A Framework for Securing Software Update Systems
The Update Framework (TUF) helps developers to secure new or existing software update systems, which are often found to be vulnerable to many known attacks. TUF addresses this widespread problem by providing a comprehensive, flexible security framework that developers can integrate with any software update system. The framework can be easily integrated (or implemented in the native programming languages of these update systems) due to its concise, self-contained architecture and specification. Developers have so far implemented the framework in the Python, Go, Ruby, and Haskell programming languages.
What is a software update system?
Generally, a software update system is an application (or part of an application) running on a client system that obtains and installs software. This can include updates to software that is already installed or even completely new software.
Three major classes of software update systems are:
- Application updaters which are used by applications use to update themselves. For example, Firefox updates itself through its own application updater.
- Library package managers such as those offered by many programming languages for installing additional libraries. These are systems such as Python's pip/easy_install + PyPI, Perl's CPAN, Ruby's Gems, and PHP's PEAR.
- System package managers used by operating systems to update and install all of the software on a client system. Debian's APT, Red Hat's YUM, and openSUSE's YaST are examples of these.
There are literally thousands of different software update systems in common use today. (In fact the average Windows user has about two dozen different software updaters on their machine!)
We built a specification and library that can be universally (and in most cases transparently) used to secure software update systems.
September 22, 2016
TUF now welcomes proposals to extend the specification! For more information, please see TUF Augmentation Proposals (TAPs).
August 24, 2016
Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon North America. Slides of his talk are available here: https://events.linuxfoundation.org/events/linuxcon-north-america/program/slides
February 22, 2016
David Lawrence and Ying Li from Docker are scheduled to present at PyCon 2016. The title of their presentation is: When the going gets tough, get TUF going
February 19, 2016
The Update Framework now has a logo to call its own. Thanks is given to Maria Jose Barrera (https://twitter.com/joseemari) for creating the logo, and to Santiago Torres for making it happen.
February 18, 2016
The camera-ready version of "Diplomat: Using Delegations to Protect Community Repositories" was recently submitted to NSDI 2016. The paper is freely available here on our website.
August 12, 2015
In TUF adoption news... the Docker team announced Docker Content Trust, which integrates TUF via Notary. Docker Content Trust will be available starting with Docker 1.8, and supports image signing and verification. For more information on the Docker + TUF integration, please visit: https://blog.docker.com/2015/08/content-trust-docker-1-8/
How do I learn more?
For more information, look at the following:
- Diplomat: Using Delegations to Protect Community Repositories
- Survivable Key Compromise in Software Update Systems
- A Look in the Mirror: Attacks on Package Managers
- Package Management Security
LEAP Encryption Access Project
- Docker registry bindings for The Update Framework in Python. Uses dxf to store TUF metadata and target files in a Docker registry.
Securing Python package management
- PEP 458: Securing the Link from PyPI to the End User
- PEP 480: Surviving a Compromise of PyPI
- PyCon 2013 lightning talk (Slides)
- PyCon US 2011 talk
- Test pip with TUF
- Automation for creating, updating and destroying a TUF-secured PyPI mirror
- Source code of pip with TUF
Securing Ruby package management
- Developers from Square have demonstrated an initial implementation of TUF for RubyGems
- Atlassian Dev Den Tech Talk Series: Securing Rubygems with TUF
- Securing RubyGems with TUF, Part 1
- Securing RubyGems with TUF, Part 2
- Securing RubyGems with TUF, Part 3
CoreOS App Container Specification
Hackage, Haskell's Central Package Archive
Signing the OPAM Repository: TUF Meets Git
- Secure Software Distribution in an Adversarial World - Duo Tech Talk
- Docker: With Content Trust, You Can Run Containers on Untrusted Networks
- Notary demoed at the DockerCon 2015 keynote
- LWN.net: Docker image "verification"
- Poster at PyCon 2015
- LWN.net: Protecting Python package downloads
- The Linux Magazine: TUF Love
- Docker Image Insecurity
- Hacker News: Incremental Plans to Improve Python Packaging
- Promotional materials on TUF (The Update Framework) w/ Justin Cappos and Trishank Kuppusamy
- Slashdot: Package Managers As Achilles Heel
This material is based upon work supported by the National Science Foundation under Grant No. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.