The Update Framework, a means to securely check for and download updates

The release of version 1.0 of The Update Framework, better known as TUF, has been announced. TUF is a framework that provides a means to check for and download updates safely.

The main objective of the project is to protect the client from typical attacks on repositories and infrastructure, including the promotion of fake updates that attackers create after gaining access to the keys used to generate digital signatures or after compromising the repository.

About TUF

The project develops a number of libraries, file formats, and utilities that can be easily integrated into existing application update systems, providing protection in the event that keys on the software developers' side are compromised. To use TUF, it is enough to add the necessary metadata to the repository and integrate the procedures provided in TUF to load and verify files in the client code.

The TUF framework takes over the task of checking for an update, downloading the update, and verifying its integrity. The update installation system does not directly interact with the additional metadata, which is verified and loaded by TUF.

For integration with applications and update installation systems, a low-level API for accessing metadata and an implementation of the high-level client API, ngclient, ready for application integration, are provided.

Among the attacks that TUF can counter are version substitution under the guise of updates, used to block fixes for vulnerabilities in the software or to revert the user to a previous vulnerable version; the promotion of malicious updates correctly signed with a compromised key; and DoS attacks on clients, such as filling the disk with an endless update.

Protection against compromise of the software vendor's infrastructure is achieved by maintaining separate verifiable records of the state of the repository or application.

The TUF-verified metadata includes key information that can be trusted, cryptographic hashes to assess file integrity, additional digital signatures to verify metadata, version number information, and record lifetime information. The keys used for verification have a limited lifetime and require constant updating to protect against signing with old keys.

Reducing the risk of compromising the entire system is achieved through the use of a split trust model, in which each party is limited only to the area for which it is directly responsible.

The system uses a hierarchy of roles, each with its own keys. For example, the root role signs the keys for the roles responsible for the metadata in the repository, for data about the time updates were generated, and for target builds; in turn, the role responsible for the builds signs the roles associated with the certification of the delivered files.

To protect against key compromise, TUF uses a mechanism for fast key revocation and replacement. Each individual key concentrates only the minimum necessary powers, and notarization operations require the use of several keys (leakage of a single key does not allow an immediate attack on the client, and to compromise the entire system, it is necessary to capture the keys of all participants).

The client can only accept files created later than previously received files, and data is downloaded only according to the size specified in the certified metadata.
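
The client-side checks described above (signature threshold, refusal of older metadata, expiry, and a download bounded by the certified size and hash), as an added Python example that is not from the article or from TUF's own code. The key names, metadata layout and function names are assumptions, and HMAC stands in for the public-key signatures TUF actually uses.

```python
import hashlib, hmac, io, json
from datetime import datetime, timezone

# Constructed demo keys. HMAC is a stand-in: real TUF uses public-key signatures.
KEYS = {"k1": b"demo-key-1", "k2": b"demo-key-2", "k3": b"demo-key-3"}
THRESHOLD = 2  # valid signatures required from distinct trusted keys

def _mac(keyid, signed):
    body = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[keyid], body, hashlib.sha256).hexdigest()

def sign(signed, keyids):
    """Repository side: attach one signature per key id."""
    return {"signed": signed, "signatures": {k: _mac(k, signed) for k in keyids}}

def verify_metadata(meta, trusted_version, now):
    """Client side: threshold, rollback and expiry checks, in that order."""
    signed = meta["signed"]
    valid = {k for k, sig in meta["signatures"].items()
             if k in KEYS and hmac.compare_digest(sig, _mac(k, signed))}
    if len(valid) < THRESHOLD:
        raise ValueError("signature threshold not met")
    if signed["version"] < trusted_version:
        raise ValueError("rollback: older than trusted metadata")
    if datetime.fromisoformat(signed["expires"]) <= now:
        raise ValueError("metadata expired")
    return signed

def fetch_target(stream, info):
    """Read no more than the certified length, then compare the hash."""
    data = stream.read(info["length"] + 1)  # one extra byte exposes oversize
    if len(data) != info["length"]:
        raise ValueError("length mismatch")
    if hashlib.sha256(data).hexdigest() != info["sha256"]:
        raise ValueError("hash mismatch")
    return data

def demo(now=datetime(2025, 1, 1, tzinfo=timezone.utc)):
    """Constructed repository state: one target, metadata version 5."""
    payload = b"app-2.0 binary"
    signed = {"version": 5, "expires": "2030-01-01T00:00:00+00:00",
              "targets": {"app.bin": {"length": len(payload),
                                      "sha256": hashlib.sha256(payload).hexdigest()}}}
    meta = sign(signed, ["k1", "k3"])
    info = verify_metadata(meta, trusted_version=4, now=now)["targets"]["app.bin"]
    return fetch_target(io.BytesIO(payload), info)

if __name__ == "__main__":
    print(demo())
```

A single leaked key cannot satisfy `THRESHOLD`, and a stream that keeps sending data is cut off one byte past the certified length.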

The published version of TUF 1.0.0 offers a completely rewritten reference implementation and a stabilized version of the TUF specification, which you can use as an out-of-the-box example when creating your own implementations or integrating into your projects.

The new implementation contains significantly less code (1400 lines instead of 4700), is easier to maintain, and can be easily extended, for example if you need to add support for specific network stacks, storage systems, or encryption algorithms.

The project is developed under the auspices of the Linux Foundation and is used to improve the security of update delivery in projects such as Docker, Fuchsia, Automotive Grade Linux, Bottlerocket, and PyPI (the inclusion of download verification and metadata in PyPI is expected soon).

Finally, if you are interested in learning a little more about it, you can consult the details at the following link.
