The Update Framework

A framework for securing software update systems

Security

We can think of a software update system as “secure” if:

Making this happen requires workable preventive strategies against a number of potential attacks.

Attacks and Weaknesses

The following are some of the known attacks on software update systems, including the weaknesses that make these attacks possible. To design a secure software update framework, these attacks need to be understood and strategies to defend against them must be specified. Some of these issues are, or can be, related, depending on the design and implementation of the given software update system.

Security Design Principles

To ensure systems are secure against all of the above attacks, the design and implementation of TUF rely on a few basic concepts. For details of how TUF conveys the information discussed below, see the Metadata documentation.

Trust

Trusting downloaded files really means assuming the files were provided by a party without malicious designs. Two frequently overlooked aspects of trust in a secure software update system are:

Mitigating Key Risk (Compromise-Resilience)

Cryptographic signatures are a necessary component in securing a software update system. The safety of the keys used to create these signatures directly affects the security of the clients the system protects. Rather than naively assume that private keys are always safe from compromise, a secure software update system must anticipate how to keep clients as safe as possible when a compromise of those keys occurs. This is the basic principle of compromise resilience.

Keeping clients safe despite a key compromise involves:

Integrity

Ensuring integrity in TUF not only refers to single files, but also to the repository as a whole. It’s fairly obvious that clients must verify that individual downloaded files are correct. It’s not as obvious, but still very important, for clients to be certain that their entire view of a repository is correct. For example, if a trusted party is providing two files, a software update system should see the latest versions of both files, not just one, and not versions of the two files that were never provided together.

Freshness

Since software updates often fix security bugs, it is important for software update systems to obtain the latest versions available of these files. An attacker may want to trick a client into installing outdated versions of software or even just convince a client that no updates are available.

Ensuring freshness means:

Note that it won’t always be possible for a client to successfully update if an attacker is responding to their requests. However, a client should be able to recognize that updates may exist that they haven’t been able to obtain.

Implementation Safety

In addition to a secure design, TUF also works to be secure against implementation vulnerabilities, including those common to software update systems. In some cases this is assisted by the inclusion of additional information in metadata. For example, knowing the expected size of a target file that is to be downloaded allows TUF to limit the amount of data it will download when retrieving the file. As a result, TUF is secure against endless data attacks (discussed above).
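The length limit described above, sketched as an added example (this is not TUF's own code). The names fetch_bounded, DownloadError and EndlessStream are hypothetical, and expected_length and expected_sha256 are assumed to come from metadata the client has already verified.

```python
import hashlib
import io


class DownloadError(Exception):
    """Raised when a download violates what the trusted metadata promised."""


def fetch_bounded(stream, expected_length, expected_sha256, chunk_size=4096):
    """Read a target file, never accepting more than expected_length bytes."""
    digest = hashlib.sha256()
    chunks = []
    received = 0
    while True:
        # Request at most one byte past the limit: enough to detect oversize
        # data without buffering whatever the server keeps sending.
        want = min(chunk_size, expected_length - received + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        received += len(chunk)
        if received > expected_length:
            raise DownloadError("server sent more than the expected length")
        digest.update(chunk)
        chunks.append(chunk)
    if received != expected_length:
        raise DownloadError("download is shorter than the expected length")
    if digest.hexdigest() != expected_sha256:
        raise DownloadError("hash does not match trusted metadata")
    return b"".join(chunks)


class EndlessStream:
    """Constructed stand-in for a server that never stops sending data."""

    def __init__(self):
        self.bytes_served = 0

    def read(self, n):
        self.bytes_served += n
        return b"A" * n


if __name__ == "__main__":
    data = b"constructed target file contents"  # constructed sample input
    sha = hashlib.sha256(data).hexdigest()
    print(fetch_bounded(io.BytesIO(data), len(data), sha) == data)
    try:
        fetch_bounded(EndlessStream(), len(data), sha)
    except DownloadError as err:
        print("rejected:", err)
```

The hash check alone would not stop an endless data attack, because a hash can only be compared once the stream ends; the length bound is what caps how much the client reads.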