A Usable Formal Methods Sample Problem from TEEP


This draft follows the invitation of [I-D.farrell-ufmrg-sample] to propose another sample problem for demonstration, training, and evaluation of formal methods in IETF work. It draws on recent work from the Software Updates for the Internet of Things [suit] and Trusted Execution Environment Provisioning [teep] working groups to define a sample modeling problem for a novel rather than a familiar IETF protocol.

Table of Contents

1. Introduction

In this draft we take the Trusted Execution Environment Provisioning protocol [I-D.ietf-teep-protocol] to be a good domain from which to draw a sample modeling problem for slightly different reasons than those proposed in [I-D.farrell-ufmrg-sample].

  1. TEEP is a proposed standard under active development, at working-group consensus as of this writing. Formal modeling, even for demonstration or training purposes, can therefore increase familiarity with the TEEP protocol, including outside of the SUIT and TEEP working groups directly involed in its development.

  2. The TEEP protocol is expressly concerned with security, so it has security properties amenable to formal description, modeling, and analysis. Any findings may have valuble security implications.

  3. The TEEP protocol has well-defined use cases and includes provisions for constrained environments. Modeling the entire protocol is a reasonble learning or training exercise, whereas [I-D.farrell-ufmrg-sample] limits itself to just the SEARCH command of [RFC9051].

  4. The TEEP protocol follows a typical protocol design in the IETF where various already standardized technologies are re-used. In this case, protocols from the Software Updates for Internet of Things (SUIT) architecture [RFC9019] and from the Remote attestation procedures (RATS) architecture [RFC9334] are incorporated into the design.

  5. The architecture of the TEEP protocol is also representative for IETF protocol development since more than two parties are involved in the communication even in a single deployment setup. Whether the formal model also has to consider all parties or a simplified design is subject for discussion.

  6. The TEEP protocol also provides a number of options to offer flexibility in different deployments. This is also a characteristic found in many IETF protocols. Dealing with the formal analysis of all options is a challenge.

3. The Trusted Execution Environment Provisioning (TEEP) Protocol

The Trusted Execution Environment Provisioning protocol [I-D.ietf-teep-protocol] specifies communication between a Trusted Application Manager [RFC9397] (Section 2) and a TEEP agent. Importantly, this communication is relayed by an untrusted TEEP Broker [RFC9397] (Section 6.1). Two security sensitive payloads are communicated via the TEEP protocol, namely:

A Trusted Application is an application (or, in some implementations, an application component) that runs in a TEE.

A Trusted Component is a set of code and/or data in a TEE managed as a unit by a Trusted Application Manager. Trusted Applications and Personalization Data are thus managed by being included in Trusted Components.

TCs are provided by developers, or authors, and integrity and (optionally) confidentiality protected with the help of SUIT manifests. The TEEP protocol specification uses the term 'Trusted Component Signer' to refer to authors. Neither the TAM nor the TEEP Broker should be able to modify TCs. TEEP Agents only install TCs from sources they trust.

Attestation Evidence on the other hand is typically communicated from the TEEP Agent to the TAM although there is the option to offer attestation capabilities in both directions. In the description below we only focus on attestation of the Device containing the TEEP Agent to the TAM rather than the other direction.

The description below illustrates the basic communication interaction with details of the TEEP protocol abstracted away.

# TAM -> Verifier: NonceRequest

# TAM <- Verifier: NonceResponse


# TAM -> TEEP Agent: QueryRequest
{token, challenge, supported-teep-cipher-suites,
supported-suit-cose-profiles, data-item-requested(trusted-components,


 - The 'token' is a random number that is used to match the QueryRequest
   against the QueryRespose.
 - 'supported-teep-cipher-suites' and 'supported-suit-cose-profiles' offer cipher suite negotation.
 - 'data-item-requested(X)' indicates the functionality the TAM requests the TEEP Agent to perform.
 - {_}SK_TAM indicates the a digital signature operation over the payload of the message using a
private (or secret) key that is only known to the TAM.

# TEEP Agent -> Attester: EvidenceRequest

# TEEP Agent <- Attester: EvidenceResponse
{Challenge, Claims}SK_Attester


 - '{Challenge, Claims}SK_Attester' represents the Evidence, which is signed by the Attester using its private key SK_Attester.
In addition to the inclusion of the 'Challenge', the random number provided by the Verifier, it also includes further (unspecified)
claims. While those claims are important for the overall system, they are not in scope of this analysis.

# TAM <- TEEP Agent: QueryResponse
{token, selected-teep-cipher-suite, attestation-payload-format(EAT),
attestation-payload({Challenge, Claims}SK_Attester), tc-list}SK_AGENT


The TEEP Agent signes the QueryResponse message with its private key, SK_AGENT.

# Author -> TAM: SoftwareUpdate
{manifest, sequence_nr, TC}SK_AUTHOR


The author, i.e. Trusted Component Signer, uses his private key, SK_AUTHOR, to sign the bundle.

# TAM -> TEEP Agent: Update
{token2, {manifest, sequence_nr, software}SK_AUTHOR}SK_TAM


The TAM transmits an update to the TEEP Agent containing the previously obtained payloaded provided by the author. This payload is additionally signed with the TAM's private key, SK_TAM.

# TAM <- TEEP Agent: Success

The TEEP Agent returns this message when the software installation was successful. The message is signed with the private key of the TEEP Agent, SK_AGENT.

3.1. Security Properties

In addition to integrity and authentication properties, an important aspect is replay protection.

At the [suit-interim] meeting, the following editorial addition was proposed [thaler] in TEEP's security consideration (Section 10 of [I-D.ietf-teep-protocol]):

  • The TEEP protocol supports replay protection as follows. The transport protocol under the TEEP protocol might provide replay protection, but may be terminated in the TEEP Broker which is not trusted by the TEEP Agent and so the TEEP protocol does replay protection itself. If attestation of the TAM is used, the attestation freshness mechanism provides replay protection for attested QueryRequest messages. If non-attested QueryRequest messages are replayed, the TEEP Agent will generate QueryResponse or Error messages, but the REE can already conduct Denial of Service attacks against the TEE and/or the TAM even without the TEEP protocol. QueryResponse messages have replay protection via attestation freshness mechanism, or the token field in the message if attestation is not used. Update messages have replay protection via the suit-manifest-sequence-number (see Section 8.4.2 of [I-D.ietf-suit-manifest]). Error and Success messages have replay protection via SUIT Reports and/or the token field in the message, where a TAM can detect which message it is in response to.

Any formal model of TEEP should be able to prove this replay protection.

While confidentiality protection is possible for both attestation evidence as well as Trusted Components, it is not mandatory-to-implement functionality.

