TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering
If you can't read please download the document
description
TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering. Introduction. You need to update software Software update systems are widely insecure [Bellissimo HotSec 06, Cappos CCS 08, Samuel CCS 10] You don’t want to think about security. - PowerPoint PPT Presentation
Transcript of TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering
Credentials & Capabilities
TUF: Secure Software Updates
Justin Cappos NYU PolyComputer Science and Engineering
IntroductionYou need to update software
Software update systems are widely insecure [Bellissimo HotSec 06, Cappos CCS 08, Samuel CCS 10]
You dont want to think about securityIs there a practical risk?Trivial to become an official mirror [Cappos 08]
Often can even target specific nodes [Samuel login 09]
Example attack that is fixed in modern package managers due to our work
Find existing exploit code for an old version of a package that isn't installed
Change the package metadata so the old version of the package is installed with any update
After the computer does an update, remotely exploit it
A knowledgeable attacker can root any system on PlanetLab today!But security is simple, right?Just use HTTPS Common errors in how certificates are handled Online data becomes single point of weakness ... and add signatures to the software updates Attackers can perform a replay attack... and add version numbers to the software updates
Attackers can launch freeze attacksBut security is simple, right? (cont.)...... and add a quorum of keys signature system for the root of trust, add signing by different compartmentalized key types, use online keys only to provide freeze attack protection and bound their trust window, etc. [Thandy software updater for Tor]
We still found 8 design or implementation flaws
The median Windows machine has ~24 updaters [Secunia]
GENI -> MITM
Having each developer build their own "secure" software update system will failOur approach for new systems
Our approach for legacy systemsIntercept traffic
Project roadmapBuild an artifact early, add security mechanisms graduallyPortability of the client library is keyWork with Raven, Tor, PrimoGENI, PlanetLab, nmap, etc. Many pairs of eyes uncover bugs more easily
Focus on supporting the developer / repository interface(s) used by GENI develsTUF ConclusionSoftware update systems are extremely vulnerable
Building a secure software update system is very hard
We have the solution!
We will:
Securing legacy systems by exploiting their insecurity
Working with different communities to ensure quality
Research Methodology
Seattle TestbedCheckAPIShimsLind
The Update Framework (TUF)UPPIR
Outline
Bullet pointSubpoint
More bullet points
Decorated PageSubtle pageHeadingBullet points
