Check timestamp/snapshot contains snapshot/targets description #226
Conversation
The [timestamp.json] states that the timestamp `meta` section MUST only contain a description of the snapshot.json file. However, [updating the timestamp role] does not describe when to perform this verification. Similarly, the [snapshot.json] states that the snapshot `meta` section MUST contain a description of the targets.json file, which is also not described in [updating the snapshot role]. This patch explicitly states that these checks should be performed, and that the metadata should be rejected if it is missing these entries. [timestamp.json]: https://theupdateframework.github.io/specification/v1.0.30/#file-formats-timestamp [updating the timestamp role]: https://theupdateframework.github.io/specification/v1.0.30/#update-timestamp [snapshot.json]: https://theupdateframework.github.io/specification/v1.0.30/#file-formats-snapshot [updating the snapshot role]: https://theupdateframework.github.io/specification/v1.0.30/#update-snapshot
erickt
changed the title
tuf-spec.md
Outdated
| 5. **Check for a rollback attack**. | ||
|
|
||
| 1. The new snapshot metadata file MUST contain the description of the targets | ||
| metadata file. If not, discard the new snapshot metadata file, abort the |
There was a problem hiding this comment.
| metadata file. If not, discard the new snapshot metadata file, abort the | |
| metadata files (the top-level targets.EXT and all delegated roles.) If not, discard the | |
| new snapshot metadata file, abort the |
Clarifying that this includes all targets files.
tuf-spec.md
Outdated
| the update cycle, and report the failure. | ||
| 5. **Check for a rollback attack**. | ||
|
|
||
| 1. The new snapshot metadata file MUST contain the description of the targets |
There was a problem hiding this comment.
| 1. The new snapshot metadata file MUST contain the description of the targets | |
| 1. The new snapshot metadata file MUST contain the version numbers of the targets |
The listed item is the version numbers, not a description.
There was a problem hiding this comment.
I assume that "description" was used as a short-hand for the version plus optional length and hashes (fields in a METAFILES object)? As this terminology is not used elsewhere we should certainly be more exploit here.
There was a problem hiding this comment.
Perhaps we could say
The new snapshot metadata file's
METAFILESobject MUST list all targets metadata (top-level targets.EXT all all delegated roles) including their version numbers, optionally their length and optionally their hashes. If not, discard the new snapshot metadata file, abort the
etc.
There was a problem hiding this comment.
I fleshed this out more, with links back to the definitions. How does it read?
tuf-spec.md
Outdated
| 2. The new timestamp metadata file MUST only contain the description of the | ||
| snapshot metadata file. If not, discard the new snapshot metadata file, | ||
| abort the cycle, and report the failure. |
There was a problem hiding this comment.
Just to be clear, here we're checking that timestamp's meta lists only snapshot?
Similar use of the new keyword "description" here, WDYT to changing that to "METAFILES object"?
(I've also changes snapshot -> timestamp in the "discard ..." statement)
| 2. The new timestamp metadata file MUST only contain the description of the | |
| snapshot metadata file. If not, discard the new snapshot metadata file, | |
| abort the cycle, and report the failure. | |
| 2. The new timestamp metadata file's `METAFILES` object MUST only contain the | |
| snapshot metadata file. If not, discard the new timestamp metadata file, | |
| abort the cycle, and report the failure. |
There was a problem hiding this comment.
I used the term description from https://theupdateframework.github.io/specification/latest/#file-formats-timestamp, but I agree it's a little vague. I like yours better.
tuf-spec.md
Outdated
| the update cycle, and report the failure. | ||
| 5. **Check for a rollback attack**. | ||
|
|
||
| 1. The new snapshot metadata file MUST contain the description of the targets |
There was a problem hiding this comment.
I assume that "description" was used as a short-hand for the version plus optional length and hashes (fields in a METAFILES object)? As this terminology is not used elsewhere we should certainly be more exploit here.
tuf-spec.md
Outdated
| 2. The new timestamp metadata file MUST only contain the description of the | ||
| snapshot metadata file. If not, discard the new snapshot metadata file, | ||
| abort the cycle, and report the failure. |
There was a problem hiding this comment.
I used the term description from https://theupdateframework.github.io/specification/latest/#file-formats-timestamp, but I agree it's a little vague. I like yours better.
tuf-spec.md
Outdated
| the update cycle, and report the failure. | ||
| 5. **Check for a rollback attack**. | ||
|
|
||
| 1. The new snapshot metadata file MUST contain the description of the targets |
There was a problem hiding this comment.
I fleshed this out more, with links back to the definitions. How does it read?
|
I just read through README.rst, and it looks like I was supposed to submit this against the |
|
|
||
| 1. The [=metapath/LENGTH=] in the new timestamp metadata file, if any, MUST | ||
| be equal to the [=metapath/LENGTH=] in the trusted timestamp file, if any. | ||
| If not, discard the new timestamp metadata file, abort the cycle, and |
There was a problem hiding this comment.
Why do we discard the new timestamp metadata? Could an attacker later roll back the timestamp file?
There was a problem hiding this comment.
I'm not sure if it's necessarily resisting an attack, but more about enabling the optimization where we can skip downloading metadata if we already have it locally without putting our local trusted metadata in an inconsistent state (such as in #114 and #227).
It might be helpful if we work with an example. Say we have locally trusted metadata, with Timestamp T1 and Snapshot S1, which is at version N. The remote repository is at Timestamp T1 and Snapshot S2, which also is at version N.
When we perform a client update, we will:
- Download T2
- Verify it was signed correctly
- Verify that T2's snapshot description's version >= the trusted snapshot S1's version
At this point we could decide that we we already have the trusted Snapshot S1, so we could abort the update workflow. However this would be incorrect, because it's possible that Snapshot S2 could have different content than Snapshot S1. If Timestamp T2 contains the optional length and/or hashes of Snapshot S2. This means that if we create a brand new client based off the local trusted metadata, we cannot use the length/hashes from Timestamp T2 to verify Snapshot S1. This would then force us to throw away the Snapshot S1 and download the new S2 version.
This patch tries to avoid this issue by enforcing that we cannot get into this state by treating Timestamp T2 as invalid, since it doesn't match what we already trust.
This would be especially handy if we implement transactional downloading of metadata in #69 to make sure the local metadata doesn't get into an incomplete state.
There was a problem hiding this comment.
The remote repository is at Timestamp T1 and Snapshot S2, which also is at version N.
Did you mean T2? You do say the client downloads T2 below. I assume this is a typo here?
Just to make sure, do I understand correctly that in your example:
- T1 describes S1
- T2 describes S2
- T2 has a higher version than T1
- S2 has the same version as S1
- S2 and S1 have different contents
This implies that the repo has incorrectly updated snapshot and timestamp, without bumping snapshot's version number, right?
Following you proposal, the client that already trusts T1 and S1 can only update, if the repo issues a new T2 (or higher) describing a new S2, with a version number higher than S1. Is that correct? If so, I think it's fair.
|
|
||
| 2. For each entry in the new timestamp metadata file's [=metapath/HASHES=] | ||
| dictionary, if the key is present in the trusted timestamp metadata file, | ||
| the values MUST be equal. If not, discard the new timestamp metadata |
There was a problem hiding this comment.
Same comment as above here.
There was a problem hiding this comment.
This was covered in the above comment, so lets track it there.
| 1. The new snapshot metadata file's [=METAFILES=] object MUST contain a | ||
| [=snapshot/METAPATH=] entry for the targets metadata file, and all delegated targets | ||
| metadata files, if any, in the trusted snapshot metadata file. If not, | ||
| discard the new snapshot metadata file, abort the cycle, and report the |
There was a problem hiding this comment.
Do we need to discard the snapshot file in this case? Why?
There was a problem hiding this comment.
This was covered in the above comment, so lets track it there.
The README says:
So this should be fine. |
The timestamp.json states that the timestamp
metasection MUST only contain a description of the snapshot.json file. However, updating the timestamp role does not describe when to perform this verification.Similarly, the snapshot.json states that the snapshot
metasection MUST contain a description of the targets.json file, which is also not described in updating the snapshot role.This patch explicitly states that these checks should be performed, and that the metadata should be rejected if it is missing these entries.