1 / 11

TUF: Securing Software Update Systems on GENI

Learn about the vulnerabilities in software update systems and how to build secure systems with client and repository libraries. Follow a three-year plan for planning, prototyping, deployment, and legacy system security.

pbellanger
Download Presentation

TUF: Securing Software Update Systems on GENI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TUF: Securing Software Update Systems on GENI Justin Cappos Department of Computer Science and Engineering University of Washington

  2. Introduction software update systems are ubiquitous [Secunia 09] • Package managers (YUM, APT, YaST) • Application updaters (Firefox, Skype, Tor) • Language library managers (easy-install, Ruby GEMS, etc.) Software update systems obtain updates from a repository software update systems are widely insecure [Bellissimo HotSec 06, Cappos CCS 08] We want to fix this.

  3. Is there a practical risk? (slide content omitted)

  4. But security is simple, right? Just use HTTPS     Common errors in how certificates are handled   Do you trust all CAs?     Online data becomes single point of weakness ... and add signatures to the software updates     Attackers can perform a replay attack ... and add version numbers to the software updates   Attackers can launch freeze attacks

  5. But security is simple, right? (cont.) ...... and add a quorum of keys signature system for the root of trust, add signing by different compartmentalized key types, use online keys only to provide freeze attack protection and bound their trust window, etc.   [Thandy software updater for Tor]     We still found 8 design / implementation flaws Having each developer build their own "secure" software update system will fail

  6. Our approach for new systems Build a client library that provides security for software update systems Build a repository library that correctly signs developer updates

  7. Year 1: Planning and Prototyping Overview write-up (complete) Client lib design document (complete) Repository lib design document (complete) Client & repository library prototypes (03/28/10) Developer push & example software updater(05/30/10) Trust delegation design (09/30/10)

  8. Year 2: Live Deployments Improve security mechanisms Ensure the client library is portable Work with live deployments Raven / Stork -- John Hartman and Scott Baker ?Tor / Thandy? -- Roger Dingledine and Nick Mathewson ??? Focus on supporting the developer / repository interface(s) used on GENI

  9. Year 3: Legacy Systems Must retain functionality of existing system Intercept traffic from insecure software update systems to transparently force it through the client library Provide feedback to the user / system administrator

  10. Conclusion Software update systems are extremely vulnerable Building a secure software update system is very hard We propose to:     Build a library for securing software update systems Use live deployments to ensure quality     Secure legacy systems by exploiting their insecurity http://www.updateframework.com http://groups.geni.net/geni/wiki/SecureUpdates

  11. Why focus on this threat? Existing implementations are insecure [Bellissimo 06, Cappos 08] Software update systems run as root Traditional defenses don't protect against attacks Ubiquitous An attack often appears benign  Attack code can be easily reused [EvilGrade] Trends show server attacks are on the rise [CERT]

More Related