TUF: Secure Software Updates in Python

Description

Presented by Geremy Condra

From an attacker's point of view there are few entry points with as much to offer as a vulnerable software updater, yet history tells us that such vulnerabilities are common. In this talk we'll demonstrate a number of attacks, explain how common approaches fail to defend against them, and demonstrate a pure Python library (TUF) that provides both robust protection and extreme ease of use.

Abstract

Vulnerabilities in software update systems expose users to a huge range of potential security risks, including:

  • Freeze attacks,
  • Mix-and-match attacks,
  • Rollback attacks, and
  • Endless data attacks

In the first part of this talk, we'll demonstrate each of these against real-world software updaters and explain how commonly used countermeasures fail in practice. We'll then move on to the second part of the talk, demonstrating TUF, its internals, and the mechanisms it uses to additionally defend against key compromise. Finally, we'll demonstrate how easy it is to integrate TUF into your application and its lifecycle.
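To make the four attacks above concrete, here is an added example (not code from the talk or from the TUF project) of a toy update client that applies the checks TUF-style signed metadata lets a client make: expiry against freeze attacks, monotonic metadata versions against rollback, a declared length against endless data, and a pinned digest against mix-and-match. The metadata layout, field names, the sample update and the attack streams are constructed for illustration; signature verification of the metadata, and TUF's multi-role, threshold-key design against key compromise, are assumed to have happened before these checks run.

```python
# Added example, not code from the talk or from the TUF project: a toy update
# client showing the checks TUF-style metadata enables against the four
# attacks named in the abstract. Metadata layout, field names and the sample
# update are constructed for illustration; signature verification of the
# metadata is assumed to have already succeeded.
import hashlib

PAYLOAD = b"app-1.2 payload bytes"   # constructed contents of the real update
TARGET = "app-1.2.tar.gz"

# A signed "snapshot" pins every target's length and digest and carries its
# own version number and expiry time.
SNAPSHOT = {
    "version": 7,
    "expires": 1_700_000_000,        # Unix time, chosen for the example
    "targets": {
        TARGET: {
            "length": len(PAYLOAD),
            "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
        }
    },
}


class UpdateRejected(Exception):
    pass


def verify_snapshot(snapshot, now, last_seen_version):
    # Freeze attack: an attacker replays old-but-valid metadata forever so the
    # client never learns about new releases. Expiry bounds how long that works.
    if snapshot["expires"] <= now:
        raise UpdateRejected("freeze: snapshot expired")
    # Rollback attack: an attacker serves metadata older than what the client
    # has already trusted. Version numbers must never go backwards.
    if snapshot["version"] < last_seen_version:
        raise UpdateRejected(
            "rollback: snapshot version %d is older than trusted version %d"
            % (snapshot["version"], last_seen_version))


def fetch_target(snapshot, name, read):
    # `read(n)` stands in for a network read returning up to n bytes.
    meta = snapshot["targets"][name]
    limit = meta["length"]
    # Endless data attack: the server streams bytes forever to fill the disk.
    # Never read past the length the signed metadata declared.
    data = read(limit + 1)
    if len(data) > limit:
        raise UpdateRejected("endless data: server sent more than declared")
    if len(data) < limit:
        raise UpdateRejected("truncated target")
    # Mix-and-match attack: a genuine but older target paired with new
    # metadata. The digest pinned in the snapshot must match what arrived.
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise UpdateRejected("mix-and-match: target digest does not match snapshot")
    return data


def check_update(snapshot, now, last_seen_version, name, read):
    """Return 'accepted' or 'rejected: <reason>' for one update attempt."""
    try:
        verify_snapshot(snapshot, now, last_seen_version)
        fetch_target(snapshot, name, read)
    except UpdateRejected as exc:
        return "rejected: %s" % exc
    return "accepted"


def scenarios():
    """Run the honest case and one constructed instance of each attack."""
    now = 1_699_999_000                      # before the snapshot expires
    honest = lambda n: PAYLOAD[:n]
    old_target = lambda n: b"app-1.1 payload bytes"[:n]   # same length, old bits
    endless = lambda n: b"A" * n             # always has more to send
    stale_snapshot = dict(SNAPSHOT, version=6)
    return {
        "honest": check_update(SNAPSHOT, now, 6, TARGET, honest),
        "freeze": check_update(SNAPSHOT, 1_700_000_001, 6, TARGET, honest),
        "rollback": check_update(stale_snapshot, now, 7, TARGET, honest),
        "endless_data": check_update(SNAPSHOT, now, 6, TARGET, endless),
        "mix_and_match": check_update(SNAPSHOT, now, 6, TARGET, old_target),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("%-14s %s" % (name, outcome))
```

Each attack is caught by a different field of the signed metadata, which is the point: a bare signature on the update file defends against none of them, because the replayed, downgraded, or mismatched artefacts are all genuinely signed. In a real deployment `last_seen_version` must be persisted across runs and `now` taken from a trustworthy clock, or the rollback and freeze checks are only as strong as local state the attacker may control.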