Uptane V.2.0.0: Open source standard for securing automotive computing units releases new version

On March 18, the Uptane project, an open community effort to secure and protect software delivered over-the-air to automobiles, announced the release of Uptane V.2.0.0 Standard for Design and Implementation. This new edition of the Uptane Standard and the companion reference document Deployment Best Practices reflect the project’s evolution towards greater adaptability to the needs of legacy systems and the emerging threats of sophisticated and persistent attackers.

In the new Standards volume, the Uptane project mandates a few key added actions — such as improving the process for verifying the authenticity of an image before downloading — while allowing more flexibility in implementations than in previous releases. An example of this latter change was the decision to remove references to the original Uptane-specific time server, instead letting implementers make their own decisions about secure sources of reliable time.

The changes in Uptane V.2.0.0 fall into three categories: design changes, to improve security; language changes, to continue an ongoing commitment to clarity and simplicity; and policy/administrative changes, to bring the Uptane project in line with best practices in Standards development. The administrative changes, which are also intended to help the Uptane project preserve architectural integrity, include the adoption of a formal policy for approving major and minor releases. This new edition of Uptane also reflects the adoption of a style guide to ensure consistency in spelling, capitalization, and the use of punctuation.

As is customary in major releases, there are a few clarifications in Uptane V.2.0.0 worth noting. None of these clarifications significantly change the code base of existing Uptane implementations, so they should not cause compatibility issues. In addition to removing the requirement for use of the Uptane-specific time server and adding a requirement for an enhanced verification process, these Uptane V.2.0.0 changes also include:

• recommending that filenames of images be encoded to prevent a path traversal on the client system.
• requiring monitoring the download speed of image metadata and image binaries to detect and defend against a slow retrieval attack.
• requiring that a vehicle identifier be used when Targets metadata from the Director repository includes no images, to prevent replay attacks.

In terms of language changes, the Uptane Standard now rigorously restricts the use of conformance imperatives — words such as SHALL or MUST that have specific meaning when used in standards — to the cases where they are actually required for interoperation or limiting behavior with the potential for causing harm. Uptane V.2.0.0 also clarifies the functional properties of cryptographic keys, so that signing keys (which must be unique) are not confused with encryption keys (which can be shared-use keys). Uptane V.2.0.0 also clarifies that all primary ECUs always perform full verification on downloaded software update packages.

Uptane Standard for Design and Implementation is available for download in HTML and PDF formats through the Uptane website. The companion volume, Uptane Deployment Best Practices will be available for download from the website in the next few weeks.

Uptane was developed by a team of engineers that included Dr. Justin Cappos, associate professor of computer science and engineering at NYU Tandon School of Engineering and director of its Secure Systems Lab. Dr. Cappos remains an active contributor to the project, serving as a member of the project’s steering committee. The lab also continues to contribute to the project’s development through the work of Ph.D. candidate Marina Moore, and alumni like Dr. Trishank Karthik Kuppusamy, now engineering manager at Datadog. Uptane is a Joint Development Foundation project of the Linux Foundation.