uptane / obsolete-reference-implementation

⚠️⚠️⚠️ Obsolete ⚠️⚠️⚠️ — This repository contains a reference implementation of a pre-1.0 version of the Uptane Standard and should not be used
https://uptane.github.io
MIT License

Demo: Demonstrate protection against known Uptane attacks #26

Open awwad opened 7 years ago

awwad commented 7 years ago

From @vladimir-v-diaz on March 7, 2017 20:58

Uptane's reference implementation should provide scripts, or tests, that verify protection against the attacks covered in the Uptane Design Overview.

Section 7.3 of the design overview document lists the following attacks:

Eavesdrop
Drop-request
Slow retrieval
Freeze
Partial bundle installation
Rollback
Endless data
Mix-and-match
Arbitrary software
Remote exploit

In addition, the attacks blocked by TUF should also be shown to be prevented by Uptane. Other attacks not listed in the design document include:

Fast-forward
Extraneous
Wrong software installation
Vulnerability to key compromises

References: (1) blocking malicious attacks in the TUF reference implementation.

(2) TUF unit tests that demonstrate prevention of known updater attacks (they end in _attack.py)

Copied from original issue: awwad/uptane#33

awwad commented 7 years ago

From @vladimir-v-diaz on March 7, 2017 20:58

An idea we've entertained in the past is providing a tool that can be used for conformance testing with the specification. More information on conformance testing and how it can be done in TUF/Uptane is available in a pending TAP (TUF Augmentation Proposal): https://github.com/theupdateframework/taps/blob/tap7/tap7.md

awwad commented 7 years ago

From @vladimir-v-diaz on March 7, 2017 21:0

@awwad has provided setup notes on an attack we can show for the Uptane demo:

Compromised Director -- try rollback (fail; Defended w/ Sound Effect)

(?) Update Director key -- all is well, normal update (Updated screen, sound effect)

Compromise Supplier -- arbitrary package attack fails (Defended, sound effect)

Also Compromise Director -- arbitrary package attack succeeds (Compromised, cackling witch)

Update keys for Supplier (some button on the attack interface)

Restore Primary & Secondary (I guess clean_slate() --- command delivered on command line?)

Press button to build (same) evil Director bundle again -- arbitrary package attack now fails (even with malicious Director)

awwad commented 7 years ago

Not an attack - that was a sketch of multiple attacks from some emails Justin and I had exchanged.

The attacks in that list are basically:

  1. Rollback attack w/ compromised Director
  2. Arbitrary package attack w/ compromised Image Repository
  3. Arbitrary package attack w/ compromised Image Repository and compromised Director (successful attack)

Recovery steps are included for a few of those.

The eventual goal is to cover in the demo each of the attacks you've described.

awwad commented 7 years ago

From @vladimir-v-diaz on March 8, 2017 15:30

Including another sketch provided by @awwad.

(Note that the ECUs are continuously updating, to no effect.)

    1. Assign normal update (Updated screen, sound effect)
    2. MITM - Arbitrary fails (*) (fake Director -- wifi icon on OEM/Director Interface? wifi emoji in script button "MITM")
    3. Compromised Director -- try rollback (fail; Defended w/ Sound Effect)
    4. (?) Update Director key -- all is well, normal update (Updated screen, sound effect)
    5. Compromise Supplier -- arbitrary package attack fails (Defended, sound effect)
    6. Also Compromise Director -- arbitrary package attack succeeds (Compromised, cackling witch)
    7. Update keys for Supplier (some button on the attack interface)
    8. Restore Primary & Secondary (I guess clean_slate() --- command delivered on command line?)
    9. Press button to build (same) evil Director bundle again -- arbitrary package attack now fails (even with malicious Director)

awwad commented 7 years ago

While the attack scheme described is now covered in the existing demo, there are always more attacks that can be added, including some from the list at the top of this issue.
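
The outcomes in the demo sketches above (rollback with a compromised Director, arbitrary package with a compromised Image Repository, the same with both compromised, and the retry after the Supplier keys are updated) can be modelled in a few lines. This is an added example, not part of the issue thread or of the Uptane reference implementation. Assumptions: HMAC with constructed keys stands in for real metadata signatures, and the `counter` field and all function names are hypothetical.

```python
import hashlib, hmac, json

# HMAC with constructed demo keys stands in for the public-key signatures on real metadata.
DIRECTOR_KEY, IMAGE_KEY = b"demo-director-key", b"demo-image-repo-key"

def sign(key, signed):
    blob = json.dumps(signed, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def metadata(key, name, counter, image):
    signed = {"name": name, "counter": counter, "length": len(image),
              "sha256": hashlib.sha256(image).hexdigest()}
    return {"signed": signed, "sig": sign(key, signed)}

def verify(director_md, image_md, image, installed_counter, trusted):
    """Model of the checks an ECU runs before installing; returns a verdict string."""
    for role, md in (("director", director_md), ("image_repo", image_md)):
        if not hmac.compare_digest(md["sig"], sign(trusted[role], md["signed"])):
            return f"defended: bad {role} signature"
    target = director_md["signed"]
    if target != image_md["signed"]:  # both repositories must describe the same image
        return "defended: repositories disagree"
    if target["counter"] < installed_counter:
        return "defended: rollback"
    if len(image) != target["length"] or hashlib.sha256(image).hexdigest() != target["sha256"]:
        return "defended: image does not match metadata"
    return "installed"

def run_demo():
    trusted = {"director": DIRECTOR_KEY, "image_repo": IMAGE_KEY}
    old, new, evil = b"firmware v1", b"firmware v2", b"evil firmware"  # constructed images
    results = {}
    results["normal"] = verify(metadata(DIRECTOR_KEY, "fw", 2, new), metadata(IMAGE_KEY, "fw", 2, new), new, 1, trusted)
    # Compromised Director assigns the genuine but older image.
    results["rollback"] = verify(metadata(DIRECTOR_KEY, "fw", 1, old), metadata(IMAGE_KEY, "fw", 1, old), old, 2, trusted)
    # Only the Image Repository key is compromised; the Director still names the genuine image.
    results["image_repo_only"] = verify(metadata(DIRECTOR_KEY, "fw", 3, new), metadata(IMAGE_KEY, "fw", 3, evil), evil, 2, trusted)
    # Both keys compromised: every check passes, matching the successful attack in the sketch.
    evil_bundle = (metadata(DIRECTOR_KEY, "fw", 3, evil), metadata(IMAGE_KEY, "fw", 3, evil), evil)
    results["both"] = verify(*evil_bundle, 2, trusted)
    # After the Image Repository key is replaced, the same bundle no longer verifies.
    rotated = dict(trusted, image_repo=b"demo-image-repo-key-2")
    results["after_key_update"] = verify(*evil_bundle, 2, rotated)
    return results

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```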