Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Code Signing - downgrade prevention #118

Open
aiwaniuk opened this issue Aug 4, 2022 · 0 comments
Open

Security: Code Signing - downgrade prevention #118

aiwaniuk opened this issue Aug 4, 2022 · 0 comments

Comments

@aiwaniuk
Copy link

aiwaniuk commented Aug 4, 2022

I think it may be worth to extend Code Signing section (https://github.com/open-telemetry/opamp-spec/blob/main/specification.md#code-signing) and add downgrade protection recommendation.

Let's consider following scenario:

  1. Agent is running with version X of package A
  2. Vulnerability is found in package A (that for example allows code execution or bypass signature verification)
  3. Fix is released to package A in version X+1
  4. Agents are upgraded to use version X+1 in package A
  5. One year latter Server is compromised
  6. Attacker have old files version X of package A with signature and use this data to downgrade agents to vulnerable version
  7. Attacker have code execution on Agents

It will be nice to prevent from such scenario.

Possible solution:

  1. Signature should be generated for pair (SIGNATURE_COUNTER, downloadable executable)
  2. Agent should only accept downloadable executable with SIGNATURE_COUNTER >= CURRENT_SIGNATURE_COUNTER
  3. Agent after accepting downloadable executable sets CURRENT_SIGNATURE_COUNTER=SIGNATURE_COUNTER

Now such scenario is not possible, since attacker is not able to downgrade agents to version X

Server operator after any change (or security patches) to packages sets SIGNATURE_COUNTER=SIGNATURE_COUNTER+1 and recalculates signature for all packages.
Legitimate downgrades (with access to Certificate Authority private key) are still possible - just sign the old binary with new version.

I know that the actual code-signing and verification mechanism is Agent specific and this could be possibly implemented as part of it, but I think it may be worth to add this here since this problem scenario is rather related to problem of code signing for downloadable executables than generic code signing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant