130 likes | 261 Views
TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering. Introduction. You need to update software Software update systems are widely insecure [Bellissimo HotSec 06, Cappos CCS 08, Samuel CCS 10] You don’t want to think about security.
E N D
TUF: Secure Software Updates Justin CapposNYU Poly Computer Science and Engineering
Introduction You need to update software Software update systems are widely insecure [Bellissimo HotSec 06, Cappos CCS 08, Samuel CCS 10] You don’t want to think about security
Is there a practical risk? Trivial to become an official mirror [Cappos 08] Often can even target specific nodes [Samuel login 09] Example attack that is fixed in modern package managers due to our work Find existing exploit code for an old version of a package that isn't installed Change the package metadata so the old version of the package is installed with any update After the computer does an update, remotely exploit it A knowledgeable attacker can root any system on PlanetLab today!
But security is simple, right? Just use HTTPS Common errors in how certificates are handled Online data becomes single point of weakness ... and add signatures to the software updates Attackers can perform a replay attack ... and add version numbers to the software updates Attackers can launch freeze attacks
But security is simple, right? (cont.) ...... and add a quorum of keys signature system for the root of trust, add signing by different compartmentalized key types, use online keys only to provide freeze attack protection and bound their trust window, etc. [Thandy software updater for Tor] We still found 8 design or implementation flaws The median Windows machine has ~24 updaters [Secunia] GENI -> MITM Having each developer build their own "secure" software update system will fail
Our approach for legacy systems Intercept traffic
Project roadmap Build an artifact early, add security mechanisms gradually Portability of the client library is key Work with Raven, Tor, PrimoGENI, PlanetLab, nmap, etc. Many pairs of eyes uncover bugs more easily Focus on supporting the developer / repository interface(s) used by GENI devels
TUF Conclusion Software update systems are extremely vulnerable Building a secure software update system is very hard We have the solution! We will: Securing legacy systems by exploiting their insecurity Working with different communities to ensure quality
Outline • Research Methodology • Seattle Testbed • CheckAPI • Shims • Lind • The Update Framework (TUF) UPPIR
Decorated Page • Bullet point • Subpoint • More bullet points
Subtle page Heading • Bullet points…