Open awwad opened 7 years ago
From @vladimir-v-diaz on March 7, 2017 20:58
An idea we've entertained in the past is providing a tool that can be used for conformance testing with the specification. More information on conformance testing and how it can be done in TUF/Uptane is available in a pending TAP (TUF Augmentation Proposal): https://github.com/theupdateframework/taps/blob/tap7/tap7.md
From @vladimir-v-diaz on March 7, 2017 21:0
@awwad has provided setup notes on an attack we can show for the Uptane demo:
Compromised Director -- try rollback (fail; Defended w/ Sound Effect)
(?) Update Director key -- all is well, normal update (Updated screen, sound effect)
Compromise Supplier -- arbitrary package attack fails (Defended, sound effect)
Also Compromise Director -- arbitrary package attack succeeds (Compromised, cackling witch)
Update keys for Supplier (some button on the attack interface)
Restore Primary & Secondary (I guess clean_slate() --- command delivered on command line?)
Press button to build (same) evil Director bundle again -- arbitrary package attack now fails (even with malicious Director)
Not an attack - that was a sketch of multiple attacks from some emails Justin and I had exchanged.
The attacks in that list are basically:
Recovery steps are included for a few of those.
The eventual goal is to cover in the demo each of the attacks you've described.
From @vladimir-v-diaz on March 8, 2017 15:30
Including another sketch provided by @awwad.
(Note that the ECUs are continuously updating, to no effect.)
1. Assign normal update (Updated screen, sound effect)
2. MITM - Arbitrary fails (*) (fake Director -- wifi icon on OEM/Director Interface? wifi emoji in script button "MITM")
3. Compromised Director -- try rollback (fail; Defended w/ Sound Effect)
4. (?) Update Director key -- all is well, normal update (Updated screen, sound effect)
5. Compromise Supplier -- arbitrary package attack fails (Defended, sound effect)
6. Also Compromise Director -- arbitrary package attack succeeds (Compromised, cackling witch)
7. Update keys for Supplier (some button on the attack interface)
8. Restore Primary & Secondary (I guess clean_slate() --- command delivered on command line?)
9. Press button to build (same) evil Director bundle again -- arbitrary package attack now fails (even with malicious Director)
While the attack scheme described is now covered in the existing demo, there are always more attacks that can be added, including some from the list at the top of this issue.
From @vladimir-v-diaz on March 7, 2017 20:58
Uptane's reference implementation should provide scripts, or tests, that verify protection against the attacks covered in the Uptane Design Overview.
Section 7.3 of the design overview document lists the following attacks:
In addition, the attacks blocked by TUF should also be shown to be prevented by Uptane. Other attacks not listed in the design document include:
References: (1) blocking malicious attacks in the TUF reference implementation.
(2) TUF unit tests that demonstrate prevention of known updater attacks (they end in _attack.py)
Copied from original issue: awwad/uptane#33
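The attack sequence sketched in this thread (rollback by a compromised Director, arbitrary package with one or both repositories compromised, then Supplier key rotation) can be modeled as a small script. This is an added example, not code from the Uptane reference implementation or from the thread's participants. It assumes HMAC-SHA256 in place of the repositories' signatures and one shared metadata record in place of separate Director and Supplier metadata; all keys, images and names (`Ecu`, `make_bundle`, `run_demo`) are constructed for illustration.

```python
import hashlib, hmac, json

def sign(key, meta):
    # Assumption: HMAC-SHA256 stands in for a repository's asymmetric signature.
    msg = json.dumps(meta, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_bundle(director_key, supplier_key, image, version):
    # Whoever holds a repository's key can make that repository vouch for an image.
    meta = {"sha256": hashlib.sha256(image).hexdigest(), "version": version}
    return {"image": image, "meta": meta,
            "director": sign(director_key, meta),
            "supplier": sign(supplier_key, meta)}

class Ecu:
    """Toy client: one trusted key per repository plus the installed version."""
    def __init__(self, director_key, supplier_key):
        self.trusted = {"director": director_key, "supplier": supplier_key}
        self.installed_version = 0

    def try_install(self, bundle):
        meta = bundle["meta"]
        for role, key in self.trusted.items():  # both repositories must vouch
            if not hmac.compare_digest(sign(key, meta), bundle[role]):
                return "Defended: bad %s signature" % role
        if hashlib.sha256(bundle["image"]).hexdigest() != meta["sha256"]:
            return "Defended: image hash mismatch"
        if meta["version"] < self.installed_version:
            return "Defended: rollback"
        self.installed_version = meta["version"]
        return "Updated"

def run_demo():
    # Constructed keys and images; "stolen" means the attacker signs with that key.
    d_key, s_key, s_key2, junk = b"director-1", b"supplier-1", b"supplier-2", b"no-key"
    ecu, results = Ecu(d_key, s_key), []
    old = make_bundle(d_key, s_key, b"firmware v1", 1)
    ecu.try_install(old)                                   # initial install
    results.append(ecu.try_install(make_bundle(d_key, s_key, b"firmware v2", 2)))
    results.append(ecu.try_install(old))                   # Director replays old release
    results.append(ecu.try_install(make_bundle(junk, s_key, b"evil", 3)))  # Supplier only
    evil = make_bundle(d_key, s_key, b"evil", 3)           # Director and Supplier stolen
    results.append(ecu.try_install(evil))                  # accepted: the compromise case
    ecu = Ecu(d_key, s_key2)                               # clean slate, Supplier key rotated
    results.append(ecu.try_install(evil))                  # same evil bundle again
    return results

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The fourth result is "Updated" because the client cannot tell a doubly signed malicious image from a genuine one; only the key rotation in the last step restores the defense.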