![Page 1: Against Nation State Actors Securing Over-the-Air Updates · Uptane Securing Over-the-Air Updates Against Nation State Actors Justin Cappos New York University](https://reader030.vdocuments.mx/reader030/viewer/2022041214/5e03377cd9e2ea2f20424d7c/html5/thumbnails/1.jpg)
Uptane: Securing Over-the-Air Updates Against Nation State Actors
Justin Cappos, New York University
What do these companies have in common?
What do these companies have in common?
Users attacked via software updater!
Software repository compromise impact
• A SourceForge mirror distributed malware.
• Attackers impersonated Microsoft Windows Update to spread the Flame malware.
• Attacks on software updaters have massive impact
  • E.g. South Korea faced 765 million dollars in damages.
  • NotPetya spread via software updates!
The modern automobile
[Diagram: ECUs in a modern car, including Engine Control Unit, Transmission (TCU), Brake Line / ABS, Airbag Control Unit, Body Controller (Locks/Lights/Etc), Radio, Telematics (Internet/PSTN), HVAC, Keyless Entry, Anti-Theft and Exhaust.]
Cars Are Dangerous
◼ Researchers have made some scary attacks against vehicles
▪ remotely controlling a car's brakes and steering while it's driving
▪ spontaneously applying the parking brake at speed
▪ turning off the transmission
▪ locking the driver in the car
Cars are multi-ton, fast-moving weapons. People will die.
Updates Are Inevitable
◼ Millions of lines of code means bugs
◼ Regulations change -> firmware must change
◼ Maps change
◼ Add new features
◼ Close security holes
◼ Cars move across borders…
Updates Must Be Practical
◼ Updating software/firmware has often meant recalls.
◼ Recalls are extremely expensive
▪ GM spent $4.1 billion on recalls in 2014
▪ GM's net income for 2014 was < $4 billion
▪ People do not like recalls.
◼ Updates must be over the air.
Updates Are Dangerous
◼ Update -> Control
Secure Updates
◼ Nation-state actors pull off complex attacks
▪ Must not have a single point of failure
What to do?
Must update to fix security issues
Insecure update mechanism is a new security problem
“...No one Can Hack My Mind”: Comparing Expert and Non-Expert Security Practices. Ion et al., SOUPS 2015
Attacks
What are some of the attacks?
Arbitrary software attack
[Diagram: the vehicle (ECU-1 at v10) asks the repository "Is there an update?"; the repository holds ECU-1 v12, but the vehicle is answered "Here is an update..." and handed "ECU-1 v.Evil" instead.]
Freeze attack
[Diagram: the vehicle (ECU-1 at v10) asks the repository "Is there an update?"; although the repository holds ECU-1 v12, the answer is "Same old, same old!" and ECU-1 stays at v10.]
Rollback attack
[Diagram: the vehicle (ECU-1 at v10) asks the repository "Is there an update?"; the repository holds ECU-1 v12, but the vehicle is handed the older ECU-1 v1 as "an update".]
Slow retrieval attack
[Diagram: the vehicle (ECU-1 at v10) asks the repository "Is there an update?"; the repository holds ECU-1 v12, but the reply only trickles in: "Y … e … a … h … …".]
Mix and Match attacks
[Diagram: the vehicle has ECU-1 v10 and ECU-2 v10; the repository's Bundle-2 consists of ECU-1 v12 and ECU-2 v12, but the vehicle is handed ECU-2 v12 together with ECU-1 v11, a combination that was never released as a bundle.]
Partial Bundle attack
[Diagram: the vehicle has ECU-1 v10 and ECU-2 v10; the repository's Bundle-2 consists of ECU-1 v12 and ECU-2 v12, but only part of the bundle is delivered ("No, ty" for the rest), so the ECUs end up on versions that were only meant to be installed together.]
Partial Freeze attack
[Diagram: the vehicle has ECU-1 v10 and ECU-2 v10; the repository's Bundle-2 consists of ECU-1 v12 and ECU-2 v12; one ECU's update is delivered while the other ECU is frozen at its old version.]
So how do people try to prevent these attacks?
Update Basics
[Diagram: the Client asks the Repository "xyz.tgz, pls"; the Repository returns xyz.tgz.]
Inadequate Update Security 1: TLS/SSL
[Diagram: the same client/repository exchange, now with a Certificate Authority asserting "Key XYZ speaks for domain repo.net".]
Traditional solution 1: Authenticate the repository (TLS, SSL, etc.)
Inadequate Update Security 2: TLS/SSL
Transport Layer Security: Problem 1
Client has to trust all of these Certificate Authorities (any one of them can assert "Key XYZ speaks for domain repo.net").
Inadequate Update Security 3: TLS/SSL
Transport Layer Security: Problem 2
Client has to trust this key (XYZ)
… which HAS to exist ON the repository, to sign communications continuously.
Inadequate Update Security 4: Just Sign!
Traditional Solution 2: Sign your update package with a specific key. Updater ships with corresponding public key.
Client has to trust this key (XYZ)
… used for every update to the repository.
… key ends up on repo or build farm.
If an attacker gains the use of this key, they can install arbitrary code on any client.
Update Security
We need:
● To survive server compromise with the minimum possible damage.
○ Avoid arbitrary package attacks
● Minimize damage of a single key being exposed
● Be able to revoke keys, maintaining trust
● Guarantee freshness to avoid freeze attacks
● Prevent mix and match attacks
● Prevent rollback attacks
● Prevent slow retrieval attacks
● ...
Must not have single point of failure!
The Update Framework (TUF)
TUF goal: “Compromise Resilience”
● TUF secures software update files
● TUF emerges from a serious threat model:
○ We do NOT assume that your servers are perfectly secure
○ Servers will be compromised
○ Keys will be stolen or used by attackers
○ TUF tries to minimize the impact of every compromise
Linux Foundation CNCF project
CII Best Practices Silver Badge
The Update Framework (TUF): Responsibility Separation
[Diagram: responsibilities are split among separate roles: root of trust, timeliness, and content consistency.]
The Update Framework (TUF): TUF Roles Overview
● Root (root of trust)
● Timestamp (timeliness)
● Snapshot (consistency)
● Targets (integrity)
The Update Framework (TUF)
[Diagram: the Client asks the Repository "xyz.tgz, pls" and receives xyz.tgz; the Repository now also serves role metadata (root, targets, timestamp, snapshot) that the client verifies before trusting the file.]
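As an added example (not TUF's or Uptane's own code), the following Python walks a client through the four roles just listed: a threshold of root-listed keys on each metadata file, versions that never go backwards, expiry checked against the client's notion of the current time, the timestamp pinning exactly one snapshot and the snapshot pinning exactly one targets version, and finally the signed hash and length of the image itself. The key ids, secrets, role layout, version numbers and image bytes are constructed for this example; HMAC-SHA256 with one secret per key id stands in for the asymmetric signatures TUF actually uses, so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed key material for this example only. TUF uses asymmetric
# signatures (e.g. Ed25519); HMAC-SHA256 with one secret per key id stands
# in here so the verification logic runs offline on the standard library.
KEYS = {"root-a": b"k-root-a", "root-b": b"k-root-b", "ts-1": b"k-ts-1",
        "snap-1": b"k-snap-1", "tgt-1": b"k-tgt-1", "tgt-2": b"k-tgt-2"}

class UpdateRejected(Exception):
    """Metadata or image failed a check: an attack, or a broken repository."""

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def sign(signed, keyids):
    """Repository side: wrap a 'signed' body with one signature per key id."""
    msg = canonical(signed)
    return {"signed": signed, "signatures": {
        k: hmac.new(KEYS[k], msg, hashlib.sha256).hexdigest() for k in keyids}}

def valid_signatures(envelope, keyids):
    """Count signatures that verify under the keys the role is allowed to use."""
    msg = canonical(envelope["signed"])
    return sum(1 for k in keyids if k in envelope["signatures"] and hmac.compare_digest(
        envelope["signatures"][k], hmac.new(KEYS[k], msg, hashlib.sha256).hexdigest()))

def check_role(envelope, role_def, role, now, last_version):
    """Checks every role shares: type, key threshold, version never decreases, not expired."""
    s = envelope["signed"]
    if s["_type"] != role:
        raise UpdateRejected(f"{role}: wrong metadata type")
    if valid_signatures(envelope, role_def["keyids"]) < role_def["threshold"]:
        raise UpdateRejected(f"{role}: signature threshold not met (arbitrary software attack)")
    if s["version"] < last_version:
        raise UpdateRejected(f"{role}: version {s['version']} < {last_version} (rollback attack)")
    if now >= s["expires"]:
        raise UpdateRejected(f"{role}: metadata expired (freeze attack)")
    return s

def verify_update(root, timestamp, snapshot, targets, name, image, now, last_versions):
    """Client side: root -> timestamp -> snapshot -> targets -> image.

    last_versions: role versions this client trusted before (persisted between
    runs). Returns the versions to persist if everything checks out.
    """
    roles = root["signed"]["roles"]
    # Simplification: root is checked against its own key list. Real TUF also
    # requires a new root to be signed by the previously trusted root keys.
    r = check_role(root, roles["root"], "root", now, last_versions.get("root", 0))
    ts = check_role(timestamp, roles["timestamp"], "timestamp", now, last_versions.get("timestamp", 0))
    sn = check_role(snapshot, roles["snapshot"], "snapshot", now, last_versions.get("snapshot", 0))
    # timestamp pins one snapshot and snapshot pins one targets version, so two
    # individually valid files from different points in time cannot be mixed.
    if sn["version"] != ts["snapshot"]["version"] or sha256(canonical(sn)) != ts["snapshot"]["sha256"]:
        raise UpdateRejected("snapshot does not match timestamp (mix-and-match attack)")
    tg = check_role(targets, roles["targets"], "targets", now, last_versions.get("targets", 0))
    if tg["version"] != sn["targets"]["version"]:
        raise UpdateRejected("targets does not match snapshot (mix-and-match attack)")
    info = tg["targets"].get(name)
    if info is None:
        raise UpdateRejected(f"{name}: not listed in targets")
    # The signed length lets a client stop reading once the promised size is
    # reached instead of draining an endless or trickling (slow retrieval) stream.
    if len(image) != info["length"] or sha256(image) != info["sha256"]:
        raise UpdateRejected(f"{name}: image does not match signed hash/length")
    return {"root": r["version"], "timestamp": ts["version"],
            "snapshot": sn["version"], "targets": tg["version"]}

def outcome(*args, **kwargs):
    """'accepted', or the reason verify_update rejected the update."""
    try:
        verify_update(*args, **kwargs)
        return "accepted"
    except UpdateRejected as e:
        return str(e)

def build_repo(image, version=2, targets_keyids=("tgt-1",)):
    """Constructed repository state: one image 'ecu1.img' at the given metadata version."""
    root = sign({"_type": "root", "version": 1, "expires": 100000, "roles": {
        "root": {"keyids": ["root-a", "root-b"], "threshold": 2},
        "timestamp": {"keyids": ["ts-1"], "threshold": 1},
        "snapshot": {"keyids": ["snap-1"], "threshold": 1},
        "targets": {"keyids": ["tgt-1", "tgt-2"], "threshold": 1}}}, ["root-a", "root-b"])
    targets = sign({"_type": "targets", "version": version, "expires": 50000, "targets": {
        "ecu1.img": {"length": len(image), "sha256": sha256(image)}}}, list(targets_keyids))
    snapshot = sign({"_type": "snapshot", "version": version, "expires": 20000,
                     "targets": {"version": version}}, ["snap-1"])
    timestamp = sign({"_type": "timestamp", "version": version, "expires": 5000, "snapshot": {
        "version": version, "sha256": sha256(canonical(snapshot["signed"]))}}, ["ts-1"])
    return root, timestamp, snapshot, targets
```

The `outcome` helper turns each rejection into its reason, so handing the client an old targets file together with a current snapshot reports a mix-and-match attack, a clock past the timestamp's expiry reports a freeze attack, a previously trusted higher version reports a rollback, and a targets file signed by a key outside the role's key list fails the threshold even though the signature itself is well formed.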
The modern automobile
[Diagram: the same picture of a car's ECUs (Engine Control Unit, Transmission (TCU), Brake Line / ABS, Airbag Control Unit, Body Controller, Radio, Telematics (Internet/PSTN), HVAC, Keyless Entry, Anti-Theft, Exhaust).]
Automobiles present particular difficulties.
Uptane builds on The Update Framework (TUF)
● Timeserver
● Multiple Repositories: Director and Image Repository
● Manifests
● Primary and Secondary clients
● Full and Partial verification
Uptane: Client-side Basics
[Diagram: one Primary client, connected to the Cell Network, talks on behalf of many Secondaries inside the vehicle.]
Uptane: High level view
[Diagram: the Image Repository (Section 5) and the Director Repository (Section 6, comprising the Director and its Inventory Database) serve metadata & images to the vehicle's Primary ECU (Vehicle, Section 8); the Time Server (Section 7) returns signed tokens & time; the Primary forwards these to Full Verification (FV) Secondaries and Partial Verification (PV) Secondaries, and sends vehicle manifests back to the Director.]
Time server
Time server
● A primary sends a list of tokens, one for each ECU, to the time server.
● An automated process on the time server returns a signed message containing: (1) the list of tokens, and (2) the current time.
[Diagram: the vehicle's Primary (1) sends the list of tokens to the timeserver's automated process and (2) receives the signed current time & list of tokens.]
Image repository
The image repository
[Diagram: the root role signs the keys for the timestamp, snapshot and targets roles; timestamp and snapshot sign metadata; the OEM-managed targets role delegates images to supplier-managed roles (A, B, C, D, ...), with further delegations such as CA and CB; each delegated role signs for its own images (A*.img, B*.img, C*.img, CA*.img, CB*.img), e.g. A1.img, B3.img, CA5.img, CB2.img.]
● When possible, OEM delegates updates for ECUs to suppliers.
● Delegations are flexible, and accommodate a variety of arrangements.
Director repository
Director repository
● Records vehicle version manifests.
● Determines which ECUs install which images.
● Produces different metadata for different vehicles.
● May encrypt images per ECU.
● Has access to an inventory database.
[Diagram: the vehicle's Primary (1) sends its vehicle version manifest to the director's automated process, which (2) reads & writes the inventory database and (3) writes timestamp, snapshot and targets metadata (and any encrypted image) to the repository; the Primary (4) receives a link to the timestamp metadata and (5) downloads.]
Big picture
[Diagram: the Uptane high level view again: Image Repository (Section 5), Director Repository (Section 6) with Director and Inventory Database, Time Server (Section 7), and the Vehicle (Section 8) with its Primary ECU, FV Secondaries and PV Secondaries, exchanging signed tokens & time, metadata & images, and vehicle manifests.]
Uptane workflow on vehicle
Downloading updates (1)
● Primary receives an ECU Version Manifest and a nonce from each Secondary.
● Primary produces the Vehicle Version Manifest, a signed record of what is installed on Secondaries.
● Primary sends VVM to Director.
● Primary sends nonces to Timeserver.
Downloading updates (2)
● Timeserver returns the signed [time and nonces] to the Primary.
Downloading updates (3)
● The primary downloads metadata from both the Director and Image repositories on behalf of all ECUs.
● The primary performs full verification of metadata on behalf of all secondaries.
Full verification
1. Load the latest downloaded time from the time server.
2. Verify metadata from the director repository.
   a. Check the root metadata file.
   b. Check the timestamp metadata file.
   c. Check the snapshot metadata file.
   d. Check the targets metadata file.
3. Download and verify metadata from the image repository.
   a. Check the root metadata file.
   b. Check the timestamp metadata file.
   c. Check the snapshot metadata file, especially for rollback attacks.
   d. Check the targets metadata file.
   e. For every image A in the director targets metadata file, perform a preorder depth-first search for the same image B in the targets metadata from the image repository, and check that A = B.
4. Return an error code indicating a security attack, if any.
Partial verification
1. Load the latest downloaded time from the time server.
2. Load the latest top-level targets metadata file from the director repository.
   a. Check for an arbitrary software attack. This metadata file must have been signed by a threshold of keys specified in the previous root metadata file.
   b. Check for a rollback attack.
   c. Check for a freeze attack. The latest downloaded time should be < the expiration timestamp in this metadata file.
   d. Check that there are no delegations.
   e. Check that every ECU identifier has been represented at most once.
3. Return an error code indicating a security attack, if any.
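The preorder depth-first search of full-verification step 3e and the structural checks 2c-2e of partial verification, as an added example in Python that is not the reference implementation's code. It operates on the signed bodies only: the signature-threshold, version and expiry-by-role checks that every TUF metadata file gets are assumed to have been done already. The nested `delegations` layout (delegated roles inlined rather than stored as separate metadata files), the `ecu` field on director entries, the role names A, C and CA and the image bytes are all constructed for this example.

```python
import fnmatch
import hashlib

class VerificationError(Exception):
    """A check failed; the ECU reports this in its version manifest."""

def target_info(data, ecu=None):
    """Hash and length of a constructed image, shaped like a targets entry."""
    info = {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    if ecu is not None:
        info["ecu"] = ecu          # director metadata also says which ECU installs it
    return info

def find_in_image_repo(targets, name):
    """Preorder depth-first search: this role's own targets first, then each
    delegation whose path patterns cover the name, recursing in listed order."""
    if name in targets.get("targets", {}):
        return targets["targets"][name]
    for delegation in targets.get("delegations", []):
        if any(fnmatch.fnmatch(name, pattern) for pattern in delegation["paths"]):
            found = find_in_image_repo(delegation["targets"], name)
            if found is not None:
                return found
    return None

def match_director_against_image_repo(director_targets, image_targets):
    """Full verification step 3e: for every image A the director assigns, find the
    same image B in the image repository and require A == B (hash and length).
    Returns {ecu: trusted image info} for the images that passed."""
    approved = {}
    for name, a in director_targets["targets"].items():
        b = find_in_image_repo(image_targets, name)
        if b is None:
            raise VerificationError(f"{name}: assigned by the director but never published by the image repository")
        if (a["length"], a["sha256"]) != (b["length"], b["sha256"]):
            raise VerificationError(f"{name}: director and image repository disagree on hash/length")
        approved[a["ecu"]] = {"name": name, "length": a["length"], "sha256": a["sha256"]}
    return approved

def partial_verification_checks(director_targets, downloaded_time):
    """Partial verification steps 2c-2e on the director's top-level targets file."""
    if downloaded_time >= director_targets["expires"]:
        raise VerificationError("director targets expired (freeze attack)")
    if director_targets.get("delegations"):
        raise VerificationError("director targets contains delegations")
    seen = set()
    for name, info in director_targets["targets"].items():
        if info["ecu"] in seen:
            raise VerificationError(f"ECU {info['ecu']} is listed more than once")
        seen.add(info["ecu"])
    return True

def verification_result(check, *args):
    """Run a check and return 'ok' or the error text a manifest would carry."""
    try:
        check(*args)
        return "ok"
    except VerificationError as e:
        return str(e)

# Constructed image repository: the OEM top-level role delegates to suppliers A
# and C, and C delegates CA*.img one level further.
IMAGES = {"A1.img": b"supplier A image 1", "C2.img": b"supplier C image 2",
          "CA5.img": b"sub-supplier CA image 5"}
IMAGE_REPO_TARGETS = {
    "targets": {},
    "delegations": [
        {"name": "A", "paths": ["A*.img"],
         "targets": {"targets": {"A1.img": target_info(IMAGES["A1.img"])}}},
        {"name": "C", "paths": ["C*.img"], "targets": {
            "targets": {"C2.img": target_info(IMAGES["C2.img"])},
            "delegations": [{"name": "CA", "paths": ["CA*.img"],
                             "targets": {"targets": {"CA5.img": target_info(IMAGES["CA5.img"])}}}]}},
    ],
}
# Constructed director metadata for one vehicle: flat, one entry per ECU.
DIRECTOR_TARGETS = {"expires": 5000, "targets": {
    "A1.img": target_info(IMAGES["A1.img"], ecu="ecu-A"),
    "CA5.img": target_info(IMAGES["CA5.img"], ecu="ecu-CA")}}
```

Looking up CA5.img walks the top-level role (no hit), skips delegation A because its path pattern does not cover the name, descends into C (no hit in its own targets) and only then into CA, which is exactly the preorder the slide describes. A director entry whose hash differs from what the image repository published, or a name the image repository never published at all, is refused, so a compromised director alone cannot push an image that the supplier's key never signed.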
Uptane status / wrap up
Uptane “Reference” Implementation
● Goal: Assist other implementers
○ Code readability is a primary goal
● Not the most popular implementation in practice (by design)
○ Readability > performance / implementation size
■ Most TUF deployments do not use the reference implementation
○ Useful as a reference, conformance testing, etc.
● Open source, free to use (MIT License)
○ Other groups are free to contribute!
Security Reviews
Reviews of implementations and design:
○ Cure53 audited ATS's Uptane implementation
○ NCC Group audited Uptane's reference implementation (pre-TUF fork)
○ SWRI finalizing Uptane reference implementation / specification audit
○ ...
Uptane Integration
Work closely with vendors, OEMs, etc.
● Security reps from 78% of cars
● Many top suppliers / vendors
○ ~12-35% of cars on US roads
● Automotive Grade Linux
● OEM integrations
○ Easy to integrate!
Press
○ Dozens of articles
○ TV / Radio / Newspapers / Magazines
Get Involved With Uptane!
● Workshops
● Technology demonstration
● Compliance tests
● Standardization (IEEE / ISTO)
● Join our community! (email: [email protected] or go to the Uptane forum)
https://uptane.github.io/
For more details, please see the Implementation Specification and other documentation at uptane.github.io
Cars are heavily computerized
◼ Today's car is a big distributed system
▪ Complex computerized control
▪ Millions of lines of code
▪ ~100 distinct computers (ECUs: Electronic Control Units)
▪ Average car last year had about 80
▪ Some luxury or hybrid cars last year had around 150
▪ Shared internal networks (CAN, FlexRay, Ethernet, …)
▪ Increasing external comm. features
▪ Telematics, Bluetooth, TPMS, RDS, XM radio, GPS, keyless start/entry, USB ports, WiFi, etc.
◼ Tomorrow's car -> much more of everything
▪ traffic control, autonomous driving, … jetpacks?
In summary, cars are quickly becoming networks of embedded systems with multiple tons of attached mechanical parts that move around a bunch. I'm not a car person, so from my perspective, that is what a car is: four wheels and a whole lot of cheap computers with closed-source firmware, networked in a way that would make you cry.
Uptane: Software Update Security for Cars
Software updates
Inevitable
Dangerous
I hope you'll forgive me for having several slides to make what will in retrospect probably be four very obvious points. But here we go.
((CLICK)) Software updates are necessary.
((CLICK)) Software updates are dangerous.
Cars Are Dangerous
◼ Cars are also multi-ton fast-moving weapons.
◼ Attacks by a nation-state actor could wreak havoc
Downloading updates (4)
● Encrypted images, if any, are downloaded from the director repository.
● Unencrypted images are downloaded from the image repository.
Downloading updates (5-7)
Primary distributes to Secondaries:
● Timeserver's time attestations
● Director and Image Repo metadata
● Update data for each Secondary
Downloading updates (5)
● The primary sends the timeserver's signed time to all of its secondaries.
Downloading updates (6)
● The primary sends the latest downloaded metadata to all of its secondaries.
Downloading updates (7)
● Additional Storage (A/B firmware Storage)
Before Secondary installs an update (1)
1. Verify the latest downloaded time.
   a. Timeserver signature must be valid.
   b. List of nonces must include the nonce this Secondary sent in the last version report.
   c. The current time must be greater than the previous downloaded time.
   d. If all checks pass, then save the new time and generate a new token.
   e. Otherwise, reuse the previous token.
2. Verify metadata using full / partial verification.
   a. (Discussed in more detail under Full verification and Partial verification.)
   b. Result is a trustworthy hash and file length for the image. That allows us to validate the image.
3. If a secondary does not have additional storage, download the image from the primary.
   a. May use the primary to back up the previous working image, so it can restore it in case this update fails.
Before Secondary installs an update (2)
4. Verify that the latest image matches the latest metadata.
   a. Check that the image matches the hash and length for it, obtained from the validated metadata.
   b. If all checks pass, overwrite the previous with the latest metadata. If there is additional storage, overwrite the previous with the latest image.
   c. Otherwise, if some check failed, and there is no additional storage, then restore the previous image from the backup on the primary.
5. Send the next version report to the primary.
   a. Include the next token for the time server.
   b. Include the ECU version manifest, which contains: (1) the ECU identifier, (2) the previous and current times, (3) any security attack detected during an update, and (4) metadata about what is currently installed.
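The time-server exchange described earlier (a list of tokens in, signed time plus tokens out) and steps 1 through 5 above, simulated end to end as an added example in Python; it is not Uptane's reference implementation. The Primary collects one token per Secondary, obtains the signed time, fans it out, and each Secondary checks the signature, the presence of its own token and that the time moved forward before it installs the image it was assigned and emits its ECU version manifest. One Secondary has A/B slots, the other backs its single slot up on the Primary. The timeserver key, ECU names, image bytes and target entries are constructed, and HMAC-SHA256 stands in for the time server's real asymmetric signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the time server's signing key. A real time server
# signs with an asymmetric key whose public half every ECU carries; HMAC-SHA256
# keeps the example runnable on the standard library alone.
TIMESERVER_KEY = b"timeserver-signing-key"

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def timeserver_respond(tokens, now):
    """Automated process on the time server: sign (1) the token list and (2) the current time."""
    body = {"tokens": sorted(tokens), "time": now}
    return {"signed": body, "sig": hmac.new(TIMESERVER_KEY, canonical(body), hashlib.sha256).hexdigest()}

class Secondary:
    """A Secondary ECU, with A/B firmware slots or with one slot backed up on the Primary."""

    def __init__(self, ecu_id, image, installed, ab_storage=True):
        self.ecu_id, self.installed, self.ab_storage = ecu_id, installed, ab_storage
        self.slots, self.active = ([image, None] if ab_storage else [image]), 0
        self.prev_time = self.time = 0
        self.token = secrets.token_hex(8)   # nonce for the next time-server round
        self.attack = None

    def verify_time(self, attestation):
        """Step 1: valid signature, my token present, time strictly newer; else keep the old token."""
        body = attestation["signed"]
        expected = hmac.new(TIMESERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(attestation["sig"], expected):
            return "time: bad timeserver signature"
        if self.token not in body["tokens"]:
            return "time: my token is missing (replayed attestation)"
        if body["time"] <= self.time:
            return "time: not later than previous time (replayed attestation)"
        self.prev_time, self.time = self.time, body["time"]
        self.token = secrets.token_hex(8)   # a fresh token only after acceptance
        return None

    def install(self, image, target, primary_backup):
        """Steps 3-4: check the image against the hash/length from validated metadata, then commit.

        target: {'name', 'length', 'sha256'} as produced by full/partial verification.
        primary_backup: dict held by the Primary with previous images of single-slot Secondaries."""
        self.attack = None
        if not self.ab_storage:
            primary_backup[self.ecu_id] = self.slots[0]   # so the old image can be restored
            self.slots[0] = image
        if len(image) == target["length"] and sha256(image) == target["sha256"]:
            if self.ab_storage:
                self.active = 1 - self.active
                self.slots[self.active] = image
            self.installed = target["name"]
            return True
        self.attack = "image does not match validated hash/length"
        if not self.ab_storage:
            self.slots[0] = primary_backup[self.ecu_id]   # restore; with A/B the old slot is untouched
        return False

    def version_report(self):
        """Step 5: next token plus the ECU version manifest the Primary forwards to the Director."""
        return {"token": self.token, "ecu_version_manifest": {
            "ecu": self.ecu_id, "previous_time": self.prev_time, "current_time": self.time,
            "attack": self.attack, "installed": self.installed}}

def primary_cycle(secondaries, now, assignments):
    """One update round from the Primary's side: collect tokens, fetch signed time,
    fan out time and images, gather version reports.
    assignments: {ecu_id: (image_bytes, target)} taken from already-verified metadata."""
    attestation = timeserver_respond([s.token for s in secondaries], now)   # over the air in reality
    backup, reports = {}, {}
    for s in secondaries:
        s.attack = s.verify_time(attestation)       # None when the time was accepted
        if s.attack is None and s.ecu_id in assignments:
            image, target = assignments[s.ecu_id]   # no trustworthy time: nothing gets installed
            s.install(image, target, backup)
        reports[s.ecu_id] = s.version_report()
    return reports
```

The token is regenerated only after an attestation is accepted, so a failed check leaves the Secondary waiting for a response that carries the same token; replaying an earlier signed time therefore fails either on the token list or on the time comparison, and altering the time after signing fails on the signature. The manifest each Secondary returns carries the previous and current times and any attack it detected, which is what the Director records from the vehicle version manifest.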
Demo!
youtube.com/watch?v=Iz1l7IK_y2c
(or google "Uptane Demonstration youtube")