Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

Size: px

Start display at page:

Download "Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer"

Loren Lynch
5 years ago
Views:

1 Securing Software Updates for IoT Devices with TUF and Uptane Ricardo Salveti Principal Engineer

2 Foundries.io

3 Foundries.io Established October, 2017 Backgrounds in Spin-out from, and funded by, Linaro Ltd. Team formerly known as Linaro Technologies Division Embedded Systems, (Linux, RTOS, PC BIOS, Windows, Android) Linux Distributions Consumer, Commercial, Military, Commercial Aviation Product Development Web Frameworks Advanced CI (LAVA, KernelCI.org) Offers secure, over-the-air updatable software platforms for connected products Linux microplatform Zephyr microplatform

4 Why are updates critical for IoT?

6 Need for Updates with IoT Connected devices exposing a substantial attack surface Common to see poor development practices Common to have poor default user/password Ship and forget Transmitted data not always encrypted (e.g. TLS) Bugs and vulnerabilities will happen Issues can happen at any piece of the stack, including hardware Updates are critical for reacting and fixing issues as they arise

7 "Just use traditional update systems!"

9 Common Update Threats Arbitrary installation attacks Endless data attacks Extraneous dependencies attacks Fast-forward attacks Indefinite freeze attacks Malicious mirrors preventing updates Mix-and-match attacks Rollback attacks Slow retrieval attacks Vulnerability to key compromises Wrong software installation

Problems with traditional Update Systems TLS Only secures the communication Doesn't say anything about the server Online Key Single point of failure GPG

10 Problems with traditional Update Systems TLS Only secures the communication Doesn't say anything about the server Online Key Single point of failure GPG Offline key, but need for frequent updates makes it online Trust for anything usually implies trust for everything Key compromise can compromise the entire system

11 The Update Framework - TUF

12 The Update Framework Framework for securing software update systems Created and maintained by Justin Cappos (assistant professor at NYU) Largely based on Thandy, Tor's application updater Designed to be compromise resilient Provides multiple roles and signed metadata (JSON) A software update system is secure if it can be sure that it knows about the latest available updates in a timely manner, any ﬁles it downloads are the correct ﬁles, and no harm results from checking or downloading ﬁles.

13 TUF: Design Principles Multiple Roles Responsibility Separation Multi-signature Trust Allows Roles Delegation Threshold Signatures Minimize Individual Key and Role Risk Explicit and Implicit Key Revocation

14 TUF: Roles Overview Root Targets Snapshot Timestamp (root of trust) (integrity) (consistency) (freshness)

$json (root of trust) { "_type" : "root", "spec_version" : SPEC_VERSION, "version" : VERSION, "expires" : EXPIRES, "keys" : {$

15 TUF: Roles Overview Root /root.json (root of trust) { "_type" : "root", "spec_version" : SPEC_VERSION, "version" : VERSION, "expires" : EXPIRES, "keys" : { KEYID : KEY,... }, "roles" : { ROLE : { "keyids" : [ KEYID,... ], "threshold" : THRESHOLD },... } }

$json (integrity) { "_type" : "targets", "spec_version" : SPEC_VERSION, "version" : VERSION, "expires" : EXPIRES, "targets" :$

16 TUF: Roles Overview Targets /targets.json (integrity) { "_type" : "targets", "spec_version" : SPEC_VERSION, "version" : VERSION, "expires" : EXPIRES, "targets" : { TARGETPATH : { "length" : LENGTH, "hashes" : HASHES, }, ("delegations" : DELEGATIONS) }

$json (consistency) { "_type" :$ "snapshot", "spec_version" :

17 TUF: Roles Overview Snapshot /snapshot.json (consistency) { "_type" : "snapshot", "spec_version" : SPEC_VERSION, "version" : VERSION, "expires" : EXPIRES, "meta" : { "root.json": { "version": 1 }, "targets.json": { "version": 1 }, }, }

$json (freshness) { "_type" : "timestamp",$ "spec_version" : SPEC_VERSION, "version" :

"snapshot.json": { "hashes": { "sha256": ".

18 TUF: Roles Overview Timestamp /timestamp.json (freshness) { "_type" : "timestamp", "spec_version" : SPEC_VERSION, "version" : VERSION, "expires" : EXPIRES, "meta" : { "snapshot.json": { "hashes": { "sha256": "..." }, "length": LENGTH, "version": 1 } }, }, }

signs for images *.img A2 A.img A. * A1 snapshot targets B.

19 TUF: Design Principles for a Repository signs metadata for metadata images signs root keys for delegates images to root signs for images *.img A2 A.img A. * A1 snapshot targets B.img *, B. timestamp * C. ε BC C.img SOTA #5: Uptane Design Overview

20 Uptane

Difficulties applying TUF to IoT and Automotive TUF only

customized view based on the client needs How to manage

Cell Network Primary Client SecondarySecondary Secondary

21 Difficulties applying TUF to IoT and Automotive TUF only offers one secure view to a repository No way to provide a customized view based on the client needs How to manage devices composed by multiple computing units (ECUs)? Cell Network Primary Client SecondarySecondary Secondary Secondary Secondary Secondary Secondary Secondary Secondary Secondary Secondary Secondary

22 Uptane: TUF Extended for Automotive Software update security system developed by New York University, University of Michigan and Southwest Research Institute Multiple Repositories: Director and Image Repository Primary and Secondary Clients Timeserver Full and Partial Verification

23 Primary Uptane: Director Repository Records vehicle version manifests Determines which ECUs install which images Produces different metadata for different vehicles May encrypt images per ECU Has access to an inventory database vehicle repository (5 )d ow (1) sends vehicle version manifest nl o (4) receives link to timestamp metadata ad s (3) Automated process (2) reads & writes Inventory database w r i t e s timestamp metadata snapshot metadata targets metadata encrypted image

24 signs metadata for Uptane: Image Repository signs root keys for delegates images to signs for images OEM-managed supplier-managed A A1.img A*.im g root timestamp snapshot targets B*.img B B3.img C*.im When possible, OEM delegates updates for ECUs to suppliers Delegations are flexible, and accommodate a variety of arrangements g.img C CA* CB *.im g Metadata D CA5.img E CB2.img

25 Integrating TUF / Uptane

26 OpenEmbedded / Yocto Meta-Updater Layer Enables TUF / Uptane over-the-air updates with OSTree and Aktualizr Used by Linux microplatform by default Aktualizr Implements Uptane specification Controls the actual device update process OSTree supported by default Additional packaging / image targets can be implemented

27 OTA Community Edition Open-source server software to allow over-the-air updates Implements the server side of the Uptane specification Microservice based Implements OSTree-compatible repository Aktualizr as default client Components can be easily replaced if needed Foundries.io provides a customized UI REST API exposed, additional clients can be easily supported

30 Related Projects In-toto Framework to protect supply chain integrity

31 Thank You!

32 Backup Slides

33 microplatforms

tested) As close to tip as possible Little

merge-ups We believe that the most secure

34 microplatforms - OS / Distributions Upstream, open source software microplatforms are built directly from upstream open source projects Stabilized and tested for connected IoT use-case Continuous updates (integrated & fully tested) As close to tip as possible Little or no non-upstream code Continuous merge-ups We believe that the most secure and stable software is upstream software It s open source, there is No proprietary Lock-in

35 Linux microplatform - the OS for embedded systems Customer Application OTA Managed Containers Optional Legacy distribution or Safety Critical RTOS Container Management microplatform Services Unified Linux Kernel follows upstream Multi-SoC Vendor support Optional microkernel/hypervisor L4RE/KVM Secure Firmware UEFI, ARM Platform Security Architecture, OTA Updater Secure OTA Updater Demo Containers OTA agent Container Mgmt System Apps & Development utilities Docker OStree Linux Kernel Bootloader - U-Boot / Grub 2 - UEFI

36 Zephyr microplatform - OS for microcontrollers HTTP(S) Hawkbit Demonstration Application OTA App-specific logic CoAP(S) LWM2M Demonstration Application OTA App-specific logic OSF Sample Apps Optional Middleware Thread, IoTivity, LwM2M Secure protocols MQTT, HTTP,... Secure protocols, CoAP,... TCP (TLS) UDP (DTLS) Update subsystem Zephyr Project IP: IPv4 & IPv6 6LoWPAN Connectivity Drivers (Ethernet, BLE, , WiFi, LoRa, NB-IoT, LTE-M) Kernel (RTOS, SoC and board support) Secure Bootloader / mcuboot (Image verification, Supports multiple images) MCUBoot

37 OSTree basics: sysroot Open Source Updates for IoT - ATS

Uptane. Securing Over-the-Air Updates Against Nation State Actors. Justin Cappos New York University

Uptane. Securing Over-the-Air Updates Against Nation State Actors. Justin Cappos New York University Uptane Securing Over-the-Air Updates Against Nation State Actors Justin Cappos New York University What do these companies have in common? What do these companies have in common? Users attacked via software