Introduction to TUF and Notary
Justin {Cormack,Cappos}
There exists an attack vector
2
Many Victims...
3
Doesn’t crypto just work?
SSL / TLS (online key)
Protects users from man-in-the-middle attacks
5
Repository
User
SSL / TLS (online key)
If the repository is compromised, the user gets compromised.
6
Repository
User
GPG (offline key)
7
Some basic attacks...
8
Attack: Slow Retrieval
Goal: Silently prevent a client from obtaining an update
Attack: When a client tries to update, send
at
a
very
slow
rate
...
9
Attack: Endless Data
Goal: Crash the software updater or the hosting machine
Attack: When a client makes a request, just send data infinitely...
10
Problem: Endless Data
yum package manager:
- Used by RedHat, Fedora, and many other popular distributions
- Updates software on Linux machines
- Runs as root
- Would download an update first, writing it to disk
- Would download until the server stops sending
- Fills the disk, crashes and prints no error.
Can't even write the problem to the syslog!
11
Attack: Zip Bomb
Goal: Crash the software updater or the hosting machine
Attack: send a ZIP file designed to crash or render useless the program or system reading it
12
Attack: Duplicate Files in Zip
Goal: Insert an arbitrary file into a package
Mechanism: List a file multiple times (one malicious, one correct). The SU may check the wrong one.
Example: Google APK
13
Arbitrarily Modify Updates
Goal: Run arbitrary malicious code on the device
Attack: Attacker changes software package.
Provide it in place of normal update.
Solution: Use encryption -- Not a panacea
14
Attack: Reverting Packages
Goal: Downgrade a package to an earlier version (likely with known vulnerabilities)
Solution: Ensure version numbers increase (unless the user requested a downgrade)
15
Attack: Freeze Attack
Goal: Prevent updates forever
Mechanism: Replay the last known data forever
Solution: Have an uncompromised party sign files periodically
(This is implicit for an uncompromised repository using TLS)
Clients check that the signature is not older than a certain date.
16
Attack: Mix-and-Match Attack
Goal: Compromise users by causing them to install vulnerable packages
Mechanism: Repo signs snapshot of released packages
17
firefox
libc-secure
libc-vulnerable
x
snapshot
firefox
libc-secure
Attack: Extraneous
Dependencies
Goal: Cause vulnerable or incompatible packages to be installed.
Mechanism: Replace metadata with different dependency information
Example in the wild: npm (2016)
18
firefox
libc
sendmail 1.0
+
Attack: Depends on Everything
Goal: DOS / wasted bandwidth
Mechanism: Replace metadata with dependencies on all packages
All packages are downloaded
19
firefox
chrome
opera
+
safari
iexplore
+
+
+
Attack: Unsatisfiable Dependencies
Goal: Prevent package installation
Mechanism: Replace metadata with missing / conflicting dependencies
Stops package manager from performing installation
Can also be caused be a developer removing packages from a repo
20
Attack: Provides Everything
Goal: Cause a vulnerable package to be installed
Mechanism: Make a flawed package provide a virtual dependency for everything
Vulnerable package is installed by all parties
21
sendmail 1.0
firefox
iexplore
chrome
safari
opera
Attack: Compromise
Goal: Arbitrarily change packages
22
Enter TUF!
Be compromise-resilient!
Key management, etc.
Support, don’t judge!
23
TUF Goal: Compromise-Resilience
Goal: Minimize damage from attack
Minimize likelihood of successful attack
Contain impact of successful attacks
24
Explicit & Implicit Revocation
Expiration
Revocation
25
Responsibility Separation
26
timeliness
Root of trust
content
consistency
Minimize Risk
27
DAMAGE ~= PROBABILITY x IMPACT
High-impact role?
Low-impact role
Highly secure keys
Online keys?
Multi-signature Trust
28
{ "_type" : "root",
"compression_algorithms": [ ... ],
"consistent_snapshot":,
"version" : VERSION,
"expires" : EXPIRES,
"keys" : {
KEYID : KEY
, ... },
"roles" : {
ROLE : {
"keyids" : [ KEYID, ... ] ,
"threshold" : THRESHOLD }
, ... }
}
Roles in TUF
29
ε
timestamp
metadata
packages
online
keys
offline
keys
signs metadata for
target
package
signs root keys for
delegates packages to
root
snapshot
projects
A1
BC
A.pkg
C.gz
signs for packages
A.*
B.*, C.*
*.pkg
A2
B.tar
TUF Key Hierarchy
30
Root
Targets
Timestamp
Snapshot
David
TUF
Justin
TUF Metadata Verification
31
Root
Targets
Snapshot
Timestamp
David
Justin
TUF
Notary
Integrations
Beyond TUF
What is coming for TUF?
Things TUF does not protect against...
34