%3CLINGO-SUB%20id%3D%22lingo-sub-1449703%22%20slang%3D%22en-US%22%3EHow%20Azure%20Sphere%20prevents%20rollback%20attacks%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1449703%22%20slang%3D%22en-US%22%3E%3CP%3EA%20rollback%20attack%20is%20a%20common%20type%20of%20security%20attack%20in%20which%20an%20attacker%20tricks%20the%20target%20into%20running%20an%20older%2C%20less%20secure%20version%20of%20its%20software.%20Once%20the%20insecure%20software%20is%20running%2C%20the%20attacker%20can%20take%20advantage%20of%20its%20vulnerabilities.%20With%20thousands%20of%20field-deployed%20devices%2C%20Azure%20Sphere%20represents%20a%20likely%20target%20for%20such%20an%20attack.%20Azure%20Sphere%20uses%20two%20main%20strategies%20to%20prevent%20such%20attacks%3A%20one-time%20programmable%20(OTP)%20fuses%20and%20attestation.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOne-time%20programmable%20fuses%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOTP%20fuses%20can%20serve%20as%20circuit%20breakers%20that%20are%20built%20into%20the%20hardware.%20On%20Azure%20Sphere%2C%20the%20Pluton%20security%20subsystem%20contains%20several%20such%20fuses%2C%20which%20use%20the%20e-fuse%20technology.%20To%20stop%20trusting%20(and%20running)%20all%20previous%20versions%20of%20the%20OS%2C%20Azure%20Sphere%20%E2%80%9Cblows%E2%80%9D%20an%20e-fuse%20upon%20update%20to%20a%20particular%20release.%20During%20OS%20installation%2C%20the%20bootloader%20compares%20the%20number%20of%20blown%20e-fuses%20on%20the%20device%20to%20the%20number%20expected%20for%20the%20OS%20being%20installed.%20If%20more%20e-fuses%20are%20blown%20than%20the%20software%20expects%2C%20the%20software%20must%20be%20too%20old%2C%20so%20installation%20fails%2C%20and%20the%20last%20known%20good%20version%20of%20the%20OS%20is%20run%20instead.%20The%20number%20of%20e-fuses%20available%20in%20Pluton%20is%20limited.%20Therefore%2C%20we%20blow%20them%20only%20when%20necessary.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAttestation%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EAttestation%3C%2FEM%3E%20requires%20that%20every%20Azure%20Sphere%20device%20prove%20every%2024%20hours%20that%20it%20is%20running%20valid%2C%20trusted%20software%20and%20is%20an%20authentic%20Azure%20Sphere%20device.%20When%20a%20device%20connects%20to%20the%20Azure%20Sphere%20Security%20Service%2C%20it%20provides%20an%20attestation%20value%20that%20combines%20a%20hash%20value%20from%20each%20loaded%20binary%20and%20additional%20data%20from%20the%20device%20with%20a%20nonce%20from%20the%20Security%20Service.%20The%20attestation%20value%20is%20signed%20using%20a%20device-specific%20private%20ECC%20attestation%20key%20that%20was%20generated%20when%20the%20chip%20was%20manufactured.%20The%20key%20is%20stored%20in%20Pluton%2C%20is%20used%20exclusively%20for%20attestation%2C%20and%20is%20inaccessible%20to%20any%20software.%20The%20Security%20Service%20has%20the%20corresponding%20public%20key%2C%20so%20it%20can%20verify%20that%20the%20device%20is%20authentic.%20The%20Security%20Service%20uses%20the%20binary%20hashes%20and%20additional%20data%20to%20verify%20that%20the%20software%20is%20trusted.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20attestation%20succeeds%20and%20the%20software%20is%20trusted%2C%20the%20device%20receives%20the%20certificates%20required%20to%20connect%20to%20the%20Azure%20Sphere%20update%20service%20and%20to%20authenticate%20as%20a%20client%20to%20other%20services.%20If%20the%20attestation%20value%20is%20invalid%20or%20has%20an%20incorrect%20signature%2C%20the%20device%20fails%20attestation%20outright%20and%20does%20not%20receive%20any%20certificates.%20It%20can%20neither%20connect%20to%20the%20update%20service%20nor%20authenticate%20to%20another%20web%20service.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20some%20cases%2C%20however%2C%20the%20Security%20Service%20may%20determine%20that%20the%20binaries%20are%20valid%20but%20are%20not%20trusted.%20This%20check%20guards%20against%20rollback%20attacks%20because%20it%20prevents%20an%20attacker%20from%20loading%20an%20older%20OS%20that%20posts%20a%20security%20risk.%20For%20example%2C%20if%20a%20binary%20contains%20a%20zero-day%20exploit%2C%20Microsoft%20might%20decide%20not%20to%20trust%20it%20as%20part%20of%20the%20attestation%20process.%20In%20this%20situation%2C%20the%20device%20is%20not%20granted%20a%20client%20certificate%2C%20so%20it%20cannot%20connect%20to%20web%20services.%20Instead%2C%20it%20receives%20only%20an%20update%20certificate%20so%20that%20it%20can%20update%20to%20a%20trusted%20version%20of%20the%20software.%20Once%20the%20update%20is%20complete%2C%20the%20device%20restarts%20the%20attestation%20process.%20If%20the%20binaries%20are%20now%20both%20valid%20and%20trusted%2C%20the%20device%20receives%20both%20the%20update%20and%20client%20certificates%20and%20can%20operate%20as%20usual.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%2024%20hours%2C%20the%20certificates%20expire%2C%20and%20the%20device%20must%20repeat%20the%20attestation%20process.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EStrong%2C%20flexible%20combination%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20combination%20of%20e-fuses%20and%20attestation%20constitutes%20a%20strong%20yet%20flexible%20range%20of%20protection%20against%20rollback%20attacks.%20Attestation%20using%20secure%20ECC%20keys%20and%20binary%20hashes%20provides%20a%20way%20to%20remove%20trust%20for%20a%20single%20binary%20image%20in%20an%20OS%20release%2C%20a%20single%20OS%20release%2C%20or%20a%20range%20of%20releases%20in%20such%20a%20way%20that%20the%20device%20cannot%20run%20untrusted%20software%20and%20can%20easily%20update%20to%20a%20newer%2C%20trusted%20version.%20Blowing%20an%20e-fuse%20provides%20the%20ability%20to%20remove%20support%20for%20all%20releases%20earlier%20than%20a%20particular%20version%20at%20the%20hardware%20level%2C%20ensuring%20that%20the%20device%20cannot%20run%20older%20software.%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%20about%20security%20features%20in%20Azure%20Sphere%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2F19bestpractices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EBest%20practices%20for%20implementing%20seven%20properties%20in%20Azure%20Sphere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1449703%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Sphere%20uses%20two%20strategies%20to%20prevent%20rollback%20attacks%2C%20a%20common%20security%20attack%20in%20which%20an%20attacker%20tricks%20the%20target%20into%20running%20an%20older%2C%20less%20secure%20version%20of%20its%20software.%3C%2FP%3E%0A%3CDIV%20id%3D%22lia-teaserTinyMceEditorKirsten%20Soelling_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22lia-teaserTinyMceEditorKirsten%20Soelling_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MSC18_droneManufacturingSouthAfrica_004.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199653i086BBB2B4F19F605%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22MSC18_droneManufacturingSouthAfrica_004.jpg%22%20alt%3D%22MSC18_droneManufacturingSouthAfrica_004.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1449703%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eazure%20sphere%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

A rollback attack is a common type of security attack in which an attacker tricks the target into running an older, less secure version of its software. Once the insecure software is running, the attacker can take advantage of its vulnerabilities. With thousands of field-deployed devices, Azure Sphere represents a likely target for such an attack. Azure Sphere uses two main strategies to prevent such attacks: one-time programmable (OTP) fuses and attestation.

 

One-time programmable fuses

OTP fuses can serve as circuit breakers that are built into the hardware. On Azure Sphere, the Pluton security subsystem contains several such fuses, which use the e-fuse technology. To stop trusting (and running) all previous versions of the OS, Azure Sphere “blows” an e-fuse upon update to a particular release. During OS installation, the bootloader compares the number of blown e-fuses on the device to the number expected for the OS being installed. If more e-fuses are blown than the software expects, the software must be too old, so installation fails, and the last known good version of the OS is run instead. The number of e-fuses available in Pluton is limited. Therefore, we blow them only when necessary.

 

Attestation

Attestation requires that every Azure Sphere device prove every 24 hours that it is running valid, trusted software and is an authentic Azure Sphere device. When a device connects to the Azure Sphere Security Service, it provides an attestation value that combines a hash value from each loaded binary and additional data from the device with a nonce from the Security Service. The attestation value is signed using a device-specific private ECC attestation key that was generated when the chip was manufactured. The key is stored in Pluton, is used exclusively for attestation, and is inaccessible to any software. The Security Service has the corresponding public key, so it can verify that the device is authentic. The Security Service uses the binary hashes and additional data to verify that the software is trusted.

 

If attestation succeeds and the software is trusted, the device receives the certificates required to connect to the Azure Sphere update service and to authenticate as a client to other services. If the attestation value is invalid or has an incorrect signature, the device fails attestation outright and does not receive any certificates. It can neither connect to the update service nor authenticate to another web service.

 

In some cases, however, the Security Service may determine that the binaries are valid but are not trusted. This check guards against rollback attacks because it prevents an attacker from loading an older OS that posts a security risk. For example, if a binary contains a zero-day exploit, Microsoft might decide not to trust it as part of the attestation process. In this situation, the device is not granted a client certificate, so it cannot connect to web services. Instead, it receives only an update certificate so that it can update to a trusted version of the software. Once the update is complete, the device restarts the attestation process. If the binaries are now both valid and trusted, the device receives both the update and client certificates and can operate as usual.

 

After 24 hours, the certificates expire, and the device must repeat the attestation process.

 

Strong, flexible combination

The combination of e-fuses and attestation constitutes a strong yet flexible range of protection against rollback attacks. Attestation using secure ECC keys and binary hashes provides a way to remove trust for a single binary image in an OS release, a single OS release, or a range of releases in such a way that the device cannot run untrusted software and can easily update to a newer, trusted version. Blowing an e-fuse provides the ability to remove support for all releases earlier than a particular version at the hardware level, ensuring that the device cannot run older software.   

 

For more information about security features in Azure Sphere, see Best practices for implementing seven properties in Azure Sphere.