Impact
The link files created by in-toto do not reference a layout file nor do they contain timestamps. This allows attackers to replay the first steps by replacing link files with ones from an earlier version or even replay single steps where the hashes of the expected materials match an earlier version. This might allow them to introduce bugs or prevent fixes for bugs that are not visible via the hashes. One such scenario would be the update of a compiler that introduces mitigations similar to Meltdown and Spectre.
Workarounds
X41 recommends to add a globally unique ID to the layout file to be referenced by link files. A weaker mitigation might be to add timestamps into the link files that display when they are created and a timestamp that specifies when the layout file starts being valid (similar to the expiration field) to reduce the time frame in which a link file can be replayed.
This issue can easily be mitigated by just not re-using step names in a layout. However, this is not mandated in the specification as re-using link metadata, e.g. for different supply chains, or generating link metadata independently of any supply chain, are valid use cases. In addition, as with the "Layout replay" threat ITE-2 and ITE-3 are designed to prevent unallowed metadata reuse.
References
Impact
The link files created by in-toto do not reference a layout file nor do they contain timestamps. This allows attackers to replay the first steps by replacing link files with ones from an earlier version or even replay single steps where the hashes of the expected materials match an earlier version. This might allow them to introduce bugs or prevent fixes for bugs that are not visible via the hashes. One such scenario would be the update of a compiler that introduces mitigations similar to Meltdown and Spectre.
Workarounds
X41 recommends to add a globally unique ID to the layout file to be referenced by link files. A weaker mitigation might be to add timestamps into the link files that display when they are created and a timestamp that specifies when the layout file starts being valid (similar to the expiration field) to reduce the time frame in which a link file can be replayed.
This issue can easily be mitigated by just not re-using step names in a layout. However, this is not mandated in the specification as re-using link metadata, e.g. for different supply chains, or generating link metadata independently of any supply chain, are valid use cases. In addition, as with the "Layout replay" threat ITE-2 and ITE-3 are designed to prevent unallowed metadata reuse.
References