The Update Framework

A framework for securing software update systems

Overview

A quick look at what TUF does and how it works.

Purpose, or Why Get TUF?

There are literally thousands of different software update systems in common use today. (In fact the computer of an average Windows user probably contains about two dozen different software updaters!)

What these very different systems have in common is that they all identify, locate, and download updates for software that can add new functionalities or address old vulnerabilities. Software is rarely ever static, and some repositories receive updates on software or project metadata every few minutes. This growing flow of updates has also created a need for better ways to protect the systems that manage them. Though a number of strategies have been introduced and used over the last decade or so to enhance the authenticity of update files—and by extension, the security of update systems—most have drawbacks that have left repositories vulnerable to a number of attacks.

TUF was launched almost a decade ago as a way to build system resilience against key compromises and other attacks that can spread malware or compromise a repository. The primary goals behind its design are:

Software Updates 101

A software update system is an application (or part of an application) running on a client system that identifies, obtains, and installs software.

There are three major classes of software update systems:

While these systems may vary in how they work, most follow a similar update procedure. Obtaining and installing an update simply means:

TUF is designed to perform the first two steps of this procedure, while guarding against the majority of attacks that can occur during or after the update. These include threats that other software security strategies may not take into account, such as when:

The Security section offers a full list of the attacks and updater weaknesses that TUF is designed to defend against.

How does TUF secure updates?

In a sense, TUF enhances security by adding verifiable records about the state of a repository or application. By adding metadata containing information about which signing keys are trusted, the cryptographic hashes of files, signatures on the metadata, metadata version numbers, and the date after which the metadata should be considered expired, it creates a record that can be checked to verify the authenticity of update files.

Your software update system never has to deal with this additional metadata or understand what’s going on underneath. TUF identifies the updates, downloads them, and checks them against the metadata that it also downloads from the repository. If the downloaded target files are trustworthy, TUF hands them over to your software update system. See metadata for more information and examples.