An operating system's utility is largely defined by the software it can run. Such software is commonly installed and updated using package managers, library managers or application updaters that communicate with remote repositories or mirrors. As such, software installation and updates are strongly susceptible to attacks. The attack scenarios are widely diverse, whether smuggling in backdoors, withholding updates to important features and security patches, or crashing the updating client, but all can be costly. As a consequence, many existing software update systems offer security mechanisms that seek to prevent such scenarios. Two important concepts for providing authentication and software integrity are transport layer security and cryptographically signed files.

This talk reveals the limitations of the above security mechanisms and presents an alternative. TUF is an update framework that uses multiple levels of delegation, key thresholds, and both implicit and explicit trust revocation, not only to shield users against a variety of attacks, but also to make update systems especially resilient against key compromises. TUF is the first software update infrastructure that is resilient to compromises of both the repository and signing keys. It has been standardized by several groups, including Python, and is used in production by many communities, including LEAP, AppContainer, Flynn, Docker, and several automotive vendors. Some mechanisms and concepts from TUF have already been integrated into apt.
Speakers: Lukas Puehringer