-
Notifications
You must be signed in to change notification settings - Fork 0
Home
To leverage the security mechanisms of the The Update Framework (TUF) to provide secure software updates for legacy applications.
Software updaters generally lack effective security mechanisms to assure the correctness and recency of the updated file. They typically use a cryptographic signature of the downloaded file and verify that a trusted key made the signature. This approach presents various security flaws: Rollback attack, where the attacker submits old files as latest updates Endless data attack, where the attacker issues an infinite stream of data when responding to an update request Malicious mirrors preventing updates, where the attacker takes control of a mirror and blocks all update requests. The Update Framework (TUF) provides security against the attacks enumerated above (and many more) by implementing mechanisms for various security checks. Examples of security checks are: timestamp check to prevent the download of outdated files, periodic mirror content check to make sure that mirrors contacted for updates are legitimate, and release check to verify metadata of the system are up to date. With TUF, software updaters do not interact with mirrors but instead rely on the features of TUF for secure file update. To integrate TUF in a software updaters, developers need to modify their current distutil setup. This may be difficult for legacy applications, where the setup is not available. In this project, we present an approach to automatically enable TUF for legacy software updaters, without the need to modify the application code.
- BugBounty - Can be used to report bugs to the developer.