|
1 | 1 | # <p align="center">The Update Framework Specification |
2 | 2 |
|
3 | | -Last modified: **31 January 2018** |
| 3 | +Last modified: **9 February 2018** |
4 | 4 |
|
5 | 5 | Version: **1.0 (Draft)** |
6 | 6 |
|
@@ -132,62 +132,62 @@ Version: **1.0 (Draft)** |
132 | 132 |
|
133 | 133 | - **1.5.2. Goals to protect against specific attacks** |
134 | 134 |
|
135 | | - Note: When saying the framework protects against an attack,it means |
136 | | - the attack will not be successful. It does not mean that a client will |
137 | | - always be able to successfully update during an attack. Fundamentally, an |
138 | | - attacker positioned to intercept and modify a client's communication will |
139 | | - always be able to perform a denial of service. The part we have control |
140 | | - over is not allowing an inability to update to go unnoticed. |
| 135 | + Note: When saying the framework protects against an attack, it means the |
| 136 | + attack will be unsuccessful. It does not mean that a client will always |
| 137 | + successfully update during an attack. Fundamentally, an attacker |
| 138 | + positioned to intercept and modify a client's communication can always |
| 139 | + perform a denial of service. Nevertheless, the framework must detect |
| 140 | + when a client is unable to update. |
141 | 141 |
|
142 | | - + **Arbitrary installation attacks.** An attacker installs anything they want on |
143 | | - the client system. That is, an attacker can provide arbitrary files in |
144 | | - response to download requests and the files will not be detected as |
145 | | - illegitimate. |
| 142 | + + **Arbitrary installation attacks.** An attacker cannot install anything |
| 143 | + they want on the client system. That is, an attacker cannot provide |
| 144 | + arbitrary files in response to download requests. |
146 | 145 |
|
147 | | - + **Endless data attacks.** Attackers should not be able to respond to client |
| 146 | + + **Endless data attacks.** An attacker cannot respond to client |
148 | 147 | requests with huge amounts of data (extremely large files) that interfere |
149 | 148 | with the client's system. |
150 | 149 |
|
151 | | - + **Extraneous dependencies attacks.** Attackers should not be able to cause |
152 | | - clients to download or install software dependencies that are not the |
153 | | - intended dependencies. |
154 | | - |
155 | | - + **Fast-forward attacks.** An attacker arbitrarily increases the version numbers |
156 | | - of project metadata files in the snapshot metadata well beyond the current |
157 | | - value, thus tricking a software update system into thinking any subsequent |
158 | | - updates are trying to rollback the package to a previous, out-of-date version. |
159 | | - In some situations, such as those where there is a maximum possible version |
160 | | - number, the perpetrator could use a number so high that the system would |
161 | | - never be able to match it with the one in the snapshot metadata, and thus |
162 | | - new updates could never be downloaded. |
163 | | - |
164 | | - + **Indefinite freeze attacks.** Attackers should not be able to respond to |
165 | | - client requests with the same, outdated metadata without the client being |
166 | | - aware of the problem. |
167 | | - |
168 | | - + **Malicious mirrors preventing updates.** Repository mirrors should be unable |
169 | | - to prevent updates from good mirrors. |
170 | | - |
171 | | - + **Mix-and-match attacks.** Attackers should not be able to trick clients into |
172 | | - using a combination of metadata that never existed together on the |
173 | | - repository at the same time. |
174 | | - |
175 | | - + **Rollback attacks.** Attackers should not be able to trick clients into |
176 | | - installing software that is older than that which the client previously knew |
177 | | - to be available. |
178 | | - |
179 | | - + **Slow retrieval attacks.** Attackers should not be able to prevent clients |
180 | | - from being aware of interference with receiving updates by responding to |
| 150 | + + **Extraneous dependencies attacks.** An attacker cannot cause clients |
| 151 | + to download or install software dependencies that are not the intended |
| 152 | + dependencies. |
| 153 | + |
| 154 | + + **Fast-forward attacks.** An attacker cannot arbitrarily increase the |
| 155 | + version numbers of metadata files, listed in the snapshot metadata, well |
| 156 | + beyond the current value and thus tricking a software update system into |
| 157 | + thinking any subsequent updates are trying to rollback the package to a |
| 158 | + previous, out-of-date version. In some situations, such as those where |
| 159 | + there is a maximum possible version number, the perpetrator cannot use a |
| 160 | + number so high that the system would never be able to match it with the |
| 161 | + one in the snapshot metadata, and thus new updates could never be |
| 162 | + downloaded. |
| 163 | + |
| 164 | + + **Indefinite freeze attacks.** An attacker cannot respond to client |
| 165 | + requests with the same, outdated metadata without the client being aware |
| 166 | + of the problem. |
| 167 | + |
| 168 | + + **Malicious mirrors preventing updates.** A repository mirror cannot |
| 169 | + prevent updates from good mirrors. |
| 170 | + |
| 171 | + + **Mix-and-match attacks.** An attacker cannot trick clients into using |
| 172 | + a combination of metadata that never existed together on the repository |
| 173 | + at the same time. |
| 174 | + |
| 175 | + + **Rollback attacks.** An attacker cannot trick clients into installing |
| 176 | + software that is older than that which the client previously knew to be |
| 177 | + available. |
| 178 | + |
| 179 | + + **Slow retrieval attacks.** An attacker cannot prevent clients from |
| 180 | + being aware of interference with receiving updates by responding to |
181 | 181 | client requests so slowly that automated updates never complete. |
182 | 182 |
|
183 | | - + **Vulnerability to key compromises.** An attacker who is able to compromise a |
184 | | - single key or less than a given threshold of keys can compromise clients. |
185 | | - This includes relying on a single online key (such as only being protected |
186 | | - by SSL) or a single offline key (such as most software update systems use to |
187 | | - sign files). |
| 183 | + + **Vulnerability to key compromises.** An attacker, who is able to |
| 184 | + compromise a single key or less than a given threshold of keys, cannot |
| 185 | + compromise clients. This includes compromising a single online key (such |
| 186 | + as only being protected by SSL) or a single offline key (such as most |
| 187 | + software update systems use to sign files). |
188 | 188 |
|
189 | | - + **Wrong software installation.** An attacker provides a client with a trusted |
190 | | - file that is not the one the client wanted. |
| 189 | + + **Wrong software installation.** An attacker cannot provide a file |
| 190 | + (trusted or untrusted) that is not the one the client wanted. |
191 | 191 |
|
192 | 192 | - **1.5.3. Goals for PKIs** |
193 | 193 |
|
|
0 commit comments