When applying the TUF framework to vehicle software updates, we encountered an issue: once a certain number of Root keys are lost, we assume that attackers have installed malicious software and taken control of the affected vehicles. In such a scenario, to reinstall the correct software, the only option is to recall the vehicles. This cost is unacceptable for the automotive industry.
To illustrate, let's consider a singular root key for the problem description. Starting from 1.root.json:
1.root.json -> 2.root.json -> 3.root.json -> 4.root.json
Suppose at step 4, the root key is lost. A hacker uploads a malicious software package, "bad_software," and generates 4.root.json. The vehicles update to 4.root.json, downloading and installing the malicious package, "bad_software." In this situation, the only recourse to reinstall the correct software package, "good_software," is to recall the vehicles.
Even if we were to update the root key, upload the correct software package "good_software," and regenerate 4.root.json and other metadata files, the vehicles still couldn't complete the update. This is because the vehicles hold the 4.root.json signed by the hacker and won't automatically download the latest, correct 4.root.json, preventing the software package replacement. Even if we generate a new version, 5.root.json, it won't pass verification because it's not signed by the 4.root.json saved in the vehicles, rendering the software package replacement impossible. Consequently, our only recourse is to recall the vehicles and manually replace (rewrite) the software. However, for a vehicle enterprise with millions of vehicles, this cost is unacceptable.
We've come up with an efficient solution and want to know if the TUF experts would approve.
Our approach involves restarting the trust chain from 1.root.json and wiping all root metadata files on the vehicles. This way, the vehicles reconstruct a trusted chain relationship, ensuring the safe and proper installation of software.
Thanks,
Jianming
--
To view this discussion on the web visit https://groups.google.com/d/msgid/theupdateframework/50ba17ad-1376-48c7-9a46-70a8cff9eb19n%40googlegroups.com.
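The root-rotation rule that produces the dead end Jianming describes, modelled as an added Python example that is not TUF's reference code: the client accepts N+1.root.json only if it is signed by a threshold of the keys listed in the root it already trusts and of its own keys, and the version is exactly one higher. Signatures are a toy HMAC stand-in and the key names are constructed; only the acceptance logic is the point.

```python
import hashlib
import hmac
import json

# Toy signature scheme (constructed): an HMAC keyed by the "private" key. The
# verifier is handed the same secret, so only the trust-chain logic is realistic.
def keyid(secret: bytes) -> str:
    return hashlib.sha256(secret).hexdigest()[:8]

def sign(secret: bytes, payload: dict) -> str:
    return hmac.new(secret, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()

def make_root(version, keys, threshold, signers):
    """Build N.root.json: the root keys it trusts plus the signatures it carries."""
    payload = {"version": version, "keyids": sorted(keyid(k) for k in keys),
               "threshold": threshold}
    return {"signed": payload, "signatures": {keyid(s): sign(s, payload) for s in signers}}

def valid_sigs(root, keyids, pub):
    """Number of signatures on `root` that verify under the given key ids."""
    payload = root["signed"]
    return sum(1 for k in keyids if k in root["signatures"]
               and hmac.compare_digest(root["signatures"][k], sign(pub[k], payload)))

def accept_new_root(trusted, candidate, pub):
    """Client rule: version must be trusted+1, and the candidate needs a threshold
    of signatures from the trusted root's keys AND from its own listed keys."""
    old, new = trusted["signed"], candidate["signed"]
    return (new["version"] == old["version"] + 1
            and valid_sigs(candidate, old["keyids"], pub) >= old["threshold"]
            and valid_sigs(candidate, new["keyids"], pub) >= new["threshold"])

def scenario():
    k_vendor, k_evil, k_new = b"vendor-root", b"attacker-root", b"vendor-root-2"  # constructed
    pub = {keyid(k): k for k in (k_vendor, k_evil, k_new)}
    trusted = make_root(1, [k_vendor], 1, [k_vendor])
    for v in (2, 3):                                  # healthy chain 1 -> 2 -> 3
        nxt = make_root(v, [k_vendor], 1, [k_vendor])
        assert accept_new_root(trusted, nxt, pub)
        trusted = nxt
    # Step 4: the vendor key has leaked. A 4.root.json signed with it that rotates
    # root to the attacker's key satisfies the rule, so the vehicle accepts it.
    evil4 = make_root(4, [k_evil], 1, [k_vendor, k_evil])
    took_evil4 = accept_new_root(trusted, evil4, pub)
    trusted = evil4
    # Vendor recovery attempts, evaluated by a vehicle that already trusts evil4:
    good4 = make_root(4, [k_new], 1, [k_vendor, k_new])  # re-issued 4: same version, never taken
    good5 = make_root(5, [k_new], 1, [k_vendor, k_new])  # 5: lacks a signature by evil4's key
    return took_evil4, accept_new_root(trusted, good4, pub), accept_new_root(trusted, good5, pub)
```

`scenario()` returns `(True, False, False)`: the attacker's 4.root.json is accepted, while both the corrected 4.root.json and a 5.root.json signed only by vendor keys are rejected by the rotation rule, which is exactly why the vehicle cannot recover over the air.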