awwad / uptane

Uptane, security framework for automotive updates
https://uptane.github.io/
MIT License

Demo: Demonstrate protection against known Uptane attacks #33

Closed vladimir-v-diaz closed 7 years ago

vladimir-v-diaz commented 7 years ago

Uptane's reference implementation should provide scripts, or tests, that verify protection against the attacks covered in the Uptane Design Overview.

Section 7.3 of the design overview document lists the following attacks:

Eavesdrop
Drop-request
Slow retrieval
Freeze
Partial bundle installation
Rollback
Endless data
Mix-and-match
Arbitrary software
Remote exploit

In addition, the attacks blocked by TUF should also be shown to be prevented by Uptane. Other attacks not listed in the design document include:

Fast-forward
Extraneous
Wrong software installation
Vulnerability to key compromises

References: (1) blocking malicious attacks in the TUF reference implementation.

(2) TUF unit tests that demonstrate prevention of known updater attacks (they end in _attack.py)

vladimir-v-diaz commented 7 years ago

An idea we've entertained in the past is providing a tool that can be used for conformance testing with the specification. More information on conformance testing and how it can be done in TUF/Uptane is available in a pending TAP (TUF Augmentation Proposal): https://github.com/theupdateframework/taps/blob/tap7/tap7.md

vladimir-v-diaz commented 7 years ago

@awwad has provided setup notes on an attack we can show for the Uptane demo:

Compromised Director -- try rollback (fail; Defended w/ Sound Effect)

(?) Update Director key -- all is well, normal update (Updated screen, sound effect)

Compromise Supplier -- arbitrary package attack fails (Defended, sound effect)

Also Compromise Director -- arbitrary package attack succeeds (Compromised, cackling witch)

Update keys for Supplier (some button on the attack interface)

Restore Primary & Secondary (I guess clean_slate() --- command delivered on command line?)

Press button to build (same) evil Director bundle again -- arbitrary package attack now fails (even with malicious Director)

awwad commented 7 years ago

Not an attack - that was a sketch of multiple attacks from some emails Justin and I had exchanged.

The attacks in that list are basically:

  1. Rollback attack w/ compromised Director
  2. Arbitrary package attack w/ compromised Image Repository
  3. Arbitrary package attack w/ compromised Image Repository and compromised Director (successful attack)

Recovery steps are included for a few of those.

The eventual goal is to cover in the demo each of the attacks you've described.

vladimir-v-diaz commented 7 years ago

Including another sketch provided by @awwad.

(Note that the ECUs are continuously updating, to no effect.)

1. Assign normal update (Updated screen, sound effect)
2. MITM - Arbitrary fails (*) (fake Director -- wifi icon on OEM/Director Interface? wifi emoji in script button "MITM")
3. Compromised Director -- try rollback (fail; Defended w/ Sound Effect)
4. (?) Update Director key -- all is well, normal update (Updated screen, sound effect)
5. Compromise Supplier -- arbitrary package attack fails (Defended, sound effect)
6. Also Compromise Director -- arbitrary package attack succeeds (Compromised, cackling witch)
7. Update keys for Supplier (some button on the attack interface)
8. Restore Primary & Secondary (I guess clean_slate() --- command delivered on command line?)
9. Press button to build (same) evil Director bundle again -- arbitrary package attack now fails (even with malicious Director)
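The two sketches above (the three attacks awwad lists and the nine-step demo script) all turn on the same ECU-side checks: metadata from the Director and the Image repository must each carry a valid signature, the Director metadata version and the image release counter must not go backwards, and both repositories must agree on the hash and length of the target before the downloaded bytes are accepted. The following Python model is an added illustration written for this thread, not code from the Uptane reference implementation or from its demo; it replays the sketched scenarios against a single ECU. Repository keys, firmware bytes, filenames and the `ECU-1` serial are all constructed, and HMAC-SHA256 tags stand in for the asymmetric signatures real Uptane metadata carries.

```python
"""Toy model of the full-verification rules an Uptane ECU applies.

Added illustration for this thread, not Uptane reference code. HMAC-SHA256
tags stand in for real metadata signatures; all keys, images and names are
constructed.
"""
import hashlib
import hmac
import json
import os

# Constructed repository keys. Full verification needs metadata from BOTH the
# Director and the Image repository, each signed with its own key.
KEYS = {"director": b"director-key (constructed)", "image": b"image-repo-key (constructed)"}

# Constructed firmware images for one ECU.
OLD, GOOD, EVIL = b"fw release 1 (constructed)", b"fw release 2 (constructed)", b"fw w/ backdoor (constructed)"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def sign(repo, signed):
    """Wrap metadata in a signed envelope using the named repository's current key."""
    canonical = json.dumps(signed, sort_keys=True).encode()
    return {"signed": signed, "sig": hmac.new(KEYS[repo], canonical, hashlib.sha256).hexdigest()}


def verify_sig(repo, envelope):
    canonical = json.dumps(envelope["signed"], sort_keys=True).encode()
    expected = hmac.new(KEYS[repo], canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["sig"])


def entry(data, release_counter):
    return {"sha256": sha256(data), "length": len(data), "release_counter": release_counter}


def director_md(version, ecu, filepath, data, release_counter):
    """Director targets metadata: a per-ECU assignment, signed with the Director key."""
    targets = {ecu: dict(entry(data, release_counter), filepath=filepath)}
    return sign("director", {"version": version, "targets": targets})


def image_md(images):
    """Image repository targets metadata from {filepath: (data, release_counter)}."""
    return sign("image", {"targets": {fp: entry(d, rc) for fp, (d, rc) in images.items()}})


class ECU:
    def __init__(self, serial):
        self.serial = serial
        self.director_version = 0  # highest Director targets version accepted so far
        self.release_counter = 0   # release counter of the installed image

    def full_verify(self, director, image, image_bytes):
        """Return (ok, reason); ok means every check passed and the image was 'installed'."""
        # Signatures first: a MITM without repository keys cannot alter metadata.
        if not verify_sig("director", director):
            return False, "director signature invalid"
        if not verify_sig("image", image):
            return False, "image repository signature invalid"
        d = director["signed"]
        # Director metadata version must increase (freeze/rollback of the metadata).
        if d["version"] <= self.director_version:
            return False, "director metadata version not newer than last trusted"
        target = d["targets"].get(self.serial)
        if target is None:
            return False, "no target assigned to this ECU"
        # Release counter must not go backwards (rollback of the image itself).
        if target["release_counter"] < self.release_counter:
            return False, "release counter lower than installed image"
        # Both repositories must agree on hash and length (mix-and-match, arbitrary package).
        img = image["signed"]["targets"].get(target["filepath"])
        if img is None or (img["sha256"], img["length"]) != (target["sha256"], target["length"]):
            return False, "director and image repository disagree on target"
        # The downloaded bytes must match the agreed metadata.
        if len(image_bytes) != target["length"] or sha256(image_bytes) != target["sha256"]:
            return False, "downloaded image does not match metadata"
        self.director_version, self.release_counter = d["version"], target["release_counter"]
        return True, "installed"


def run_scenarios():
    """Replay the attacks sketched in this thread against one ECU; returns {scenario: reason}."""
    r, ecu = {}, ECU("ECU-1")
    honest_image = image_md({"fw_old.bin": (OLD, 1), "fw.bin": (GOOD, 2)})
    # 1. Normal update: both repositories agree on the good image.
    r["normal update"] = ecu.full_verify(director_md(1, "ECU-1", "fw.bin", GOOD, 2), honest_image, GOOD)[1]
    # 2. MITM without keys rewrites already-signed Director metadata to point at EVIL.
    mitm = director_md(2, "ECU-1", "fw.bin", GOOD, 3)
    mitm["signed"]["targets"]["ECU-1"].update(sha256=sha256(EVIL), length=len(EVIL))
    r["mitm arbitrary"] = ecu.full_verify(mitm, honest_image, EVIL)[1]
    # 3. Compromised Director (holds the key) assigns the older, legitimately hosted image.
    r["director rollback"] = ecu.full_verify(director_md(2, "ECU-1", "fw_old.bin", OLD, 1), honest_image, OLD)[1]
    # 4. Compromised Image repository alone serves EVIL as fw.bin; the Director still says GOOD.
    evil_image = image_md({"fw.bin": (EVIL, 3)})
    r["image repo arbitrary"] = ecu.full_verify(director_md(2, "ECU-1", "fw.bin", GOOD, 3), evil_image, EVIL)[1]
    # 5. Both repositories compromised: the checks agree on EVIL and the attack succeeds.
    evil_director = director_md(2, "ECU-1", "fw.bin", EVIL, 3)
    r["both compromised"] = ecu.full_verify(evil_director, evil_image, EVIL)[1]
    # 6. Recovery: rotate the Image repository key, reset the ECU, replay the same evil bundle.
    KEYS["image"] = os.urandom(32)
    ecu = ECU("ECU-1")
    r["replay after key rotation"] = ecu.full_verify(evil_director, evil_image, EVIL)[1]
    return r


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:28} -> {outcome}")
```

Scenario 5 is the one the thread marks as a successful attack: once both repositories are compromised, the ECU has no independent source of truth left, which is why the sketch follows it with key rotation and a clean slate rather than another check. Scenario 6 shows the same evil bundle failing afterwards because the Image repository signature no longer verifies, even though the Director key is still in the attacker's hands.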

awwad commented 7 years ago

This issue was moved to uptane/uptane#26