
Commit cdabdd1

Update threat model to include rollback attack (#285)
* Update threat model to add rollback attack

Signed-off-by: Pritesh Bandi <priteshbandi@gmail.com>
1 parent a3d1158 commit cdabdd1

1 file changed

+1
-0
lines changed

Diff for: threatmodels/notation-threatmodel.md

@@ -87,3 +87,4 @@ The certificates trusted by the verifier are stored in Notation trust store in t
8787
| Malicious signature faking to be signed by a signing authority | Tampering | Mitigated | High | Notation | Unlike notary.x509 signing scheme, trusted timestamps are not checked against RFC#3161 TSA servers for notary.x509.signingAuthority signing scheme. An attacker can use this and bypass trusted timestamp checks by crafting a signature that uses notary.x509 keys but with signingAuthority as the signing scheme. | To prevent this threat, notary.x509.signingAuthority signing scheme requires trusted roots to be present in a trust store type called signingAuthority as opposed to CA trust store type for notary.x509 signing scheme |
8888
| Inaccessible OCSP Responder | Denial of Service | Not Mitigated | High | OCSP Responder | OCSP Responder is not able to service incoming requests or perform up to spec, thus users are unable to validate certificate revocation status | It cannot be mitigated, since revocation status should be retrieved from OCSP responder, which requires network access. Notation verification should fail if revocation check is configured as `enforced` and OCSP responder is inaccessible. Users can configure trust policy to log or skip revocation check if OCSP responder is not reliable. |
8989
| Compromised Notation dependencies | Tampering | Mitigated | High | Notation | The dependencies that built into Notation binary was compromised, this may lead to arbitrary code being executed | Notation keeps dependencies up-to-date and adds new dependency after careful consideration and only if it's absolutely required. Always use static build instead of dynamic linking |
90+
| Rollback Attack | Tampering | Mitigated | High | Notation | Attacker can exploit a compromised repository to return outdated vulnerable artifacts | Signer can employ short signature expiration periods (and periodically re-sign artifacts) or revoke outdated vulnerable artifacts |
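
Review bot: The added Rollback Attack row is marked "Mitigated", but its mitigation column only lists actions a signer "can employ" (short signature expiration with periodic re-signing, or revocation), so the status holds only when signers opt in; state that condition in the row or pick a status that reflects it. The phrase "revoke outdated vulnerable artifacts" is also unclear: the only revocation described in the surrounding rows is certificate revocation checked through an OCSP responder, so say what is actually revoked, and note that this path depends on the revocation check not being configured to log or skip. The row also does not say what the verifier does with an expired signature, which is the step that actually rejects the outdated artifact. Finally, the component column lists Notation while the description places the compromise in the repository; confirm which component the row is meant to name.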
