Commit ca2fb96

Clarify recovery from ffwd on delegated targets
Akin to the recovery from fast-forward attacks on the top-level targets role, if a delegated targets role has been compromised, the previously trusted delegated targets metadata and the previously trusted snapshot metadata must be deleted. This must happen so that the rollback attack check (*), which makes sure that the version number of the new delegated targets is higher than (or equal to) that of the old, does not prevent updates after an ffwd attack.

For the top-level targets metadata, ffwd recovery logic is performed based on key removals in the root metadata and thus can happen before downloading the snapshot metadata. For delegated targets, on the other hand, where the keys are defined by the delegating targets role(s) and not in the root metadata, ffwd recovery logic can only be performed after the delegating targets have been downloaded.

(*) Note that there are two targets role rollback checks. One is based on the snapshot metadata, to fail early, i.e. before a potentially compromised (delegated) targets metadata is downloaded, and the other is based directly on the (delegated) targets metadata, so that an attacker needs to compromise snapshot and (delegated) targets keys to successfully perform a rollback attack.

This commit updates the client workflow according to the above observations.
1 parent 9a5fd8c commit ca2fb96
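The workflow the commit message describes (fast-forward recovery, the early snapshot-based rollback check, then the checks on the downloaded DELEGATE metadata) modelled as an added example. This is not code from the TUF specification or from any TUF implementation; it assumes a toy representation in which signatures are the set of key ids that verified, with no real cryptography, and the role name `pkgs`, key ids `k_old`/`k_new`/`k1` and version numbers are constructed sample data.

```python
"""Toy model of delegated-targets steps 4.5.2.2 to 4.5.2.7 after this commit.
Added example, not TUF spec or python-tuf code; signatures are modelled as
the set of key ids that signed (constructed), with no real crypto.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


class UpdateAborted(Exception):
    """Any check that aborts the update cycle raises this."""


@dataclass
class Snapshot:
    version: int
    meta: Dict[str, int]          # role name -> version listed in snapshot


@dataclass
class DelegateMeta:
    role: str
    version: int
    signed_by: Set[str]           # key ids whose signatures verified


@dataclass
class Delegation:
    """Keys and threshold the delegating TARGETS role assigns to DELEGATE."""
    keyids: Set[str]
    threshold: int


@dataclass
class ClientState:
    trusted_snapshot: Snapshot                    # verified in step 3 this cycle
    previous_snapshot: Optional[Snapshot]         # trusted before this cycle
    trusted_delegates: Dict[str, DelegateMeta] = field(default_factory=dict)
    previous_delegations: Dict[str, Delegation] = field(default_factory=dict)


def update_delegate(state: ClientState, role: str, delegation: Delegation,
                    fetch: Callable[[str], DelegateMeta]) -> DelegateMeta:
    # 4.5.2.2 ffwd recovery: a threshold of the keys previously assigned to
    # this delegation was removed, so forget the trusted DELEGATE metadata
    # and the previously trusted snapshot (both may carry an inflated version).
    old = state.previous_delegations.get(role)
    if old is not None and len(old.keyids - delegation.keyids) >= old.threshold:
        state.trusted_delegates.pop(role, None)
        state.previous_snapshot = None

    # 4.5.2.3 rollback check via snapshot, before anything is downloaded.
    prev = state.previous_snapshot
    if prev is not None and role in prev.meta:
        if prev.meta[role] > state.trusted_snapshot.meta[role]:
            raise UpdateAborted("rollback via snapshot")

    new = fetch(role)                                           # 4.5.2.4

    if new.version != state.trusted_snapshot.meta[role]:        # 4.5.2.5
        raise UpdateAborted("mix-and-match: version not in snapshot")
    if len(new.signed_by & delegation.keyids) < delegation.threshold:  # 4.5.2.6
        raise UpdateAborted("not signed by a threshold of delegated keys")
    trusted = state.trusted_delegates.get(role)                 # 4.5.2.7
    if trusted is not None and new.version < trusted.version:
        raise UpdateAborted("rollback: new DELEGATE older than trusted")

    state.trusted_delegates[role] = new
    state.previous_delegations[role] = delegation
    return new


def ffwd_recovery_scenario(rotate_keys: bool) -> Optional[int]:
    """Constructed: a compromised key k_old once published 'pkgs' at version 999.
    The repository rotates to k_new and publishes version 6. Returns the
    accepted version, or None when the update cycle aborts."""
    state = ClientState(
        trusted_snapshot=Snapshot(version=11, meta={"pkgs": 6}),
        previous_snapshot=Snapshot(version=10, meta={"pkgs": 999}),
        trusted_delegates={"pkgs": DelegateMeta("pkgs", 999, {"k_old"})},
        previous_delegations={"pkgs": Delegation({"k_old"}, 1)},
    )
    signer = "k_new" if rotate_keys else "k_old"
    delegation = Delegation({signer}, 1)
    try:
        return update_delegate(state, "pkgs", delegation,
                               lambda r: DelegateMeta(r, 6, {signer})).version
    except UpdateAborted:
        return None


def rollback_scenario() -> Tuple[Optional[int], int]:
    """Constructed: no key change, but the new snapshot lists an older 'pkgs'
    version than the previous one. Returns (accepted version, downloads)."""
    state = ClientState(
        trusted_snapshot=Snapshot(version=12, meta={"pkgs": 4}),
        previous_snapshot=Snapshot(version=11, meta={"pkgs": 5}),
        trusted_delegates={"pkgs": DelegateMeta("pkgs", 5, {"k1"})},
        previous_delegations={"pkgs": Delegation({"k1"}, 1)},
    )
    downloads = []

    def fetch(role: str) -> DelegateMeta:
        downloads.append(role)
        return DelegateMeta(role, 4, {"k1"})

    try:
        accepted = update_delegate(state, "pkgs", Delegation({"k1"}, 1), fetch).version
    except UpdateAborted:
        accepted = None
    return accepted, len(downloads)


if __name__ == "__main__":
    print("ffwd, keys rotated:", ffwd_recovery_scenario(True))
    print("ffwd, no rotation:", ffwd_recovery_scenario(False))
    print("plain rollback:", rollback_scenario())
```

With the key rotation the recovery step clears the inflated version 999 and the legitimate version 6 is accepted; without it the snapshot-based check in 4.5.2.3 blocks the same update, which is exactly the situation the commit message says the recovery exists for. The plain rollback case aborts with zero downloads, showing the "fail early" property of the snapshot-based check.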

1 file changed

+32
-21
lines changed

tuf-spec.md

Lines changed: 32 additions & 21 deletions
@@ -1200,14 +1200,13 @@ non-volatile storage as FILENAME.EXT.
12001200
metadata file, discard it, abort the update cycle, and report the potential
12011201
rollback attack.
12021202

1203-
* **3.3.3**. The version number of the targets metadata file, and all
1204-
delegated targets metadata files (if any), in the trusted snapshot metadata
1205-
file, if any, MUST be less than or equal to its version number in the new
1206-
snapshot metadata file. Furthermore, any targets metadata filename that was
1207-
listed in the trusted snapshot metadata file, if any, MUST continue to be
1208-
listed in the new snapshot metadata file. If any of these conditions are
1209-
not met, discard the new snaphot metadadata file, abort the update cycle,
1210-
and report the failure.
1203+
* **3.3.3**. The version number of the top-level targets metadata file, in
1204+
the trusted snapshot metadata file, if any, MUST be less than or equal to
1205+
its version number in the new snapshot metadata file. Furthermore, any
1206+
targets metadata filename that was listed in the trusted snapshot metadata
1207+
file, if any, MUST continue to be listed in the new snapshot metadata file.
1208+
If any of these conditions are not met, discard the new snaphot metadadata
1209+
file, abort the update cycle, and report the failure.
12111210

12121211
* **3.4**. **Check for a freeze attack.** The latest known time should be
12131212
lower than the expiration timestamp in the new snapshot metadata file. If
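Review bot: the rewritten 3.3.3 (lines 1208+ and 1209+) keeps the misspelling "snaphot metadadata" from the old 1209- line; since the paragraph is being rewritten anyway, make it "snapshot metadata". Also, narrowing this step to the top-level targets file moves the early, snapshot-based rollback check for delegated roles entirely into 4.5.2.3 later in this patch; a short pointer here ("delegated targets are checked in step 4.5.2.3") would save a reader who expects to find that check in 3.3.3.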
@@ -1267,7 +1266,18 @@ non-volatile storage as FILENAME.EXT.
12671266
* **4.5.2.1**. Let DELEGATE denote the current target role TARGETS is
12681267
delegating to.
12691268

1270-
* **4.5.2.2**. **Download the DELEGATE targets metadata file**, up to either
1269+
* **4.5.2.2**. **Fast-forward attack recovery.** If a threshold of
1270+
delegated targets keys for the current delegation are removed from the
1271+
TARGETS metadata, delete the trusted DELEGATE metadata, if any, and the
1272+
previously trusted snapshot metadata.
1273+
1274+
* **4.5.2.3**. **Check for a rollback attack via snapshot.** The version number of the
1275+
DELEGATE metadata in the previous trusted snapshot metadata, if any, MUST
1276+
be less than or equal to its version number in the new trusted snapshot
1277+
metadata. If this is not the case, abort the update cycle, and report the
1278+
potential rollback attack.
1279+
1280+
* **4.5.2.4**. **Download the DELEGATE targets metadata file**, up to either
12711281
the number of bytes specified in the snapshot metadata file, or some Z
12721282
number of bytes. The value for Z is set by the authors of the application
12731283
using TUF. For example, Z may be tens of kilobytes. IF DELEGATE cannot be
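Review bot: 4.5.2.2 (lines 1269+ to 1272+) gives no baseline for "removed from the TARGETS metadata"; state that the threshold of removed keys is counted against the delegation in the previously trusted TARGETS metadata, otherwise "removed" is undefined on a first run. 4.5.2.3 (1274+ to 1278+) then compares the DELEGATE version in the "previous trusted snapshot metadata" with the "new trusted snapshot metadata", which only works if the client retains the snapshot it trusted before this cycle through the whole delegation walk, even though step 3 has already replaced it; the text should say so explicitly, especially since 4.5.2.2 tells the client to delete that same file in the recovery case and 4.5.2.3 silently relies on the "if any".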
@@ -1280,39 +1290,40 @@ non-volatile storage as FILENAME.EXT.
12801290
in the snapshot metadata file. In either case, the client MUST write the
12811291
file to non-volatile storage as FILENAME.EXT.
12821292

1283-
* **4.5.2.3**. **Check against snapshot metadata.** The hashes (if any), and
1293+
* **4.5.2.5**. **Check against snapshot metadata.** The hashes (if any), and
12841294
version number of the new DELEGATE metadata file MUST match the trusted
1285-
snapshot metadata. This is done, in part, to prevent a mix-and-match
1295+
snapshot metadata, if any. This is done, in part, to prevent a mix-and-match
12861296
attack by man-in-the-middle attackers. If the new DELEGATE metadata file
12871297
does not match, abort the update cycle, and report the failure.
12881298

1289-
* **4.5.2.4**. **Check for an arbitrary software attack.** The new DELEGATE
1299+
* **4.5.2.6**. **Check for an arbitrary software attack.** The new DELEGATE
12901300
metadata file MUST have been signed by a threshold of keys specified in the
12911301
TARGETS metadata file. If the new DELEGATE metadata file is not signed
12921302
as required, abort the update cycle, and report the failure.
12931303

1294-
* **4.5.2.5**. **Check for a rollback attack.** The version number of the
1295-
trusted DELEGATE metadata file, if any, MUST be less than or equal to the
1296-
version number of the new DELEGATE metadata file. If the new DELEGATE
1297-
metadata file is older than the trusted DELEGATE metadata file, discard
1298-
it, abort the update cycle, and report the potential rollback attack.
1304+
* **4.5.2.7**. **Check for a rollback attack on the DELEGATE metadata.**
1305+
The version number of the trusted DELEGATE metadata file, if any, MUST be
1306+
less than or equal to the version number of the new DELEGATE metadata
1307+
file. If the new DELEGATE metadata file is older than the trusted
1308+
DELEGATE metadata file abort the update cycle, and report the potential
1309+
rollback attack.
12991310

1300-
* **4.5.2.6**. **Check for a freeze attack.** The latest known time
1311+
* **4.5.2.8**. **Check for a freeze attack.** The latest known time
13011312
should be lower than the expiration timestamp in the new DELEGATE
13021313
metadata file. If so, the new DELEGATE file becomes the trusted DELEGATE
13031314
file. If the new DELEGATE metadata file is expired, abort the update
13041315
cycle, and report the potential freeze attack.
13051316

1306-
* **4.5.2.7**. If the current delegation is a multi-role delegation,
1317+
* **4.5.2.9**. If the current delegation is a multi-role delegation,
13071318
recursively visit each role, and check that each has signed exactly the
13081319
same non-custom metadata (i.e., length and hashes) about the target (or
13091320
the lack of any such metadata). Otherwise, abort the update cycle, and
13101321
report the failure.
13111322

1312-
* **4.5.2.8**. If the current delegation is a terminating delegation,
1323+
* **4.5.2.10**. If the current delegation is a terminating delegation,
13131324
then jump to step 5.
13141325

1315-
* **4.5.2.9**. Otherwise, if the current delegation is a non-terminating
1326+
* **4.5.2.11**. Otherwise, if the current delegation is a non-terminating
13161327
delegation, continue processing the next delegation, if any, by repeating
13171328
step 4.5 with DELEGATE as the current TARGET role. Stop the search, and
13181329
jump to step 5 as soon as a delegation returns a result.
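Review bot: line 1308+ dropped the comma that 1297- had: "DELEGATE metadata file abort the update cycle" should read "DELEGATE metadata file, abort the update cycle". Removing "discard it" from 1297- is a behaviour change rather than a renumbering: the old text told the client to discard the downloaded DELEGATE file on a rollback, the new 4.5.2.7 does not, while 3.3.3 in this same patch still says "discard the new ... file"; either keep "discard it" or explain why the delegated case differs. The "if any" added on 1295+ also looks misplaced: by step 4.5 the new snapshot metadata is trusted and the context line at 1290 relies on "the snapshot metadata file" unconditionally for the byte limit, so the trusted snapshot always exists here; if the qualifier was meant for the previously trusted snapshot deleted in 4.5.2.2, say "previously trusted snapshot metadata" instead.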
