
Commit f50f522

Clarify recovery from ffwd on delegated targets
Akin to the recovery from fast-forward attacks on the top-level targets role, if a delegated targets role has been compromised, the previously trusted delegated targets metadata and the previously trusted snapshot metadata must be deleted. This must happen so that the rollback attack check (*), which makes sure that the version number of the new delegated targets is higher than (or equal to) that of the old, does not prevent updates after an ffwd attack. For the top-level targets metadata, ffwd recovery logic is performed based on key removals in the root metadata and thus can happen before downloading the snapshot metadata. For delegated targets, on the other hand, where the keys are defined by delegating targets role(s) and not in the root metadata, ffwd recovery logic can only be performed after the delegating targets have been downloaded.

(*) Note that there are two targets role rollback checks. One is based on the snapshot metadata, to fail early, i.e. before a potentially compromised (delegated) targets metadata is downloaded, and the other is based directly on the (delegated) targets metadata, so that an attacker needs to compromise snapshot and (delegated) targets keys to successfully perform a rollback attack.

This commit updates the client workflow according to the above observations.
1 parent 9cbeb2a commit f50f522


1 file changed

+32
-21
lines changed


tuf-spec.md

Lines changed: 32 additions & 21 deletions
@@ -1198,14 +1198,13 @@ non-volatile storage as FILENAME.EXT.
11981198
metadata file, discard it, abort the update cycle, and report the potential
11991199
rollback attack.
12001200

1201-
* **3.3.3**. The version number of the targets metadata file, and all
1202-
delegated targets metadata files (if any), in the trusted snapshot metadata
1203-
file, if any, MUST be less than or equal to its version number in the new
1204-
snapshot metadata file. Furthermore, any targets metadata filename that was
1205-
listed in the trusted snapshot metadata file, if any, MUST continue to be
1206-
listed in the new snapshot metadata file. If any of these conditions are
1207-
not met, discard the new snaphot metadadata file, abort the update cycle,
1208-
and report the failure.
1201+
* **3.3.3**. The version number of the top-level targets metadata file, in
1202+
the trusted snapshot metadata file, if any, MUST be less than or equal to
1203+
its version number in the new snapshot metadata file. Furthermore, any
1204+
targets metadata filename that was listed in the trusted snapshot metadata
1205+
file, if any, MUST continue to be listed in the new snapshot metadata file.
1206+
If any of these conditions are not met, discard the new snaphot metadadata
1207+
file, abort the update cycle, and report the failure.
12091208

12101209
* **3.4**. **Check for a freeze attack.** The latest known time should be
12111210
lower than the expiration timestamp in the new snapshot metadata file. If
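Review bot: the typo from the old text is carried over into the rewritten 3.3.3 at line 1206 ("discard the new snaphot metadadata"); since these lines are being rewritten anyway, correct it to "discard the new snapshot metadata file". Also, now that delegated targets are dropped from this version comparison, the only snapshot-level protection delegated roles keep at this step is the requirement that every filename from the old snapshot metadata remains listed; a short cross-reference to the new delegated check in 4.5.2.3 would tell a reader where the delegated version comparison went.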
@@ -1264,7 +1263,18 @@ non-volatile storage as FILENAME.EXT.
12641263
* **4.5.2.1**. Let DELEGATE denote the current target role TARGETS is
12651264
delegating to.
12661265

1267-
* **4.5.2.2**. **Download the DELEGATE targets metadata file**, up to either
1266+
* **4.5.2.2**. **Fast-forward attack recovery.** If a threshold of
1267+
delegated targets keys for the current delegation are removed from the
1268+
TARGETS metadata, delete the trusted DELEGATE metadata, if any, and the
1269+
previously trusted snapshot metadata.
1270+
1271+
* **4.5.2.3**. **Check for a rollback attack via snapshot.** The version number of the
1272+
DELEGATE metadata in the previous trusted snapshot metadata, if any, MUST
1273+
be less than or equal to its version number in the new trusted snapshot
1274+
metadata. If this is not the case, abort the update cycle, and report the
1275+
potential rollback attack.
1276+
1277+
* **4.5.2.4**. **Download the DELEGATE targets metadata file**, up to either
12681278
the number of bytes specified in the snapshot metadata file, or some Z
12691279
number of bytes. The value for Z is set by the authors of the application
12701280
using TUF. For example, Z may be tens of kilobytes. IF DELEGATE cannot be
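Review bot: in 4.5.2.2, deleting "the previously trusted snapshot metadata" when one delegation's keys are rotated also removes the baseline for the 4.5.2.3 rollback check of every other delegation visited later in the same update cycle (that check is conditional on the previous snapshot existing, "if any"), so a fast-forwarded sibling delegation would no longer be caught. Consider discarding only the DELEGATE entry (its version number) of the previously trusted snapshot metadata rather than the whole file. Two smaller points in the same hunk: the condition "removed from the TARGETS metadata" should say what the keys are compared against (the previously trusted TARGETS metadata, if any, mirroring the root-based recovery for the top-level role), and 4.5.2.3 should say how the "previous trusted snapshot metadata" is still available given that the new snapshot metadata became the trusted one in step 3. Grammar and style: "a threshold of ... keys ... are removed" should read "is removed", and the 4.5.2.3 heading line overruns the wrap width used elsewhere in the file.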
@@ -1277,39 +1287,40 @@ non-volatile storage as FILENAME.EXT.
12771287
in the snapshot metadata file. In either case, the client MUST write the
12781288
file to non-volatile storage as FILENAME.EXT.
12791289

1280-
* **4.5.2.3**. **Check against snapshot metadata.** The hashes (if any), and
1290+
* **4.5.2.5**. **Check against snapshot metadata.** The hashes (if any), and
12811291
version number of the new DELEGATE metadata file MUST match the trusted
1282-
snapshot metadata. This is done, in part, to prevent a mix-and-match
1292+
snapshot metadata, if any. This is done, in part, to prevent a mix-and-match
12831293
attack by man-in-the-middle attackers. If the new DELEGATE metadata file
12841294
does not match, abort the update cycle, and report the failure.
12851295

1286-
* **4.5.2.4**. **Check for an arbitrary software attack.** The new DELEGATE
1296+
* **4.5.2.6**. **Check for an arbitrary software attack.** The new DELEGATE
12871297
metadata file MUST have been signed by a threshold of keys specified in the
12881298
TARGETS metadata file. If the new DELEGATE metadata file is not signed
12891299
as required, abort the update cycle, and report the failure.
12901300

1291-
* **4.5.2.5**. **Check for a rollback attack.** The version number of the
1292-
trusted DELEGATE metadata file, if any, MUST be less than or equal to the
1293-
version number of the new DELEGATE metadata file. If the new DELEGATE
1294-
metadata file is older than the trusted DELEGATE metadata file, discard
1295-
it, abort the update cycle, and report the potential rollback attack.
1301+
* **4.5.2.7**. **Check for a rollback attack on the DELEGATE metadata.**
1302+
The version number of the trusted DELEGATE metadata file, if any, MUST be
1303+
less than or equal to the version number of the new DELEGATE metadata
1304+
file. If the new DELEGATE metadata file is older than the trusted
1305+
DELEGATE metadata file abort the update cycle, and report the potential
1306+
rollback attack.
12961307

1297-
* **4.5.2.6**. **Check for a freeze attack.** The latest known time
1308+
* **4.5.2.8**. **Check for a freeze attack.** The latest known time
12981309
should be lower than the expiration timestamp in the new DELEGATE
12991310
metadata file. If so, the new DELEGATE file becomes the trusted DELEGATE
13001311
file. If the new DELEGATE metadata file is expired, abort the update
13011312
cycle, and report the potential freeze attack.
13021313

1303-
* **4.5.2.7**. If the current delegation is a multi-role delegation,
1314+
* **4.5.2.9**. If the current delegation is a multi-role delegation,
13041315
recursively visit each role, and check that each has signed exactly the
13051316
same non-custom metadata (i.e., length and hashes) about the target (or
13061317
the lack of any such metadata). Otherwise, abort the update cycle, and
13071318
report the failure.
13081319

1309-
* **4.5.2.8**. If the current delegation is a terminating delegation,
1320+
* **4.5.2.10**. If the current delegation is a terminating delegation,
13101321
then jump to step 5.
13111322

1312-
* **4.5.2.9**. Otherwise, if the current delegation is a non-terminating
1323+
* **4.5.2.11**. Otherwise, if the current delegation is a non-terminating
13131324
delegation, continue processing the next delegation, if any, by repeating
13141325
step 4.5 with DELEGATE as the current TARGET role. Stop the search, and
13151326
jump to step 5 as soon as a delegation returns a result.
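Review bot: 4.5.2.7 drops the "discard it" that the old 4.5.2.5 had, although 4.5.2.4 has just written the new DELEGATE file to non-volatile storage as FILENAME.EXT, so an older file that fails this check would be left on disk; suggest keeping "discard it, abort the update cycle, and report the potential rollback attack", as 3.3.2 does at the top of this diff. The added ", if any" in 4.5.2.5 is unclear, since by step 4 the new snapshot metadata is always trusted and 4.5.2.4 already relies on it listing DELEGATE; either drop it or state what it is conditional on. Minor: a comma is missing in 4.5.2.7 before "abort" ("... than the trusted DELEGATE metadata file, abort the update cycle ...").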
