Software updates and TUF
TUF Love
Downloaded software can be compromised in several ways. You need a software update system that handles various attacks and provides end-to-end signing of the data. TUF can help.
Software in the modern world is connected, usually to the Internet, which means it is exposed to all kinds of attacks. The upside of connectivity is that people can use their phones to check email, websites, and the weather, as well as get driving directions with traffic data in real time. The downside is that users have never been more exposed to attack, and that exposure will only increase.
As problems in software are identified, the software is updated, and these updates are made available to customers who then deploy them (I hope). A typical Linux vendor fixes more than a thousand security issues a year, and other large vendors aren't far behind. They also ship updates to fix non-security related bugs, add new capabilities, and generally make better products.
Modern Building Blocks
Like interconnected systems, the value of software increases as it becomes more interconnected. Rather than reinvent the wheel and write your own HTTP(S) client, you simply call the best one offered by whatever language you're using. Developers have been doing this for decades through shared libraries, and it has become easier as vendors have added package management and as software languages have added repositories.
I have to admit, when I write Python or Ruby code, I rarely think about the magic that goes into statements like import foo
; things just work. However, this opens up potential security holes. What happens exactly when you import foo
? Well, it may cause an error if the package is not installed, or in some languages it may cause a software component to be downloaded directly from the Internet. If this action is not done securely, it could allow an attacker to insert malicious code into your system. But, wait, can an attacker really inject malicious software into software download on the fly? Yes.
To quote Wikipedia regarding FinFisher [1], for example, "The surveillance suite is installed after the target accepts installation of a fake update to commonly used software." Oh, and it also supports Linux (as well as Windows, Mac OS X, Android, iOS, BlackBerry, and Symbian). Additionally, in 2013, a number of revelations about spying capabilities and widespread usage were reported, which means the issue of compromised updates is no longer a theory but is actually happening. (Also see the "Internet Traffic Misdirection" box.)
Internet Traffic Misdirection
Renesys provides a number of routing-related products and services and is one of the few companies that not only tracks global Internet routing status but also publishes interesting results publicly. Renesys published a blog entry [9] in November 2013 detailing attacks they had seen in the wild that resulted in North American Internet traffic being rerouted through Belarus and, on another occasion, through Iceland. I'm pretty sure traffic sent within North America shouldn't cross the Atlantic Ocean.
Automatic Updates and Imports
To make matters worse, users really want automated updates and software imports; having things just work is extremely valuable. Having to babysit software updates across a few hundred systems instead of just running a single command line can be the difference between 15 minutes and one to two weeks of work. The good news is that most major vendors have gotten a lot better at releasing software that works with relative ease.
Automated processes are also much better for end users. For example, my parents have computers capable of automatically downloading and installing updates. This Christmas when I checked them, they were all actually up to date; in the past, they often had been missing security updates for weeks or months. The bad news is that many of these import and update systems do not use encryption or code signing to protect the software that you are downloading and running.
What You Need in an Update System
Most people agree that secure and reliable update and software deployment mechanisms are a good thing, but what exactly do you need in an update system for it to be secure? Please note that, for the purposes of this article, I'm going to equate software updates and software delivery as a single problem.
What do you need in an update system? At minimum, you need notification that updates exist, and you need a way to deliver these updates to the client securely. Chances are your system will need a pull mechanism on the client, because people are behind firewalls in most cases. You should also ensure that your updates can be delivered securely over untrusted and potentially hostile networks, like your local coffee shop's wireless LAN or the Internet. You should probably also shoot for allowing updates via servers or systems that you don't control (e.g., internal mirrors, web proxies, etc.), because some people will have to use them.
Generally speaking, the solution to moving data securely over untrusted networks and systems is cryptography. In this case, you're probably mostly concerned about authentication of the data; that is, you don't want it tampered with. You usually don't have to worry about the secrecy of updates, especially in the open source world, because people can just go to the vendor's FTP site and grab a copy of the update. That means you need end-to-end authentication of your data.
An update system should also handle compromises, accidents, and so forth. As I wrote this article, the OpenSSL website was compromised [2], not through any fault of their own. The hosting provider used poor passwords on the server hosting the virtual machine that ran www.openssl.org. Obviously, compromising this system would have allowed the attacker to modify or add new files to the /source/
directory; fortunately, they did not, also OpenSSL signs all their source code releases, using a key not stored on the server. The most practical solution to this class of problem is to use strong cryptographic signing of the source code or software that end users can easily verify. This means adding encryption key handling, which is not easy to get right. Fortunately, however, the TUF [3] guys have worked this all out (more on this later).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.