a freeze attack.** The latest known time
12941305
should be lower than the expiration timestamp in the new DELEGATE
12951306
metadata file. If so, the new DELEGATE file becomes the trusted DELEGATE
12961307
file. If the new DELEGATE metadata file is expired, abort the update
12971308
cycle, and report the potential freeze attack.
12981309

1299-
* **4.5.2.7**. If the current delegation is a multi-role delegation,
1310+
* **4.5.2.9**. If the current delegation is a multi-role delegation,
13001311
recursively visit each role, and check that each has signed exactly the
13011312
same non-custom metadata (i.e., length and hashes) about the target (or
13021313
the lack of any such metadata). Otherwise, abort the update cycle, and
13031314
report the failure.
13041315

1305-
* **4.5.2.8**. If the current delegation is a terminating delegation,
1316+
* **4.5.2.10**. If the current delegation is a terminating delegation,
13061317
then jump to step 5.
13071318

1308-
* **4.5.2.9**. Otherwise, if the current delegation is a non-terminating
1319+
* **4.5.2.11**. Otherwise, if the current delegation is a non-terminating
13091320
delegation, continue processing the next delegation, if any, by repeating
13101321
step 4.5 with DELEGATE as the current TARGET role. Stop the search, and
13111322
jump to step 5 as soon as a delegation returns a result.
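Review bot: the rewritten 4.5.2.7 dropped both "discard it," and the comma, so it now reads "older than the trusted DELEGATE metadata file abort the update cycle"; restore "discard it, abort the update cycle, and report the potential rollback attack" to match the wording of 3.3.2 above ("discard it, abort the update cycle, and report the potential rollback attack"). Separately, the ", if any" added to 4.5.2.5 ("MUST match the trusted snapshot metadata, if any") reads as if the hash/version comparison could be skipped, yet the snapshot matched here is the new trusted snapshot that 4.5.2.3 and the size limit in 4.5.2.4 already assume exists; if the qualifier is meant for the optional hashes it is already attached to "hashes (if any)", so drop it from the snapshot clause.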
