| < draft-ietf-suit-information-model-10.txt | draft-ietf-suit-information-model-11.txt > | |||
|---|---|---|---|---|
| SUIT B. Moran | SUIT B. Moran | |||
| Internet-Draft H. Tschofenig | Internet-Draft H. Tschofenig | |||
| Intended status: Informational Arm Limited | Intended status: Informational Arm Limited | |||
| Expires: September 20, 2021 H. Birkholz | Expires: October 8, 2021 H. Birkholz | |||
| Fraunhofer SIT | Fraunhofer SIT | |||
| March 19, 2021 | April 06, 2021 | |||
| A Manifest Information Model for Firmware Updates in IoT Devices | A Manifest Information Model for Firmware Updates in IoT Devices | |||
| draft-ietf-suit-information-model-10 | draft-ietf-suit-information-model-11 | |||
| Abstract | Abstract | |||
| Vulnerabilities with Internet of Things (IoT) devices have raised the | Vulnerabilities with Internet of Things (IoT) devices have raised the | |||
| need for a reliable and secure firmware update mechanism that is also | need for a reliable and secure firmware update mechanism that is also | |||
| suitable for constrained devices. Ensuring that devices function and | suitable for constrained devices. Ensuring that devices function and | |||
| remain secure over their service life requires such an update | remain secure over their service life requires such an update | |||
| mechanism to fix vulnerabilities, to update configuration settings, | mechanism to fix vulnerabilities, to update configuration settings, | |||
| as well as adding new functionality. | as well as adding new functionality. | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 20, 2021. | This Internet-Draft will expire on October 8, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 17 ¶ | skipping to change at page 3, line 17 ¶ | |||
| 4.2. Threat Descriptions . . . . . . . . . . . . . . . . . . . 17 | 4.2. Threat Descriptions . . . . . . . . . . . . . . . . . . . 17 | |||
| 4.2.1. THREAT.IMG.EXPIRED: Old Firmware . . . . . . . . . . 17 | 4.2.1. THREAT.IMG.EXPIRED: Old Firmware . . . . . . . . . . 17 | |||
| 4.2.2. THREAT.IMG.EXPIRED.OFFLINE : Offline device + Old | 4.2.2. THREAT.IMG.EXPIRED.OFFLINE : Offline device + Old | |||
| Firmware . . . . . . . . . . . . . . . . . . . . . . 18 | Firmware . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 4.2.3. THREAT.IMG.INCOMPATIBLE: Mismatched Firmware . . . . 18 | 4.2.3. THREAT.IMG.INCOMPATIBLE: Mismatched Firmware . . . . 18 | |||
| 4.2.4. THREAT.IMG.FORMAT: The target device misinterprets | 4.2.4. THREAT.IMG.FORMAT: The target device misinterprets | |||
| the type of payload . . . . . . . . . . . . . . . . . 19 | the type of payload . . . . . . . . . . . . . . . . . 19 | |||
| 4.2.5. THREAT.IMG.LOCATION: The target device installs the | 4.2.5. THREAT.IMG.LOCATION: The target device installs the | |||
| payload to the wrong location . . . . . . . . . . . . 19 | payload to the wrong location . . . . . . . . . . . . 19 | |||
| 4.2.6. THREAT.NET.REDIRECT: Redirection to inauthentic | 4.2.6. THREAT.NET.REDIRECT: Redirection to inauthentic | |||
| payload hosting . . . . . . . . . . . . . . . . . . . 19 | payload hosting . . . . . . . . . . . . . . . . . . . 20 | |||
| 4.2.7. THREAT.NET.ONPATH: Traffic interception . . . . . . . 20 | 4.2.7. THREAT.NET.ONPATH: Traffic interception . . . . . . . 20 | |||
| 4.2.8. THREAT.IMG.REPLACE: Payload Replacement . . . . . . . 20 | 4.2.8. THREAT.IMG.REPLACE: Payload Replacement . . . . . . . 20 | |||
| 4.2.9. THREAT.IMG.NON_AUTH: Unauthenticated Images . . . . . 20 | 4.2.9. THREAT.IMG.NON_AUTH: Unauthenticated Images . . . . . 21 | |||
| 4.2.10. THREAT.UPD.WRONG_PRECURSOR: Unexpected Precursor | 4.2.10. THREAT.UPD.WRONG_PRECURSOR: Unexpected Precursor | |||
| images . . . . . . . . . . . . . . . . . . . . . . . 21 | images . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 4.2.11. THREAT.UPD.UNAPPROVED: Unapproved Firmware . . . . . 21 | 4.2.11. THREAT.UPD.UNAPPROVED: Unapproved Firmware . . . . . 21 | |||
| 4.2.12. THREAT.IMG.DISCLOSURE: Reverse Engineering Of | 4.2.12. THREAT.IMG.DISCLOSURE: Reverse Engineering Of | |||
| Firmware Image for Vulnerability Analysis . . . . . . 23 | Firmware Image for Vulnerability Analysis . . . . . . 23 | |||
| 4.2.13. THREAT.MFST.OVERRIDE: Overriding Critical Manifest | 4.2.13. THREAT.MFST.OVERRIDE: Overriding Critical Manifest | |||
| Elements . . . . . . . . . . . . . . . . . . . . . . 23 | Elements . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 4.2.14. THREAT.MFST.EXPOSURE: Confidential Manifest Element | 4.2.14. THREAT.MFST.EXPOSURE: Confidential Manifest Element | |||
| Exposure . . . . . . . . . . . . . . . . . . . . . . 23 | Exposure . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 4.2.15. THREAT.IMG.EXTRA: Extra data after image . . . . . . 24 | 4.2.15. THREAT.IMG.EXTRA: Extra data after image . . . . . . 24 | |||
| 4.2.16. THREAT.KEY.EXPOSURE: Exposure of signing keys . . . . 24 | 4.2.16. THREAT.KEY.EXPOSURE: Exposure of signing keys . . . . 24 | |||
| 4.2.17. THREAT.MFST.MODIFICATION: Modification of manifest or | 4.2.17. THREAT.MFST.MODIFICATION: Modification of manifest or | |||
| payload prior to signing . . . . . . . . . . . . . . 24 | payload prior to signing . . . . . . . . . . . . . . 24 | |||
| 4.2.18. THREAT.MFST.TOCTOU: Modification of manifest between | 4.2.18. THREAT.MFST.TOCTOU: Modification of manifest between | |||
| authentication and use . . . . . . . . . . . . . . . 25 | authentication and use . . . . . . . . . . . . . . . 25 | |||
| 4.3. Security Requirements . . . . . . . . . . . . . . . . . . 25 | 4.3. Security Requirements . . . . . . . . . . . . . . . . . . 25 | |||
| 4.3.1. REQ.SEC.SEQUENCE: Monotonic Sequence Numbers . . . . 25 | 4.3.1. REQ.SEC.SEQUENCE: Monotonic Sequence Numbers . . . . 25 | |||
| 4.3.2. REQ.SEC.COMPATIBLE: Vendor, Device-type Identifiers . 26 | 4.3.2. REQ.SEC.COMPATIBLE: Vendor, Device-type Identifiers . 26 | |||
| 4.3.3. REQ.SEC.EXP: Expiration Time . . . . . . . . . . . . 26 | 4.3.3. REQ.SEC.EXP: Expiration Time . . . . . . . . . . . . 26 | |||
| 4.3.4. REQ.SEC.AUTHENTIC: Cryptographic Authenticity . . . . 26 | 4.3.4. REQ.SEC.AUTHENTIC: Cryptographic Authenticity . . . . 26 | |||
| 4.3.5. REQ.SEC.AUTH.IMG_TYPE: Authenticated Payload Type . . 27 | 4.3.5. REQ.SEC.AUTH.IMG_TYPE: Authenticated Payload Type . . 27 | |||
| 4.3.6. Security Requirement REQ.SEC.AUTH.IMG_LOC: | 4.3.6. Security Requirement REQ.SEC.AUTH.IMG_LOC: | |||
| Authenticated Storage Location . . . . . . . . . . . 27 | Authenticated Storage Location . . . . . . . . . . . 27 | |||
| 4.3.7. REQ.SEC.AUTH.REMOTE_LOC: Authenticated Remote Payload 27 | 4.3.7. REQ.SEC.AUTH.REMOTE_LOC: Authenticated Remote Payload 27 | |||
| 4.3.8. REQ.SEC.AUTH.EXEC: Secure Execution . . . . . . . . . 27 | 4.3.8. REQ.SEC.AUTH.EXEC: Secure Execution . . . . . . . . . 27 | |||
| 4.3.9. REQ.SEC.AUTH.PRECURSOR: Authenticated precursor | 4.3.9. REQ.SEC.AUTH.PRECURSOR: Authenticated precursor | |||
| images . . . . . . . . . . . . . . . . . . . . . . . 27 | images . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 4.3.10. REQ.SEC.AUTH.COMPATIBILITY: Authenticated Vendor and | 4.3.10. REQ.SEC.AUTH.COMPATIBILITY: Authenticated Vendor and | |||
| Class IDs . . . . . . . . . . . . . . . . . . . . . . 28 | Class IDs . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 4.3.11. REQ.SEC.RIGHTS: Rights Require Authenticity . . . . . 28 | 4.3.11. REQ.SEC.RIGHTS: Rights Require Authenticity . . . . . 28 | |||
| 4.3.12. REQ.SEC.IMG.CONFIDENTIALITY: Payload Encryption . . . 28 | 4.3.12. REQ.SEC.IMG.CONFIDENTIALITY: Payload Encryption . . . 28 | |||
| 4.3.13. REQ.SEC.ACCESS_CONTROL: Access Control . . . . . . . 29 | 4.3.13. REQ.SEC.ACCESS_CONTROL: Access Control . . . . . . . 29 | |||
| 4.3.14. REQ.SEC.MFST.CONFIDENTIALITY: Encrypted Manifests . . 29 | 4.3.14. REQ.SEC.MFST.CONFIDENTIALITY: Encrypted Manifests . . 29 | |||
| 4.3.15. REQ.SEC.IMG.COMPLETE_DIGEST: Whole Image Digest . . . 29 | 4.3.15. REQ.SEC.IMG.COMPLETE_DIGEST: Whole Image Digest . . . 29 | |||
| 4.3.16. REQ.SEC.REPORTING: Secure Reporting . . . . . . . . . 30 | 4.3.16. REQ.SEC.REPORTING: Secure Reporting . . . . . . . . . 30 | |||
| 4.3.17. REQ.SEC.KEY.PROTECTION: Protected storage of signing | 4.3.17. REQ.SEC.KEY.PROTECTION: Protected storage of signing | |||
| keys . . . . . . . . . . . . . . . . . . . . . . . . 30 | keys . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 4.3.18. REQ.SEC.MFST.CHECK: Validate manifests prior to | 4.3.18. REQ.SEC.MFST.CHECK: Validate manifests prior to | |||
| deployment . . . . . . . . . . . . . . . . . . . . . 30 | deployment . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 4.3.19. REQ.SEC.MFST.TRUSTED: Construct manifests in a | 4.3.19. REQ.SEC.MFST.TRUSTED: Construct manifests in a | |||
| trusted environment . . . . . . . . . . . . . . . . . 30 | trusted environment . . . . . . . . . . . . . . . . . 30 | |||
| 4.3.20. REQ.SEC.MFST.CONST: Manifest kept immutable between | 4.3.20. REQ.SEC.MFST.CONST: Manifest kept immutable between | |||
| check and use . . . . . . . . . . . . . . . . . . . . 30 | check and use . . . . . . . . . . . . . . . . . . . . 31 | |||
| 4.4. User Stories . . . . . . . . . . . . . . . . . . . . . . 31 | 4.4. User Stories . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 4.4.1. USER_STORY.INSTALL.INSTRUCTIONS: Installation | 4.4.1. USER_STORY.INSTALL.INSTRUCTIONS: Installation | |||
| Instructions . . . . . . . . . . . . . . . . . . . . 31 | Instructions . . . . . . . . . . . . . . . . . . . . 31 | |||
| 4.4.2. USER_STORY.MFST.FAIL_EARLY: Fail Early . . . . . . . 31 | 4.4.2. USER_STORY.MFST.FAIL_EARLY: Fail Early . . . . . . . 31 | |||
| 4.4.3. USER_STORY.OVERRIDE: Override Non-Critical Manifest | 4.4.3. USER_STORY.OVERRIDE: Override Non-Critical Manifest | |||
| Elements . . . . . . . . . . . . . . . . . . . . . . 32 | Elements . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 4.4.4. USER_STORY.COMPONENT: Component Update . . . . . . . 32 | 4.4.4. USER_STORY.COMPONENT: Component Update . . . . . . . 32 | |||
| 4.4.5. USER_STORY.MULTI_AUTH: Multiple Authorizations . . . 32 | 4.4.5. USER_STORY.MULTI_AUTH: Multiple Authorizations . . . 32 | |||
| 4.4.6. USER_STORY.IMG.FORMAT: Multiple Payload Formats . . . 33 | 4.4.6. USER_STORY.IMG.FORMAT: Multiple Payload Formats . . . 33 | |||
| 4.4.7. USER_STORY.IMG.CONFIDENTIALITY: Prevent Confidential | 4.4.7. USER_STORY.IMG.CONFIDENTIALITY: Prevent Confidential | |||
| skipping to change at page 17, line 12 ¶ | skipping to change at page 17, line 12 ¶ | |||
| Implements: REQ.USE.DELEGATION (Section 4.5.13) | Implements: REQ.USE.DELEGATION (Section 4.5.13) | |||
| 4. Security Considerations | 4. Security Considerations | |||
| The following sub-sections describe the threat model, user stories, | The following sub-sections describe the threat model, user stories, | |||
| security requirements, and usability requirements. This section also | security requirements, and usability requirements. This section also | |||
| provides the motivations for each of the manifest information | provides the motivations for each of the manifest information | |||
| elements. | elements. | |||
| Note that it is worthwhile to recall that a firmware update is, by | ||||
| definition, remote code execution. Hence, if a device is configured | ||||
| to trust an entity to provide firmware, it trusts this entity to do | ||||
| the "right thing". Many classes of attacks can be mitigated by | ||||
| verifying that a firmware update came from a trusted party and that | ||||
| no rollback is taking place. However, if the trusted entity has been | ||||
| compromised and distributes attacker-provided firmware to devices | ||||
| then the possibilities for deference are limited. | ||||
| 4.1. Threat Model | 4.1. Threat Model | |||
| The following sub-sections aim to provide information about the | The following sub-sections aim to provide information about the | |||
| threats that were considered, the security requirements that are | threats that were considered, the security requirements that are | |||
| derived from those threats and the fields that permit implementation | derived from those threats and the fields that permit implementation | |||
| of the security requirements. This model uses the S.T.R.I.D.E. | of the security requirements. This model uses the S.T.R.I.D.E. | |||
| [STRIDE] approach. Each threat is classified according to: | [STRIDE] approach. Each threat is classified according to: | |||
| o Spoofing identity | o Spoofing identity | |||
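Review bot: "the possibilities for deference are limited" in the last line of the new paragraph (right column) should read "defence"; "deference" changes the meaning. Two smaller points on the same paragraph: "Note that it is worthwhile to recall that" is redundant (suggest "It is worth recalling that"), and the closing sentence states the limit of signature and anti-rollback checks without pointing at the mitigations this draft does offer for a compromised trusted entity, namely REQ.SEC.KEY.PROTECTION (Section 4.3.17), REQ.SEC.MFST.TRUSTED (Section 4.3.19), REQ.SEC.MFST.CHECK (Section 4.3.18) and USER_STORY.MULTI_AUTH (Section 4.4.5); a cross-reference here would keep the reader from concluding that nothing can be done.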
| skipping to change at page 27, line 29 ¶ | skipping to change at page 27, line 31 ¶ | |||
| The location on the target where the payload is to be stored MUST be | The location on the target where the payload is to be stored MUST be | |||
| authenticated. | authenticated. | |||
| Mitigates: THREAT.IMG.LOCATION (Section 4.2.5) | Mitigates: THREAT.IMG.LOCATION (Section 4.2.5) | |||
| Implemented by: Storage Location (Section 3.10) | Implemented by: Storage Location (Section 3.10) | |||
| 4.3.7. REQ.SEC.AUTH.REMOTE_LOC: Authenticated Remote Payload | 4.3.7. REQ.SEC.AUTH.REMOTE_LOC: Authenticated Remote Payload | |||
| The location where a target should find a payload MUST be | The location where a target should find a payload MUST be | |||
| authenticated. | authenticated. Remote resources need to receive an equal amount of | |||
| cryptographic protection as the manifest itself, when dereferencing | ||||
| URIs. The security considerations of Uniform Resource Identifiers | ||||
| (URIs) are applicable [RFC3986]. | ||||
| Mitigates: THREAT.NET.REDIRECT (Section 4.2.6), THREAT.NET.ONPATH | Mitigates: THREAT.NET.REDIRECT (Section 4.2.6), THREAT.NET.ONPATH | |||
| (Section 4.2.7) | (Section 4.2.7) | |||
| Implemented by: Payload Indicator (Section 3.12) | Implemented by: Payload Indicator (Section 3.12) | |||
| 4.3.8. REQ.SEC.AUTH.EXEC: Secure Execution | 4.3.8. REQ.SEC.AUTH.EXEC: Secure Execution | |||
| The target SHOULD verify firmware at time of boot. This requires | The target SHOULD verify firmware at time of boot. This requires | |||
| authenticated payload size, and digest. | authenticated payload size, and digest. | |||
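Review bot: the sentence added to 4.3.7, "Remote resources need to receive an equal amount of cryptographic protection as the manifest itself, when dereferencing URIs", is ambiguous about what carries that protection. It can be read as requiring that the transport used to dereference the URI be as strong as the manifest signature, whereas the threats this requirement mitigates (THREAT.NET.REDIRECT, THREAT.NET.ONPATH) are addressed by having the URI covered by the manifest's authentication and by verifying the fetched payload against the manifest's authenticated digest and size before it is used; transport security on its own is not a substitute, since an on-path or redirecting attacker may control the endpoint. Suggest rewording along the lines of: "The URI MUST be covered by the manifest authentication, and any payload obtained by dereferencing it MUST be verified against the authenticated digest and size carried in the manifest before use." Grammar: "an equal amount of ... protection as" should be "the same ... protection as". In the unchanged context that follows, "authenticated payload size, and digest" has a stray comma.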
| skipping to change at page 41, line 26 ¶ | skipping to change at page 41, line 26 ¶ | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | |||
| Information Models and Data Models", RFC 3444, | Information Models and Data Models", RFC 3444, | |||
| DOI 10.17487/RFC3444, January 2003, | DOI 10.17487/RFC3444, January 2003, | |||
| <https://www.rfc-editor.org/info/rfc3444>. | <https://www.rfc-editor.org/info/rfc3444>. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | ||||
| Resource Identifier (URI): Generic Syntax", STD 66, | ||||
| RFC 3986, DOI 10.17487/RFC3986, January 2005, | ||||
| <https://www.rfc-editor.org/info/rfc3986>. | ||||
| [STRIDE] Microsoft, "The STRIDE Threat Model", May 2018, | [STRIDE] Microsoft, "The STRIDE Threat Model", May 2018, | |||
| <https://msdn.microsoft.com/en-us/library/ | <https://msdn.microsoft.com/en-us/library/ | |||
| ee823878(v=cs.20).aspx>. | ee823878(v=cs.20).aspx>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Brendan Moran | Brendan Moran | |||
| Arm Limited | Arm Limited | |||
| EMail: Brendan.Moran@arm.com | EMail: Brendan.Moran@arm.com | |||
| End of changes. 12 change blocks. | ||||
| 10 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||