A Framework for Securing Software Update Systems
The Update Framework (TUF) helps developers to secure new or existing software update systems, which are often found to be vulnerable to many known attacks. TUF addresses this widespread problem by providing a comprehensive, flexible security framework that developers can integrate with any software update system. The framework can be easily integrated (or implemented in the native programming languages of these update systems) due to its concise, self-contained architecture and specification. Developers have so far implemented the framework in the Go, Haskell, Python, Ruby, and Rust programming languages.
TUF is hosted by the Cloud Native Computing Foundation (CNCF) and follows the CNCF Code of Conduct.
What is a software update system?
Generally, a software update system is an application (or part of an application) running on a client system that obtains and installs software. This can include updates to software that is already installed or even completely new software.
Three major classes of software update systems are:
- Application updaters, which applications use to update themselves. For example, Firefox updates itself through its own application updater.
- Library package managers such as those offered by many programming languages for installing additional libraries. These are systems such as Python’s pip/easy_install + PyPI, Perl’s CPAN, Ruby’s Gems, and PHP’s PEAR.
- System package managers used by operating systems to update and install all of the software on a client system. Debian’s APT, Red Hat’s YUM, and openSUSE’s YaST are examples of these.
There are literally thousands of different software update systems in common use today. (In fact the average Windows user has about two dozen different software updaters on their machine!)
We built a specification and library that can be universally (and in most cases transparently) used to secure software update systems.
October 24, 2017
The Cloud Native Computing Foundation announced at Open Source Summit Europe that it was adding TUF as its 14th hosted project. Notary, Docker’s implementation of TUF, was also added at that time. https://www.cncf.io/announcement/2017/10/24/cncf-host-two-security-projects-notary-tuf-specification/
September 8, 2017
Cloudflare releases PAL, a container identity bootstrapping tool. It is open source and uses Notary, Docker’s implementation of TUF. PAL “confirms that a specific container hash maps to specific metadata like a container’s name and label.” https://blog.cloudflare.com/pal-a-container-identity-bootstrapping-tool/
July 5, 2017
TUF will be featured in DebConf17, an “annual conference for Debian contributors and users interested in improving Debian.” The conference will take place in Montreal, Canada, August 6 - 12, 2017. https://debconf17.debconf.org/talks/153/
July 3, 2017
Dr. Trishank Karthik Kuppusamy defended his dissertation on TUF and Uptane. Congratulations! Work on these projects will continue as Sebastien, Vlad, Justin, and others move forward!
May 10, 2017
Justin Cappos gave a talk on TUF, Uptane, and in-toto at DockerCon 2017.
October 10, 2016
Lily Guo and Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon+ContainerCon Europe 2016. Slides of their talk are available here.
September 22, 2016
TUF now welcomes proposals to extend the specification! For more information, please see TUF Augmentation Proposals (TAPs).
August 24, 2016
Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon North America. Slides of his talk are available here: https://events.linuxfoundation.org/events/linuxcon-north-america/program/slides
February 22, 2016
David Lawrence and Ying Li from Docker are scheduled to present at PyCon 2016. The title of their presentation is: When the going gets tough, get TUF going
February 19, 2016
The Update Framework now has a logo to call its own. Thanks go to Maria Jose Barrera (https://twitter.com/joseemari) for creating the logo, and to Santiago Torres for making it happen.
February 18, 2016
The camera-ready version of “Diplomat: Using Delegations to Protect Community Repositories” was recently submitted to NSDI 2016. The paper is freely available here on our website.
August 12, 2015
In TUF adoption news… the Docker team announced Docker Content Trust, which integrates TUF via Notary. Docker Content Trust will be available starting with Docker 1.8, and supports image signing and verification. For more information on the Docker + TUF integration, please visit: https://blog.docker.com/2015/08/content-trust-docker-1-8/
How do I learn more?
For more information, look at the following:
- Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories
- Diplomat: Using Delegations to Protect Community Repositories
- Survivable Key Compromise in Software Update Systems
- A Look in the Mirror: Attacks on Package Managers
- Package Management Security
Security issues can be reported by emailing email@example.com.
At a minimum, the report must contain the following:
- Description of the vulnerability.
- Steps to reproduce the issue.
Optionally, reports that are emailed can be encrypted with PGP. You should use PGP key fingerprint E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475.
- Advanced Telematic Systems is working on a Rust implementation of TUF to secure over-the-air software updates in automobiles
- Docker Content Trust
- LEAP Encryption Access Project
- Docker registry bindings for The Update Framework in Python. Uses dxf to store TUF metadata and target files in a Docker registry.
- Securing Python package management
  - PEP 458: Securing the Link from PyPI to the End User
  - PEP 480: Surviving a Compromise of PyPI
  - PyCon 2013 lightning talk (Slides)
  - PyCon US 2011 talk
  - Test pip with TUF
  - Automation for creating, updating and destroying a TUF-secured PyPI mirror
  - Source code of pip with TUF
- Securing Ruby package management
  - Developers from Square have demonstrated an initial implementation of TUF for RubyGems
  - Atlassian Dev Den Tech Talk Series: Securing Rubygems with TUF
  - Securing RubyGems with TUF, Part 1
  - Securing RubyGems with TUF, Part 2
  - Securing RubyGems with TUF, Part 3
- CoreOS App Container Specification
- Hackage, Haskell’s Central Package Archive
- Signing the OPAM Repository: TUF Meets Git
  - Conex release announcement
  - Implementation of conex
  - Initial proposal to secure the distribution of OCaml packages
- The Cloud Native Computing Foundation adds two security projects to its open source stable
- CNCF Adds 2 Projects to better secure containers
- Cloud Native Computing Foundation Adopts 2 Security Projects
- CNCF Brings Security to the Cloud Native Stack with Notary, TUF adoption
- Justin Cappos delivers a talk about TUF at DockerCon 17
- Python’s Podcast.init runs a segment called “Securing your Software Updates with Justin Cappos-Episode 99”
- Justin Cappos presented TUF (and ongoing work in securing software updates in automobiles and the software supply chain) at Docker’s Distributed Systems Summit 2016
- Secure Software Distribution in an Adversarial World - Duo Tech Talk
- Docker: With Content Trust, You Can Run Containers on Untrusted Networks
- Notary demoed at the DockerCon 2015 keynote
- LWN.net: Docker image “verification”
- Poster at PyCon 2015
- LWN.net: Protecting Python package downloads
- The Linux Magazine: TUF Love
- Docker Image Insecurity
- Hacker News: Incremental Plans to Improve Python Packaging
- Promotional materials on TUF (The Update Framework) w/ Justin Cappos and Trishank Kuppusamy
- Slashdot: Package Managers As Achilles Heel
This material is based upon work supported by the National Science Foundation under Grant No. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.