Client: Freeze attack issue - expiry of metadata may not be detected #322


Closed
awwad opened this issue Feb 26, 2016 · 0 comments · Fixed by #324

awwad commented Feb 26, 2016

TLDR: There's a scenario in which expiration of unchanged metadata files may not be detected.

There's a broken assumption in updater.py:

"Due to the way in which metadata files are updated, it is expected that 'referenced_metadata' is not out of date and trusted."

This is actually not true: It is not guaranteed that 'referenced_metadata' expiration is detected.

Expiration checks are currently conducted (ensure_not_expired) when the metadata file is downloaded. If no new metadata file is downloaded, no expiry check occurs. (Exception: root is checked for expiration at the beginning of each refresh() cycle, and timestamp is always checked because it is always fetched.) Snapshot and targets are never checked if the user does not have evidence that they have changed.

You can play this out in this scenario:

  • Malicious Mirror Mal with compromised timestamp key is the first repository in your list of repositories to check.
  • Every time you try to update, you get a new timestamp file from Mal, always pointing to an old version of snapshot. (Currently, this can even be older than the version you currently hold (negative 1, say) due to Issue #316, "Client: When repo provides metadata w/ version < what client already has, that is not logged.")
  • While you do validate the timestamp signature, you do NOT update snapshot or any of the targets, and you do NOT check any of those metadata files for expiry, and so you do NOT report such expiry to the user.

User never finds out if their snapshot or target* metadata expires (unless they actually fetch an expired version from a server) - only when their root expires (or someone discovers Mal and revokes that timestamp key and they finally move on to a new repository).

To fix this, an expiry check on the metadata you already have should be performed here, when a metadata file is found to not need to be downloaded.

.... As a separate issue, this kinda prompts me in the direction of wanting to fetch more than just the first repository's timestamp. That's a big design thing, though.
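
The gap and the proposed fix, as an added example that is not part of the original issue or TUF's updater.py: a simplified Python model in which `refresh_role`, `frozen_client_scenario`, the `check_stale` flag and the metadata dict layout are hypothetical, and `ensure_not_expired` only borrows the name used in the issue.

```python
from datetime import datetime, timedelta, timezone


class ExpiredMetadataError(Exception):
    """Trusted metadata is past its 'expires' time."""


def ensure_not_expired(role, metadata, now):
    # Simplified stand-in for the check the issue names.
    if metadata["expires"] <= now:
        raise ExpiredMetadataError(f"{role} expired {metadata['expires']:%Y-%m-%d}")


def refresh_role(role, trusted, referenced_version, fetch, now, check_stale):
    """Bring one role up to the version its parent metadata references.

    trusted: role -> metadata already held (hypothetical layout).
    check_stale=False models the reported behaviour, True the proposed fix.
    """
    current = trusted.get(role)
    if current is None or referenced_version > current["version"]:
        new = fetch(role)
        ensure_not_expired(role, new, now)      # check at download time
        trusted[role] = new
        return "downloaded"
    if check_stale:
        ensure_not_expired(role, current, now)  # added check on the held copy
    return "unchanged"


def frozen_client_scenario(check_stale):
    # Constructed data: the held snapshot v5 expired a day ago, and the
    # timestamp served on every refresh still references snapshot v5.
    now = datetime(2016, 3, 1, tzinfo=timezone.utc)
    trusted = {"snapshot": {"version": 5, "expires": now - timedelta(days=1)}}

    def fetch(role):
        raise AssertionError("no download is expected in this scenario")

    try:
        return refresh_role("snapshot", trusted, 5, fetch, now, check_stale)
    except ExpiredMetadataError as exc:
        return f"expired: {exc}"


if __name__ == "__main__":
    print(frozen_client_scenario(check_stale=False))  # expiry goes unnoticed
    print(frozen_client_scenario(check_stale=True))   # expiry is reported
```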

@awwad awwad self-assigned this Feb 26, 2016
awwad added a commit to awwad/tuf that referenced this issue Feb 26, 2016
awwad added a commit to awwad/tuf that referenced this issue Feb 26, 2016
@awwad awwad changed the title Freeze attack issue - expiry of metadata may not be detected Client - Freeze attack issue - expiry of metadata may not be detected Feb 29, 2016
@awwad awwad changed the title Client - Freeze attack issue - expiry of metadata may not be detected Client: Freeze attack issue - expiry of metadata may not be detected Feb 29, 2016
awwad added a commit to awwad/tuf that referenced this issue Mar 10, 2016
…onflicts.

Comment lines from the individual commits include:
1. Fix theupdateframework#322 by detecting expiry of stale files. initial attempt
2. temp commit of files from Soma
3. removing freeze_attack_stale_expiry and leaving the test added to indefinite freeze attack
4. fixing indefinite freeze attack test: now incorporates old reject-freshly-downloaded-but-expired-timestamp test as well as reject-stale-already-present-but-expired-snapshot test
5. small refinements to indefinite freeze attack test
6. Pulled the recursion out of the except block in refresh() to avoid unprintable nested exceptions.
7. Added comments to the last commit (retry_once)
8. Merge pull request #1 from awwad/detect_expiry_322_temp (removing cruft in another branch)