Introduction to TUF and Notary

​

Justin {Cormack,Cappos}

There exists an attack vector

• When exploited has nearly unlimited privileges
• Traditional defenses are ineffective
• Ubiquitous
• A failed attack often appears benign
• Exploited by the best hackers in the world

​

2

Many Victims...

3

Doesn’t crypto just work?

SSL / TLS (online key)

Protects users from man-in-the-middle attacks

5

Repository

User

SSL / TLS (online key)

If the repository is compromised, the user gets compromised.

6

Repository

User

GPG (offline key)

• Key distribution?
• Separation of Trust?
• Revocation?

7

Some basic attacks...

8

Attack: Slow Retrieval

Goal: Silently prevent a client from obtaining an update

Attack: When a client tries to update, send

at

a

very

slow

rate

...

9

Attack: Endless Data

Goal: Crash the software updater or the hosting machine

Attack: When a client makes a request, just send data infinitely...

10

Problem: Endless Data

yum package manager:

    - Used by RedHat, Fedora, and many other popular distributions

    - Updates software on Linux machines

    - Runs as root

    - Would download an update first, writing it to disk

    - Would download until the server stops sending

    - Fills the disk, crashes and prints no error.

        Can't even write the problem to the syslog!

11

Attack: Zip Bomb

Goal: Crash the software updater or the hosting machine

Attack: send a ZIP file designed to crash or render useless the program or system reading it

​

(Similar attacks exist for XML, PGP.)

12

Attack: Duplicate Files in Zip

Goal: Insert an arbitrary file into a package

Mechanism: List a file multiple times (one malicious, one correct). The SU may check the wrong one.

​

Example: Google APK

​

13

Arbitrarily Modify Updates

Goal: Run arbitrary malicious code on the device

Attack: Attacker changes software package.

Provide it in place of normal update.

Solution: Use encryption -- Not a panacea

14

Attack: Reverting Packages

Goal: Downgrade a package to an earlier version (likely with known vulnerabilities)

Solution: Ensure version numbers increase (unless the user requested a downgrade)

15

Attack: Freeze Attack

Goal: Prevent updates forever

Mechanism: Replay the last known data forever

Solution: Have an uncompromised party sign files periodically

(This is implicit for an uncompromised repository using TLS)

Clients check that the signature is not older than a certain date.

16

Attack: Mix-and-Match Attack

Goal: Compromise users by causing them to install vulnerable packages

Mechanism: Repo signs snapshot of released packages

17

firefox

libc-secure

libc-vulnerable

x

snapshot

firefox

libc-secure

Attack: Extraneous

Dependencies

Goal: Cause vulnerable or incompatible packages to be installed.

Mechanism: Replace metadata with different dependency information

Example in the wild: npm (2016)

18

firefox

libc

sendmail 1.0

+

Attack: Depends on Everything

Goal: DOS / wasted bandwidth

Mechanism: Replace metadata with dependencies on all packages

All packages are downloaded

​

19

firefox

chrome

opera

+

safari

iexplore

+

+

+

Attack: Unsatisfiable Dependencies

Goal: Prevent package installation

Mechanism: Replace metadata with missing / conflicting dependencies

Stops package manager from performing installation

Can also be caused be a developer removing packages from a repo

npm

20

Attack: Provides Everything

Goal: Cause a vulnerable package to be installed

Mechanism: Make a flawed package provide a virtual dependency for everything

Vulnerable package is installed by all parties

21

sendmail 1.0

firefox

iexplore

chrome

safari

opera

Attack: Compromise

Goal: Arbitrarily change packages

• 2008: Fedora signing key may have been compromised
• 2008: Attackers compromise Red Hat and sign malicious OpenSSH packages
• 2012: Flame exploits MD5 in Microsoft Windows Update
• 2012: Adobe revokes stolen certificate used to sign malware
• 2013: Attackers may have stolen SSL certificate for PHP
• 2013: Users installed malware signed with stolen Opera certificate
• 2014: npm RCE bug may have leaked SSL keys
• 2016: Malware gang steals code-signing certificates
• [many recent incidents omitted]
• etc…
• Mechanism: Compromise a package repo
• including HSMs, signing keys, etc.

​

22

Enter TUF!

Be compromise-resilient!

Key management, etc.

Support, don’t judge!

23

TUF Goal: Compromise-Resilience

Goal: Minimize damage from attack

Minimize likelihood of successful attack

Contain impact of successful attacks

​

24

Explicit & Implicit Revocation

Expiration

Revocation

25

Responsibility Separation

26

timeliness

Root of trust

content

consistency

Minimize Risk

27

DAMAGE ~= PROBABILITY x IMPACT

High-impact role?

Low-impact role

Highly secure keys

Online keys?

Multi-signature Trust

28

​

​

​

​

{ "_type" : "root",

"compression_algorithms": [ ... ],

"consistent_snapshot":,

"version" : VERSION,

"expires" : EXPIRES,

"keys" : {

KEYID : KEY

, ... },

"roles" : {

ROLE : {

"keyids" : [ KEYID, ... ] ,

"threshold" : THRESHOLD }

, ... }

}

​

​

Roles in TUF

• Responsibility separation.
• Multitrust signatures (a.k.a. two-man rule).
• Explicit and implicit revocation of keys.
• Minimizing risk (with offline keys).

29

ε

timestamp

metadata

packages

online

keys

offline

keys

signs metadata for

target

package

signs root keys for

delegates packages to

root

snapshot

projects

A1

BC

A.pkg

C.gz

signs for packages

A.*

B.*, C.*

*.pkg

A2

B.tar

TUF Key Hierarchy

30

Root

TUF Metadata Verification

31

Root

Targets

Snapshot

Timestamp

David

Justin

TUF

Notary

• implementation of TUF for container applications
• CNCF project
• written in Go, use as library or server
• allows some flexibility in how you validate trust
• integrated into many container registries
• Docker Hub
• Azure
• IBM Cloud
• Harbor

​

​

Integrations

Beyond TUF

What is coming for TUF?

Things TUF does not protect against...

​

​

​

34