def test_slow_retrieval_attack(using_tuf=False, mode=None): WAIT_TIME = 60 # Number of seconds to wait until download completes. ERROR_MSG = 'Slow retrieval attack succeeded (using_tuf: '+str(using_tuf)+', mode: '+\ str(mode)+').' # Launch the server. port = random.randint(30000, 45000) command = ['python', 'slow_retrieval_server.py', str(port), mode] server_process = subprocess.Popen(command, stderr=subprocess.PIPE) time.sleep(1) try: # Setup. root_repo, url, server_proc, keyids = \ util_test_tools.init_repo(using_tuf, port=port) reg_repo = os.path.join(root_repo, 'reg_repo') downloads = os.path.join(root_repo, 'downloads') # Add file to 'repo' directory: {root_repo} filepath = util_test_tools.add_file_to_repository(reg_repo, 'A'*30) file_basename = os.path.basename(filepath) url_to_file = url+'reg_repo/'+file_basename downloaded_file = os.path.join(downloads, file_basename) if using_tuf: tuf_repo = os.path.join(root_repo, 'tuf_repo') # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_file = 'http://localhost:9999/'+file_basename # Client tries to download. # NOTE: if TUF is enabled the metadata files will be downloaded first. proc = Process(target=_download, args=(url_to_file, downloaded_file, using_tuf)) proc.start() proc.join(WAIT_TIME) # In case the process did not exit or successfully exited, we failed. if not proc.exitcode: proc.terminate() raise SlowRetrievalAttackAlert(ERROR_MSG) finally: server_process.kill() util_test_tools.cleanup(root_repo, server_proc)
def test_methods(self): """ Making sure following methods work as intended: - add_file_to_repository(data) - modify_file_at_repository(filepath, data) - delete_file_at_repository(filepath) - read_file_content(filepath) - tuf_refresh_repo() - tuf_refresh_and_download() Note: here file at the 'filepath' and the 'target' file at tuf-targets directory are identical files. Ex: filepath = '{root_repo}/reg_repo/file.txt' target = '{root_repo}/tuf_repo/targets/file.txt' """ reg_repo = os.path.join(self.root_repo, 'reg_repo') tuf_repo = os.path.join(self.root_repo, 'tuf_repo') downloads = os.path.join(self.root_repo, 'downloads') # Test 'add_file_to_repository(directory, data)' and # read_file_content(filepath) methods. filepath = util_test_tools.add_file_to_repository(reg_repo, 'Test') self.assertTrue(os.path.isfile(filepath)) self.assertEquals(os.path.dirname(filepath), reg_repo) filepath_content = util_test_tools.read_file_content(filepath) self.assertEquals('Test', filepath_content) # Test 'modify_file_at_repository(filepath, data)' method. filepath = util_test_tools.modify_file_at_repository( filepath, 'Modify') self.assertTrue(os.path.exists(filepath)) filepath_content = util_test_tools.read_file_content(filepath) self.assertEquals('Modify', filepath_content) # Test 'tuf_refresh_repo' method. util_test_tools.tuf_refresh_repo(self.root_repo, self.keyids) file_basename = os.path.basename(filepath) target = os.path.join(tuf_repo, 'targets', file_basename) self.assertTrue(os.path.isfile(target)) # Test 'delete_file_at_repository(filepath)' method. util_test_tools.delete_file_at_repository(filepath) self.assertFalse(os.path.exists(filepath)) # Test 'tuf_refresh_repo' method once more. util_test_tools.tuf_refresh_repo(self.root_repo, self.keyids) file_basename = os.path.basename(filepath) target = os.path.join(tuf_repo, 'targets', file_basename) self.assertFalse(os.path.isfile(target))
def test_endless_data_attack(using_tuf=False, TIMESTAMP=False): """ <Purpose> Illustrate endless data attack vulnerability. <Arguments> using_tuf: If set to 'False' all directories that start with 'tuf_' are ignored, indicating that tuf is not implemented. """ ERROR_MSG = 'Endless Data Attack was Successful!\n' try: # Setup. root_repo, url, server_proc, keyids = util_test_tools.init_repo( using_tuf) reg_repo = os.path.join(root_repo, 'reg_repo') tuf_repo = os.path.join(root_repo, 'tuf_repo') downloads = os.path.join(root_repo, 'downloads') tuf_targets = os.path.join(tuf_repo, 'targets') # Original data. INTENDED_DATA = 'Test A' # Add a file to 'repo' directory: {root_repo} filepath = util_test_tools.add_file_to_repository( reg_repo, INTENDED_DATA) file_basename = os.path.basename(filepath) url_to_repo = url + 'reg_repo/' + file_basename downloaded_file = os.path.join(downloads, file_basename) # We do not deliver truly endless data, but we will extend the original # file by many bytes. noisy_data = 'X' * 100000 if using_tuf: # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_repo = 'http://localhost:9999/' + file_basename # Attacker modifies the file at the targets repository. target = os.path.join(tuf_targets, file_basename) original_data = util_test_tools.read_file_content(target) larger_original_data = original_data + noisy_data util_test_tools.modify_file_at_repository(target, larger_original_data) # Attacker modifies the timestamp.txt metadata. if TIMESTAMP: metadata = os.path.join(tuf_repo, 'metadata') timestamp = os.path.join(metadata, 'timestamp.txt') original_data = util_test_tools.read_file_content(timestamp) larger_original_data = original_data + noisy_data util_test_tools.modify_file_at_repository( timestamp, larger_original_data) # Attacker modifies the file at the regular repository. original_data = util_test_tools.read_file_content(filepath) larger_original_data = original_data + noisy_data util_test_tools.modify_file_at_repository(filepath, larger_original_data) # End Setup. # Client downloads (tries to download) the file. try: _download(url_to_repo, downloaded_file, using_tuf) except Exception, exception: # Because we are extending the true timestamp TUF metadata with invalid # JSON, we except to catch an error about invalid metadata JSON. if using_tuf and TIMESTAMP: endless_data_attack = False for mirror_url, mirror_error in exception.mirror_errors.iteritems( ): if isinstance(mirror_error, tuf.InvalidMetadataJSONError): endless_data_attack = True break # In case we did not detect what was likely an endless data attack, we # reraise the exception to indicate that endless data attack detection # failed. if not endless_data_attack: raise else: raise # When we test downloading "endless" timestamp with TUF, we want to skip # the following test because downloading the timestamp should have failed. if not (using_tuf and TIMESTAMP): # Check whether the attack succeeded by inspecting the content of the # update. The update should contain 'Test A'. Technically it suffices # to check whether the file was downloaded or not. downloaded_content = util_test_tools.read_file_content( downloaded_file) if downloaded_content != INTENDED_DATA: raise EndlessDataAttack(ERROR_MSG)
def test_arbitrary_package_attack(using_tuf=False): """ <Purpose> Illustrate arbitrary package attack vulnerability. <Arguments> using_tuf: If set to 'False' all directories that start with 'tuf_' are ignored, indicating that tuf is not implemented. """ ERROR_MSG = 'Arbitrary Package Attack was Successful!' try: # Setup. root_repo, url, server_proc, keyids = util_test_tools.init_repo(using_tuf) reg_repo = os.path.join(root_repo, 'reg_repo') tuf_repo = os.path.join(root_repo, 'tuf_repo') downloads = os.path.join(root_repo, 'downloads') targets_dir = os.path.join(tuf_repo, 'targets') # Add a file to 'repo' directory: {root_repo} filepath = util_test_tools.add_file_to_repository(reg_repo, 'Test A') file_basename = os.path.basename(filepath) url_to_repo = url+'reg_repo/'+file_basename downloaded_file = os.path.join(downloads, file_basename) if using_tuf: # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_repo = 'http://localhost:9999/'+file_basename # Attacker modifies the file at the targets repository. target = os.path.join(targets_dir, file_basename) util_test_tools.modify_file_at_repository(target, 'Evil A') # Attacker modifies the file at the regular repository. util_test_tools.modify_file_at_repository(filepath, 'Evil A') # End of Setup. try: # Client downloads (tries to download) the file. _download(url_to_repo, downloaded_file, using_tuf) except tuf.NoWorkingMirrorError, error: # We only set up one mirror, so if it fails, we expect a # NoWorkingMirrorError. If TUF has worked as intended, the mirror error # contained within should be a BadHashError. mirror_error = error.mirror_errors[url+'tuf_repo/targets/'+file_basename] assert isinstance(mirror_error, tuf.BadHashError) else:
def test_indefinite_freeze_attack(using_tuf=False): """ <Arguments> using_tuf: If set to 'False' all directories that start with 'tuf_' are ignored, indicating that tuf is not implemented. The idea here is to expire timestamp metadata so that the attacker """ ERROR_MSG = '\tIndefinite Freeze Attack was Successful!\n\n' try: # Setup. root_repo, url, server_proc, keyids = util_test_tools.init_repo( using_tuf) reg_repo = os.path.join(root_repo, 'reg_repo') tuf_repo = os.path.join(root_repo, 'tuf_repo') metadata_dir = os.path.join(tuf_repo, 'metadata') downloads = os.path.join(root_repo, 'downloads') # Add file to 'repo' directory: {root_repo} filepath = util_test_tools.add_file_to_repository(reg_repo, 'Test A') file_basename = os.path.basename(filepath) url_to_repo = url + 'reg_repo/' + file_basename downloaded_file = os.path.join(downloads, file_basename) if using_tuf: print('TUF ...') # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_repo = 'http://localhost:9999/' + file_basename # Make timestamp metadata with close expiration date (2s). _remake_timestamp(metadata_dir, keyids) # Client performs initial download. If the computer is slow, it may # take longer time than expiration time. In this case you will see # an ExpiredMetadataError. try: _download(url_to_repo, downloaded_file, using_tuf) except: print('Initial download failed! It may be because your machine is '+ \ 'busy. Try again later.') else: # Expire timestamp. time.sleep(EXPIRATION) # Try downloading again, this should raise an error. try: _download(url_to_repo, downloaded_file, using_tuf) except tuf.ExpiredMetadataError, error: print('Caught an expiration error!') else:
def test_replay_attack(using_tuf=False): """ <Arguments> using_tuf: If set to 'False' all directories that start with 'tuf_' are ignored, indicating that tuf is not implemented. <Purpose> Illustrate replay attack vulnerability. """ ERROR_MSG = '\tReplay Attack was Successful!\n\n' FIRST_CONTENT = 'Test A' SECOND_CONTENT = 'Test B' try: # Setup. root_repo, url, server_proc, keyids = \ util_test_tools.init_repo(using_tuf=using_tuf) reg_repo = os.path.join(root_repo, 'reg_repo') tuf_repo = os.path.join(root_repo, 'tuf_repo') tuf_repo_copy = os.path.join(root_repo, 'tuf_repo_copy') downloads = os.path.join(root_repo, 'downloads') tuf_targets = os.path.join(tuf_repo, 'targets') # Add file to 'repo' directory: {root_repo} filepath = util_test_tools.add_file_to_repository( reg_repo, FIRST_CONTENT) file_basename = os.path.basename(filepath) url_to_repo = url + 'reg_repo/' + file_basename downloaded_file = os.path.join(downloads, file_basename) # Attacker saves the original file into 'evil_dir'. evil_dir = tempfile.mkdtemp(dir=root_repo) original_file = os.path.join(evil_dir, file_basename) shutil.copy(filepath, evil_dir) if using_tuf: # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Copy the first version of the repository for replay later. shutil.copytree(tuf_repo, tuf_repo_copy) # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_repo = 'http://localhost:9999/' + file_basename # End of Setup. # Client performs initial update. _download(url=url_to_repo, filename=downloaded_file, using_tuf=using_tuf) # Downloads are stored in the same directory '{root_repo}/downloads/' # for regular and tuf clients. downloaded_content = util_test_tools.read_file_content(downloaded_file) if FIRST_CONTENT != downloaded_content: raise TestSetupError( '[Initial Update] Failed to download the file.') # Developer patches the file and updates the repository. util_test_tools.modify_file_at_repository(filepath, SECOND_CONTENT) # Updating tuf repository. This will copy files from regular repository # into tuf repository and refresh the metadata if using_tuf: util_test_tools.tuf_refresh_repo(root_repo, keyids) # Client downloads the patched file. _download(url=url_to_repo, filename=downloaded_file, using_tuf=using_tuf) # Content of the downloaded file. downloaded_content = util_test_tools.read_file_content(downloaded_file) if SECOND_CONTENT != downloaded_content: raise TestSetupError('[Update] Failed to update the file.') # Attacker tries to be clever, he manages to modifies regular and tuf # targets directory by replacing a patched file with an old one. if using_tuf: # Delete the current TUF repository... shutil.rmtree(tuf_repo) # ...and replace it with a previous copy. shutil.move(tuf_repo_copy, tuf_repo) else: # Delete the current file... util_test_tools.delete_file_at_repository(filepath) # ...and replace it with a previous copy. shutil.copy(original_file, reg_repo) try: # Client downloads the file once more. _download(url=url_to_repo, filename=downloaded_file, using_tuf=using_tuf) except tuf.NoWorkingMirrorError, exception: replayed_metadata_attack = False for mirror_url, mirror_error in exception.mirror_errors.iteritems( ): if isinstance(mirror_error, tuf.ReplayedMetadataError): replayed_metadata_attack = True break # In case we did not detect what was likely a replayed metadata attack, # we reraise the exception to indicate that replayed metadata attack # detection failed. if not replayed_metadata_attack: raise else:
def test_mix_and_match_attack(using_tuf=False): """ Attack design: There are 3 stages: Stage 1: Consists of a usual mode of operations using tuf. Client downloads a target file. (Initial download) Stage 2: The target file is legitimately modified and metadata correctly updated. Client downloads the target file again. (Patched target download) Stage 3: The target file is legitimately modified and metadata correctly updated again. However, before client gets to download the newly patched target file the attacker replaces the release metadata, targets metadata and the target file with the ones from stage 1 (mix-and-match attack). Note that timestamp metadata is untouched. Further note that same would happen if only target metadata, and target file are reverted. """ ERROR_MSG = '\tMix-And-Match Attack was Successful!\n\n' try: # Setup / Stage 1 # --------------- root_repo, url, server_proc, keyids = util_test_tools.init_repo(using_tuf) reg_repo = os.path.join(root_repo, 'reg_repo') downloads = os.path.join(root_repo, 'downloads') evil_dir = tempfile.mkdtemp(dir=root_repo) # Add file to 'repo' directory: {root_repo} filepath = util_test_tools.add_file_to_repository(reg_repo, 'A'*10) file_basename = os.path.basename(filepath) url_to_file = url+'reg_repo/'+file_basename downloaded_file = os.path.join(downloads, file_basename) # Attacker saves the initial file. shutil.copy(filepath, evil_dir) unpatched_file = os.path.join(evil_dir, file_basename) if using_tuf: print('TUF ...') tuf_repo = os.path.join(root_repo, 'tuf_repo') tuf_targets = os.path.join(tuf_repo, 'targets') metadata_dir = os.path.join(tuf_repo, 'metadata') release_meta_file = os.path.join(metadata_dir, 'release.txt') targets_meta_file = os.path.join(metadata_dir, 'targets.txt') target = os.path.join(tuf_targets, file_basename) # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Attacker saves the original metadata and the target file. #shutil.copy(target, evil_dir) shutil.copy(release_meta_file, evil_dir) shutil.copy(targets_meta_file, evil_dir) #target_old = os.path.join(evil_dir, file_basename) release_meta_file_old = os.path.join(evil_dir, 'release.txt') targets_meta_file_old = os.path.join(evil_dir, 'targets.txt') # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_file = 'http://localhost:9999/'+file_basename # Wait for some time to let program set up local http server time.sleep(1) # Client's initial download. _download(url_to_file, downloaded_file, using_tuf) # Stage 2 # ------- # Developer patches the file and updates the repository. util_test_tools.modify_file_at_repository(filepath, 'B'*11) # Updating tuf repository. This will copy files from regular repository # into tuf repository and refresh the metadata if using_tuf: util_test_tools.tuf_refresh_repo(root_repo, keyids) # Client downloads the patched file. _download(url_to_file, downloaded_file, using_tuf) downloaded_content = util_test_tools.read_file_content(downloaded_file) # Stage 3 # ------- # Developer patches the file and updates the repository again. util_test_tools.modify_file_at_repository(filepath, 'C'*10) # Updating tuf repository. This will copy files from regular repository # into tuf repository and refresh the metadata if using_tuf: util_test_tools.tuf_refresh_repo(root_repo, keyids) # Attacker replaces the metadata and the target file. shutil.copyfile(unpatched_file, target) shutil.copyfile(release_meta_file_old, release_meta_file) shutil.copyfile(targets_meta_file_old, targets_meta_file) # Attacker replaces the patched file with the unpatched one. shutil.copyfile(unpatched_file, filepath) # Client tries to downloads the newly patched file. try: _download(url_to_file, downloaded_file, using_tuf) except tuf.NoWorkingMirrorError as errors: for mirror_url, mirror_error in errors.mirror_errors.iteritems(): if type(mirror_error) == tuf.BadHashError: print('Caught a Bad Hash Error!') # Check whether the attack succeeded by inspecting the content of the # update. The update should contain 'Test NOT A'. downloaded_content = util_test_tools.read_file_content(downloaded_file) if ('B'*11) != downloaded_content: raise MixAndMatchAttackAlert(ERROR_MSG) finally: util_test_tools.cleanup(root_repo, server_proc)
def test_extraneous_dependency_attack(using_tuf=False): """ <Purpose> Illustrate extraneous dependency attack vulnerability. <Arguments> using_tuf: If set to 'False' all directories that start with 'tuf_' are ignored, indicating that tuf is not implemented. """ ERROR_MSG = 'Extraneous Dependency Attack was Successful!' try: # Setup. root_repo, url, server_proc, keyids = util_test_tools.init_repo(using_tuf) reg_repo = os.path.join(root_repo, 'reg_repo') tuf_repo = os.path.join(root_repo, 'tuf_repo') downloads = os.path.join(root_repo, 'downloads') targets_dir = os.path.join(tuf_repo, 'targets') # Add files to 'repo' directory: {root_repo}. good_dependency_filepath = util_test_tools.add_file_to_repository(reg_repo, 'the file you need') good_dependency_basename = os.path.basename(good_dependency_filepath) bad_dependency_filepath = util_test_tools.add_file_to_repository(reg_repo, 'the file you don\'t need') bad_dependency_basename = os.path.basename(bad_dependency_filepath) # The dependent file lists the good dependency. dependent_filepath = util_test_tools.add_file_to_repository(reg_repo, 'requires:'+good_dependency_basename) dependent_basename = os.path.basename(dependent_filepath) url_to_repo = url+'reg_repo/'+dependent_basename # List the bad dependency first. If an attacker modifies a target by # simply appending the file contents, tuf.download will ignore the appended # data, downloading only as much data as the TUF metadata says the target # should contain. modified_dependency_list = bad_dependency_basename+','+\ good_dependency_basename if using_tuf: # Update TUF metadata before attacker modifies anything. util_test_tools.tuf_refresh_repo(root_repo, keyids) # Modify the url. Remember that the interposition will intercept # urls that have 'localhost:9999' hostname, which was specified in # the json interposition configuration file. Look for 'hostname' # in 'util_test_tools.py'. Further, the 'file_basename' is the target # path relative to 'targets_dir'. url_to_repo = 'http://localhost:9999/'+dependent_basename # Attacker modifies the depenent file in the targets repository, adding # the bad dependency to its list. dependent_target_filepath = os.path.join(targets_dir, dependent_basename) util_test_tools.modify_file_at_repository(dependent_target_filepath, 'requires:'+modified_dependency_list) # Attacker modifies the depenent file in the regular repository, adding # the bad dependency to its list. util_test_tools.modify_file_at_repository(dependent_filepath, 'requires:'+modified_dependency_list) # End of Setup. try: # Client downloads (tries to download) the file. _download(url_to_repo, dependent_basename, downloads, using_tuf) except tuf.NoWorkingMirrorError, error: # We only set up one mirror, so if it fails, we expect a # NoWorkingMirrorError. If TUF has worked as intended, the mirror error # contained within should be a BadHashError. mirror_error = \ error.mirror_errors[url+'tuf_repo/targets/'+dependent_basename] assert isinstance(mirror_error, tuf.BadHashError) else: