Internet Engineering Task Force (IETF)              Phillip Hallam-Baker
Internet-Draft                                         Comodo Group Inc.
Intended Status: Standards Track                        October 16, 2014
Expires: April 19, 2015


                 Software and Configuration Management
                    draft-hallambaker-securecode-00

Abstract

   Use cases and requirements for secure distribution and management of
   code are considered. In particular constraints imposed by embedded
   devices that do not provide affordances for user interaction are
   considered.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.











Hallam-Baker                 April 19, 2015                     [Page 1]

Internet-Draft  SXS Confirmation Protocol (SXS-Confirm)     October 2014

Table of Contents

   1.  Motivation . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  4
      2.1.  Software  . . . . . . . . . . . . . . . . . . . . . . . .  4
      2.2.  Configuration . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Principles . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . .  5
      4.1.  Device Requirements . . . . . . . . . . . . . . . . . . .  5
      4.2.  Administration Requirements . . . . . . . . . . . . . . .  5
      4.3.  Interface Requirements  . . . . . . . . . . . . . . . . .  5
   5.  Technical Requirements . . . . . . . . . . . . . . . . . . . .  5
   6.  Acnowledgementsts  . . . . . . . . . . . . . . . . . . . . . .  5
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . .  6








































Hallam-Baker                 April 19, 2015                     [Page 2]

Internet-Draft  SXS Confirmation Protocol (SXS-Confirm)     October 2014

1. Motivation

   All computing devices operate under control of software. As the
   applications of computing systems diversify, the management of the
   software code determining their function becomes an increasingly
   difficult challenge.

   The recognition of this problem in the dektop computing environment
   and the introduction of automatic update mechanisms has played a
   major role in reducing vulnerabilities on these platforms. But no
   similar platforms have emerged to support the proliferation of
   embedded devices currently occuring.

   While there is a clear need for a software management infrastructure
   that meets these emerging needs, it is essential that any new
   security infrastructure meet all the security risks of users and
   device owners, including the very real possibility that the device
   vendors themselves might pose the threat. The only difference between
   a voice activated, network conected toaster oven and a covert
   surveillance device (aka bug) is the software it runs.

   The possibility that a device might change its function through an
   unsolicited software is just as important a security concern as the
   possibility that code might contain zero day vulnerabilities.

   Existing systems, including those deployed to update open source
   platforms have been developed to serve the proprietary interest of
   the software provider to update their code. The disregard for the
   concerns of the user/owner is made clear by a user interaction where
   the only choice is to update now or to be reminded in an hour's time.

   Rather unusually, devices sold to the consumer market tend to be
   considerably worse than those sold to enterprises. Enterprises
   understand that automatic software updates present security risks as
   well as benefits. A software update mechanism that is outside their
   direct control may invalidate previous Quality Assurance processes
   causing a system to fail.

   Since automatic update mechanisms rarely receive attention in product
   reviews, the needs of consumers have been treated with conspicuous
   contempt. In the majority of cases, no attempt is made to minimize
   the inconvenience to the user. The device determines that an update
   is required and refuses to perform its intended function until the
   user approves installation of the update, the update is downloaded
   and installed.

   Approaches such as this are at best discourteous but can pose a
   serious safety risk if they interfere with the functioning of
   critical systems. While the manufacturer of a defibrilating device is
   likely to understand that it must work immediately every time it is
   used, most systems become critical because people rely on them to



Hallam-Baker                 April 19, 2015                     [Page 3]

Internet-Draft  SXS Confirmation Protocol (SXS-Confirm)     October 2014

   function rather than this being an intrinsic aspect of their purpose.

2. Definitions

2.1. Software

   The term 'software' is used to describe any content that might affect
   the operation of a device that is not provided by its administrator
   and/or user(s).

   Rationale: What is important from the security point of view is that
   the content might affect the operation of the machine rather than the
   classification of the content as 'code' or 'data'. A data driven code
   system need not be Turing complete for it present a user-access or
   root-access level vulnerability.

   Note that for the purposes of software management, there is no useful
   distinction between 'software' and 'firmware'. Either may affect the
   operation of the machine.

2.2. Configuration

   The term 'configuration' is used to describe any content that might
   affect the operation of a device that is provided by its
   administrator and/or user(s).

   Rationale: Anything that is not software that might affect the
   operation of the device is a security concern and thus should be
   considered in the device management infrastructure.

3. Principles

      *  The integrity of the system software and configuration should
         always be assured.

      *  The operation of a system should be controlled by the owner. No
         modifications should be made to the operation of a device
         without express permission from the owner or their delegate.

      *  If the owner's ability to modify either software or
         configuration is limited in any fashion, these constrains
         should be clearly declared.

      *  The software and configuration of a system should always be
         known with certainty.

      *  Changes to software and/or configuration should be auditable
         and reversible.






Hallam-Baker                 April 19, 2015                     [Page 4]

Internet-Draft  SXS Confirmation Protocol (SXS-Confirm)     October 2014

   Note that the requirement for express permission does not entail
   specific user interaction on the part of the owner. Since most owners
   have neither the means nor the inclination to decide whether an
   update should be performed, the ability to delegate decision making
   powers to the software provider or a third party is highly desirable
   provided that such delegation is revokable and the exercise of the
   delegated powers can be audited.

4. Requirements

   Consumer software update systems are generally implemented as a
   feature of the system under management while enterprise software
   management systems typically observe a separation between the
   administration system and the systems under management.

4.1. Device Requirements

      *  Report the software packages installed on a system.

      *  Transfer a software package to a system.

      *  Install a software package on a system.

      *  Delete a software package from a system.

      *  Change the software package version to be executed on a system
         at next restart.

      *  Change the software package version to be executed now.

      *  Schedule a restart.

4.2. Administration Requirements

      *  Determine what vulnerabilities have been reported for a
         software package.

      *  Verify the provenance of a software package.

4.3. Interface Requirements

      *  Bind a device to an administration source.

5. Technical Requirements

6. Acnowledgementsts

   This document was written in response to discussion on the IETF list
   begun by Jim Gettys.





Hallam-Baker                 April 19, 2015                     [Page 5]

Internet-Draft  SXS Confirmation Protocol (SXS-Confirm)     October 2014

Author's Address

   Phillip Hallam-Baker
   Comodo Group Inc.

   philliph@comodo.com
















































Hallam-Baker                 April 19, 2015                     [Page 6]