Insecure updates are the rule, not the exception
The Update Framework
As with most things in open source, you don't have to reinvent the wheel. The Update Framework (TUF) [5] is available under an open source license (but not one I recognize) and is written mostly in Python, so it's pretty understandable. Even better is that all the above security issues have been taken into account for the system design and implementation. It even addresses possible problems like key compromise.
One basic thing to keep in mind about security, especially for software updates, is that you need to make your system as secure as you can, but you also need to make it possible to return to a known good state (i.e., you have removed all the compromised packages and so on from your update infrastructure).
TUF places all of the heavy lifting on the server and end client. Thus, the intermediary mirror systems don't even need to know about it, which in turn makes deployment possible (trying to get a major mirror site to install some software so they can securely serve updates is a battle you will lose). Unfortunately, TUF isn't perfect – the only client is written in Python, so integrating it with non-Python software or on systems that don't natively support Python (e.g., Windows) will be difficult, to say the least. For more information, an excellent lightning talk is available on YouTube [6] that covers all the basics of TUF using PyPI.
Conclusion
You can certainly use TUF to secure updates, but, unfortunately, deploying TUF is nontrivial. You're going to need at least two servers (in case one fails) and some keys that will require management. That means it's probably not going to be used; in fact, I'm not aware of any software that uses TUF for updates. So, unless people start demanding that organizations and vendors, like WordPress, Drupal, Joomla, RubyGems, PyPI, Hackage, CPAN, and so on, start providing secure updates for all the code they make available, it isn't going to happen.
Kurt Seifried
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
Infos
- HTP Zine 5: http://straylig.ht/zines/HTP5/0x02_Linode.txt
- Social Media Widget remote file inclusion: http://seclists.org/oss-sec/2013/q2/83
- OpenPGP Card: http://en.wikipedia.org/wiki/OpenPGP_card
- Kernel Concepts Security/Smartcards: http://shop.kernelconcepts.de/index.php?cPath=1_26
- The Update Framework: https://www.updateframework.com/
- TUF lightning talk: https://www.youtube.com/watch?v=2sx1lS6cT3g
« Previous 1 2
Buy this article as PDF
(incl. VAT)