How TUF can secure software systems from update vulnerabilities
A new open source technology to secure software system updates, The Update Framework, has become the first specification and security project to graduate from the CNCF incubation process. It complements other tools that secure other aspects of the software supply chain.
Over the past couple of years, The Update Framework (TUF) has grown into a de facto standard for securing software system updates across many kinds of applications. It has been adopted by Amazon, Microsoft, Cloudflare, Datadog, IBM and others. The car industry has even created an automotive version of TUF called Uptane, which is expected to run on one-third of new cars by 2023.
“TUF is something that should be enabled as part of securing your software supply chain,” said Justin Cappos, associate professor of computer science and engineering at NYU, who pioneered early work on the framework in 2009. TUF reduces the effect of compromised signing keys, malicious employees or sophisticated attacks on software repositories, and it works in concert with other secure software systems.
“In my view, git signing, TUF and having some sort of verification on your build or CI/CD pipeline are all about equally important,” he said. Over the past several years, hackers have found a variety of ways to compromise the software supply chain for targeted attacks such as stealing bitcoin wallets.
Secure software system adoption
The first major inflection point in TUF’s adoption was Docker’s development of Notary. From there, TUF visibility and adoption grew over time. Now there are multiple implementations of TUF that are used in the cloud, although Notary is still the most widely used and there are other options used outside the cloud.
The technology is being developed in a variety of domains, including automotive, cloud native, traditional operating systems, embedded systems, programming languages and even lawyers who want to protect the provenance of laws. “We’ve been happy to see the ideas in TUF take root in different communities and happy to help to foster them,” Cappos said.
TUF integrates well with other Agile methodologies and software supply chain tools. For example, a team led by Trishank Kuppusamy — a staff security engineer at Datadog — combined TUF and in-toto to provide more comprehensive protection to publish new Datadog integrations. TUF mitigates the effect of a key compromise for a packaged or containerized piece of software, while in-toto provides the ability to verify the whole software supply chain.
TUF makes it possible to update software safely even when an organization doesn’t have perfect operational security, because it contains successful attacks and limits their scope. For example, let’s say an attacker successfully breaks into the software repository at an automaker. They steal the signing keys on that repository and gain the ability to serve updates to clients. The attacker could then do things like tell you there hasn’t been a new update when there has been one. The automotive version of TUF, called Uptane, would prevent this.
“If a similar compromise happens with updaters that don’t have the compromise resilience feature, the attacker could push updates to critical parts of your vehicle, such as your brakes,” Cappos said. “Clearly, one would be much safer in a vehicle with Uptane in this case.”
A key design principle of TUF was to make it easy to integrate with existing software update systems. “Once you set it up, everyone just does the sorts of things they usually do,” Cappos said. Developers generate and sign TUF metadata instead of signing the code with GPG or other code signing tools. Repository administrators don’t do anything special once it’s set up. End users often won’t even know TUF is there unless there’s an attack and they’re protected.
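To make the compromise scenario above concrete, here is an added example (not code from the article, from python-tuf or from Uptane) of the three client-side checks that let a TUF client contain a stolen repository key: a signature threshold across several trusted keys, a version number that must never go backwards, and an expiry date on the metadata. The key material, the metadata contents and the "now" timestamp are all constructed for the example, and HMAC stands in for the asymmetric signatures real TUF metadata carries, so that the block runs with only the Python standard library.

```python
"""Toy TUF-style client verification: threshold, rollback and expiry checks.

Added example, not python-tuf. HMAC is a stand-in for the public-key
signatures real TUF uses; the client would normally hold only public keys.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key material for the example (three keys trusted for one role).
KEYS = {"k1": b"constructed-key-1", "k2": b"constructed-key-2", "k3": b"constructed-key-3"}


class VerificationError(Exception):
    pass


def canonical(signed: dict) -> bytes:
    """Canonical JSON so signer and verifier hash byte-identical input."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(signed: dict, keyids) -> dict:
    """Wrap a 'signed' dict in a TUF-like envelope signed by the given keyids."""
    data = canonical(signed)
    sigs = [{"keyid": k, "sig": hmac.new(KEYS[k], data, hashlib.sha256).hexdigest()} for k in keyids]
    return {"signed": signed, "signatures": sigs}


def verify_role(metadata: dict, trusted_keyids, threshold: int, trusted_version: int, now: datetime) -> int:
    """Apply the checks a TUF client applies before trusting new metadata:
    1. enough valid signatures from trusted keys (threshold),
    2. version must not be lower than the version already trusted (rollback),
    3. metadata must not be expired (freeze attack).
    Returns the version the client may now trust."""
    signed = metadata["signed"]
    data = canonical(signed)
    valid = set()
    for entry in metadata["signatures"]:
        kid = entry["keyid"]
        if kid not in trusted_keyids:
            continue  # unknown keys never count toward the threshold
        expected = hmac.new(KEYS[kid], data, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, entry["sig"]):
            valid.add(kid)
    if len(valid) < threshold:
        raise VerificationError(f"only {len(valid)} of {threshold} required signatures valid")
    if signed["version"] < trusted_version:
        raise VerificationError(f"rollback: version {signed['version']} < trusted {trusted_version}")
    if datetime.fromisoformat(signed["expires"]) <= now:
        raise VerificationError(f"metadata expired at {signed['expires']}")
    return signed["version"]


def run_scenarios() -> dict:
    """Play out a legitimate update and three attacker moves after one key (k1) is stolen."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    trusted = {"k1", "k2", "k3"}
    threshold = 2  # one stolen key is not enough to produce valid metadata
    fresh = (now + timedelta(days=1)).isoformat()
    stale = (now - timedelta(hours=1)).isoformat()

    def outcome(meta, trusted_version=5):
        try:
            return f"accepted v{verify_role(meta, trusted, threshold, trusted_version, now)}"
        except VerificationError as e:
            return f"rejected: {e}"

    good = sign({"version": 5, "expires": fresh, "targets": {"app.bin": "constructed-digest"}}, ["k1", "k2"])
    one_key = sign({"version": 6, "expires": fresh, "targets": {}}, ["k1"])            # forged with k1 only
    replay = sign({"version": 4, "expires": fresh, "targets": {}}, ["k1", "k2"])       # old but properly signed
    frozen = sign({"version": 5, "expires": stale, "targets": {}}, ["k1", "k2"])       # served past its expiry
    return {
        "valid_update": outcome(good),
        "single_stolen_key": outcome(one_key),
        "rollback_replay": outcome(replay),
        "freeze_past_expiry": outcome(frozen),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20} {result}")
```

The freeze case is the one the article describes: an attacker who keeps serving yesterday's metadata can only do so until it expires, after which the client stops trusting it and knows something is wrong; the short-lived timestamp role in real TUF is what bounds that window.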
The future of secure software systems
The TUF team is also working with the Python community to help protect its package infrastructure. Cappos said they would also like to work with the medical device and power grid communities, but those groups have other pressing challenges at the moment.
There are other efforts to simplify key rotation that could make TUF more appealing across domains. “Without bloating the specification, we will continue to integrate good ideas from all sources and build a common, secure software system update mechanism that can be used across nearly any domain,” Cappos said.