Fast-forward recovery and rollback prevention #85
Conversation
There was a problem hiding this comment.
Thanks a lot, @mnm678? This PR does most of what we agreed on in #71 (comment) ff, i.e. reverting #65, and clarifying, which metadata needs to be deleted/untrusted when, in order to recover from fast forward attack. Please address my inline comments and we can merge this. (unless someone else has reservations, cc @JustinCappos, @trishankatdatadog)
We should also update/review/merge @erickt's #72, which clarifies that version increment checks must also be performed on delegated targets metadata.
tuf-spec.md
Outdated
| * **1.9**. **Fast-forward attack recovery** A _fast-forward attack_ happens | ||
| when attackers arbitrarily increase the version numbers of: (1) the timestamp | ||
| metadata, (2) the snapshot metadata, and / or (3) the targets, or a delegated | ||
| targets, metadata file in the snapshot metadata. To recover from fast-forward |
There was a problem hiding this comment.
We need to remove "in the snapshot metadata" or clarify. Because attackers can also perform ffwd attacks, if they increase the version number of snapshot in timestamp, or if they increase a version number on any metadata file directly.
|
@lukpueh Thanks for the review! I addressed your comments. |
tuf-spec.md
Outdated
| for more details. | ||
|
|
||
| * **1.9.1**. **Targets recovery** If a threshold of targets keys are removed | ||
| from the root metadata, delete the old targets, snapshot, and timestamp |
There was a problem hiding this comment.
I think it's fairly clear, but you could make it clearer that you mean the top-level targets file, and not any delegated targets file?
tuf-spec.md
Outdated
| lower than the expiration timestamp in the new targets metadata file. If so, | ||
| the new targets metadata file becomes the trusted targets metadata file. If | ||
| the new targets metadata file is expired, discard it, abort the update cycle, | ||
| and report the potential freeze attack. | ||
|
|
||
| * **4.4**. **Perform a preorder depth-first search for metadata about the | ||
| * **4.5**. **Fast-forward attack recovery** If a threshold of delegated |
There was a problem hiding this comment.
Good check, but we can't do this before the subsequent preorder DFS, no?
There was a problem hiding this comment.
Good catch, this check should happen during the DFS, maybe as 4.6.2.1
There was a problem hiding this comment.
Good catch indeed, @trishankatdatadog. Do you guys think it is clear that the "delegating targets metadata" (as now mentioned in 4.5.2.1) can also be the top-level targets metadata? Or should we add a clarification?
There was a problem hiding this comment.
Always better to clarify, in my humble experience!
There was a problem hiding this comment.
I agree, it's better to be clear. I'll add a note
Clarify what files to delete in various situations to recover from a fast-forward attack. In addition, this adds additional rollback protection in the event of a timestamp compromise.
|
@mnm678, I took the liberty to untangle the commit history a bit. It seems like there are a bunch of duplicate commits from this PR and also from prior PRs due to a merge. So I undid your merge by hard resetting to one of the merge commits' parents (i.e. db9b54b), and cherry-picked the commit that was missing (i.e. c2aa515) onto it. I also did some interactive rebasing to clean up the commit messages and squash in the one UI commit. You can replace your branch with my cleaned up version with these commands: # Fetch my version of your branch
git fetch [email protected]:lukpueh/specification.git fast_forward-lp:fast_forward-lp
# Go to your branch (if you're not already on it)
git checkout fast_forward
# Optionally diff it with mine to see that it's indeed the same contents
git diff fast_forward-lp
# Replace yours with mine
git reset --hard fast_forward-lp
# Force push to update the branch on GitHub
# (you might have to change "origin" to whatever points to [email protected]:mnm678/specification.git)
git push origin fast_foward -f |
tuf-spec.md
Outdated
| * **4.5.2.1**. **Fast-forward attack recovery** If a threshold of | ||
| delegated targets keys for the current delegation are removed from the | ||
| delegating targets metadata, delete the old delegated targets metadata for | ||
| the current delegation along with the snapshot and timestamp metadata. |
There was a problem hiding this comment.
Why the snapshot and timestamp again here?
There was a problem hiding this comment.
If there was a fast forward attack, the snapshot would contain the fast-forwarded version number of the delegated targets file
|
Superseded by #86 |
Addresses part of #71
Clarify how and when to delete targets, snapshot, and timestamp metadata to recover from a fast-forward attack. In addition, adds an additional rollback check to prevent a rollback attack in the event of a timestamp compromise.