Software updates and TUF
TUF Love
Downloaded software can be compromised in several ways. You need a software update system that handles various attacks and provides end-to-end signing of the data. TUF can help.
Software in the modern world is connected, usually to the Internet, which means it is exposed to all kinds of attacks. The upside of connectivity is that people can use their phones to check email, websites, and the weather, as well as get driving directions with traffic data in real time. The downside is that users have never been more exposed to attack, and that exposure will only increase.
As problems in software are identified, the software is updated, and these updates are made available to customers who then deploy them (I hope). A typical Linux vendor fixes more than a thousand security issues a year, and other large vendors aren't far behind. They also ship updates to fix non-security related bugs, add new capabilities, and generally make better products.
Modern Building Blocks
Like interconnected systems, the value of software increases as it becomes more interconnected. Rather than reinvent the wheel and write your own HTTP(S) client, you simply call the best one offered by whatever language you're using. Developers have been doing this for decades through shared libraries, and it has become easier as vendors have added package management and as software languages have added repositories.
I have to admit, when I write Python or Ruby code, I rarely think about the magic that goes into statements like import foo
; things just work. However, this opens up potential security holes. What happens exactly when you import foo
? Well, it may cause an error if the package is not installed, or in some languages it may cause a software component to be downloaded directly from the Internet. If this action is not done securely, it could allow an attacker to insert malicious code into your system. But, wait, can an attacker really inject malicious software into software download on the fly? Yes.
To quote Wikipedia regarding FinFisher [1], for example, "The surveillance suite is installed after the target accepts installation of a fake update to commonly used software." Oh, and it also supports Linux (as well as Windows, Mac OS X, Android, iOS, BlackBerry, and Symbian). Additionally, in 2013, a number of revelations about spying capabilities and widespread usage were reported, which means the issue of compromised updates is no longer a theory but is actually happening. (Also see the "Internet Traffic Misdirection" box.)
Internet Traffic Misdirection
Renesys provides a number of routing-related products and services and is one of the few companies that not only tracks global Internet routing status but also publishes interesting results publicly. Renesys published a blog entry [9] in November 2013 detailing attacks they had seen in the wild that resulted in North American Internet traffic being rerouted through Belarus and, on another occasion, through Iceland. I'm pretty sure traffic sent within North America shouldn't cross the Atlantic Ocean.
Automatic Updates and Imports
To make matters worse, users really want automated updates and software imports; having things just work is extremely valuable. Having to babysit software updates across a few hundred systems instead of just running a single command line can be the difference between 15 minutes and one to two weeks of work. The good news is that most major vendors have gotten a lot better at releasing software that works with relative ease.
Automated processes are also much better for end users. For example, my parents have computers capable of automatically downloading and installing updates. This Christmas when I checked them, they were all actually up to date; in the past, they often had been missing security updates for weeks or months. The bad news is that many of these import and update systems do not use encryption or code signing to protect the software that you are downloading and running.
What You Need in an Update System
Most people agree that secure and reliable update and software deployment mechanisms are a good thing, but what exactly do you need in an update system for it to be secure? Please note that, for the purposes of this article, I'm going to equate software updates and software delivery as a single problem.
What do you need in an update system? At minimum, you need notification that updates exist, and you need a way to deliver these updates to the client securely. Chances are your system will need a pull mechanism on the client, because people are behind firewalls in most cases. You should also ensure that your updates can be delivered securely over untrusted and potentially hostile networks, like your local coffee shop's wireless LAN or the Internet. You should probably also shoot for allowing updates via servers or systems that you don't control (e.g., internal mirrors, web proxies, etc.), because some people will have to use them.
Generally speaking, the solution to moving data securely over untrusted networks and systems is cryptography. In this case, you're probably mostly concerned about authentication of the data; that is, you don't want it tampered with. You usually don't have to worry about the secrecy of updates, especially in the open source world, because people can just go to the vendor's FTP site and grab a copy of the update. That means you need end-to-end authentication of your data.
An update system should also handle compromises, accidents, and so forth. As I wrote this article, the OpenSSL website was compromised [2], not through any fault of their own. The hosting provider used poor passwords on the server hosting the virtual machine that ran www.openssl.org. Obviously, compromising this system would have allowed the attacker to modify or add new files to the /source/
directory; fortunately, they did not, also OpenSSL signs all their source code releases, using a key not stored on the server. The most practical solution to this class of problem is to use strong cryptographic signing of the source code or software that end users can easily verify. This means adding encryption key handling, which is not easy to get right. Fortunately, however, the TUF [3] guys have worked this all out (more on this later).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4
-
Fedora Unleashes Atomic Desktops
Fedora has combined its solid distribution with rpm-ostree system to make it possible to deliver a new family of Fedora spins, called Fedora Atomic Desktops.
-
Bootloader Vulnerability Affects Nearly All Linux Distributions
The developers of shim have released a version to fix numerous security flaws, including one that could enable remote control execution of malicious code under certain circumstances.