When the going gets tough,Get TUF going!

Riyaz Faizullabhoy - @riyazdf

Motivation

What is TUF?

Using TUF

Hermetic Builds

Where does software come from?

$> _

$>curl | sudo bash

$>apt-get install

• authenticity

$>apt-get install

• authenticity• integrity

$>apt-get install really-old-foo

$>#not after 2007 $>apt-get install really-old-foo

• authenticity• integrity• freshness

$> $pkg-manager install foo

• authenticity (TLS)• integrity (TLS)• freshness

• authenticity (TLS - transport only)• integrity (TLS - transport only)• freshness

foo

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAABCAAGBQJXUtcbAAoJEItIrWJGklVTp6oP/ROIMdfBerB+sKswke8mau1w aalsr6MmQgARItPhsQvFUaRXEXDJvefRdPJl+xDl1zUkJJhLJIsW9VmpBk19l2pU oWuiy6Ou9BWWA2qmS/3BKdmriuXp8LtjpQ2prj3jefOfIcUUlWtusATp0qM3JvGr UWFDkxzQAqZycwuY7n1e4YNyE30iAbPtWB3cKs6Bi7nNWREeQ9cAsJJPnVIl/e6t H3KI8F2QkQ/HwfN9KYfZKyChMubBKsl1txOlgHs1QLrrhft6kP3RDoKRhJTuPvnr 3QWH3Hlo6B/nqpX7hOcAkw6gfnpVe+SHBKOE8b93nTR4Gh7l1R1hjdUdO46rQLVy iz1WcWgJkMj13kePrDC3gM+CaT7O0ug4dQ1b1brPzuJwz7j7mHIIOUdwOZ+7OWf5 ppdxXB5E6/XJN2X26V3KdHTgfsFmu2eX9PaDIjA26XP8DtPOSaz6sYrPxQtRPS2w oSp8Kkgh4kVTftymKvDcbFp7OF1qhCxWkwvCB+StTI5s+aRfkIUqQkYS12EYI6b7 uQq0r5QjM6DzsnCRKrRh2EUzgHdfax1iIEY+kC2BvG+Xw6wHro47iR4gaRzR1c7x LRm5uxrGCq5zV9Lp+LBNGkAQJzivkm8ka7yYss5DIk6gVeTsHbcSLnmt4rUViZOp BsAoXDQUdfv80oIg39BMiQIcBAABCAAGBQJXUtcbAAoJEHY40EQrkNAQp6oQAIsl 7tPJpwTzKrv6r8gEQggyRvFEp8Ubi+/8wPf+AawutClXNONB5lLvceA0SEgwPH0L js+kDrmNZRQ65PAEUf0mWwq8kdNWTcVDfKvI/Te2tr65/yaVFTLDDoAsC9M5Q9QX i3h0xCZAT6hQSl7oSzWQIJkAqAer/9ctvYE6S9hAyiUIj9MQUA/PPBmEUcxKlADd Rjg2JHJJFODkciHWyQboU7UAOwpGIW/LFgFlr+nMomP/wQoZdOKyKS0QG8I0dxbh o19tvoxBN32KS6yQM1oQDhvXIlvZiirohBCXSVXiLYIzEzZfcLqP9cRGOUlzMtKw P9m1tM0Lx+yY8OZTshedR+u+6lW+vdPQ0Ar3MzE+98DE3zT+NDgGUJQNAtfkFesW az6bMS07c947zbBZIAg0iO0ys2PCI7bwNdJAJ9VjujAKZ5R5c9IZOltF3RRiQcn9 QODaFM4cGrndS53tmtjR2vPNoEk8jVR0mbp6Nyr7t4sgCGkiDyqO1xZOIOX1pCMQ seD6XOq2cWTSSisIRo8Cccdo3ciE4yfYZQ/3+gLaqDOrtBIGxj9iumS1ELI6XHb7 7LjYz72Z5gjzK2X+jQCJFD/QNZv4n8dkoYgRVk4ZgEg+BuctUA85RggaLR2R9JCV NRcXJtGybbGDQ85vFuzLYyUrSnfc5Vcm31tcy94h =nSRR -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAABCAAGBQJXUtcbAAoJEItIrWJGklVTp6oP/ROIMdfBerB+sKswke8mau1w aalsr6MmQgARItPhsQvFUaRXEXDJvefRdPJl+xDl1zUkJJhLJIsW9VmpBk19l2pU oWuiy6Ou9BWWA2qmS/3BKdmriuXp8LtjpQ2prj3jefOfIcUUlWtusATp0qM3JvGr UWFDkxzQAqZycwuY7n1e4YNyE30iAbPtWB3cKs6Bi7nNWREeQ9cAsJJPnVIl/e6t H3KI8F2QkQ/HwfN9KYfZKyChMubBKsl1txOlgHs1QLrrhft6kP3RDoKRhJTuPvnr 3QWH3Hlo6B/nqpX7hOcAkw6gfnpVe+SHBKOE8b93nTR4Gh7l1R1hjdUdO46rQLVy iz1WcWgJkMj13kePrDC3gM+CaT7O0ug4dQ1b1brPzuJwz7j7mHIIOUdwOZ+7OWf5 ppdxXB5E6/XJN2X26V3KdHTgfsFmu2eX9PaDIjA26XP8DtPOSaz6sYrPxQtRPS2w oSp8Kkgh4kVTftymKvDcbFp7OF1qhCxWkwvCB+StTI5s+aRfkIUqQkYS12EYI6b7 uQq0r5QjM6DzsnCRKrRh2EUzgHdfax1iIEY+kC2BvG+Xw6wHro47iR4gaRzR1c7x LRm5uxrGCq5zV9Lp+LBNGkAQJzivkm8ka7yYss5DIk6gVeTsHbcSLnmt4rUViZOp BsAoXDQUdfv80oIg39BMiQIcBAABCAAGBQJXUtcbAAoJEHY40EQrkNAQp6oQAIsl 7tPJpwTzKrv6r8gEQggyRvFEp8Ubi+/8wPf+AawutClXNONB5lLvceA0SEgwPH0L js+kDrmNZRQ65PAEUf0mWwq8kdNWTcVDfKvI/Te2tr65/yaVFTLDDoAsC9M5Q9QX i3h0xCZAT6hQSl7oSzWQIJkAqAer/9ctvYE6S9hAyiUIj9MQUA/PPBmEUcxKlADd Rjg2JHJJFODkciHWyQboU7UAOwpGIW/LFgFlr+nMomP/wQoZdOKyKS0QG8I0dxbh o19tvoxBN32KS6yQM1oQDhvXIlvZiirohBCXSVXiLYIzEzZfcLqP9cRGOUlzMtKw P9m1tM0Lx+yY8OZTshedR+u+6lW+vdPQ0Ar3MzE+98DE3zT+NDgGUJQNAtfkFesW az6bMS07c947zbBZIAg0iO0ys2PCI7bwNdJAJ9VjujAKZ5R5c9IZOltF3RRiQcn9 QODaFM4cGrndS53tmtjR2vPNoEk8jVR0mbp6Nyr7t4sgCGkiDyqO1xZOIOX1pCMQ seD6XOq2cWTSSisIRo8Cccdo3ciE4yfYZQ/3+gLaqDOrtBIGxj9iumS1ELI6XHb7 7LjYz72Z5gjzK2X+jQCJFD/QNZv4n8dkoYgRVk4ZgEg+BuctUA85RggaLR2R9JCV NRcXJtGybbGDQ85vFuzLYyUrSnfc5Vcm31tcy94h =nSRR -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAABCAAGBQJXUtcbAAoJEItIrWJGklVTp6oP/ROIMdfBerB+sKswke8mau1w aalsr6MmQgARItPhsQvFUaRXEXDJvefRdPJl+xDl1zUkJJhLJIsW9VmpBk19l2pU oWuiy6Ou9BWWA2qmS/3BKdmriuXp8LtjpQ2prj3jefOfIcUUlWtusATp0qM3JvGr UWFDkxzQAqZycwuY7n1e4YNyE30iAbPtWB3cKs6Bi7nNWREeQ9cAsJJPnVIl/e6t H3KI8F2QkQ/HwfN9KYfZKyChMubBKsl1txOlgHs1QLrrhft6kP3RDoKRhJTuPvnr 3QWH3Hlo6B/nqpX7hOcAkw6gfnpVe+SHBKOE8b93nTR4Gh7l1R1hjdUdO46rQLVy iz1WcWgJkMj13kePrDC3gM+CaT7O0ug4dQ1b1brPzuJwz7j7mHIIOUdwOZ+7OWf5 ppdxXB5E6/XJN2X26V3KdHTgfsFmu2eX9PaDIjA26XP8DtPOSaz6sYrPxQtRPS2w oSp8Kkgh4kVTftymKvDcbFp7OF1qhCxWkwvCB+StTI5s+aRfkIUqQkYS12EYI6b7 uQq0r5QjM6DzsnCRKrRh2EUzgHdfax1iIEY+kC2BvG+Xw6wHro47iR4gaRzR1c7x LRm5uxrGCq5zV9Lp+LBNGkAQJzivkm8ka7yYss5DIk6gVeTsHbcSLnmt4rUViZOp BsAoXDQUdfv80oIg39BMiQIcBAABCAAGBQJXUtcbAAoJEHY40EQrkNAQp6oQAIsl 7tPJpwTzKrv6r8gEQggyRvFEp8Ubi+/8wPf+AawutClXNONB5lLvceA0SEgwPH0L js+kDrmNZRQ65PAEUf0mWwq8kdNWTcVDfKvI/Te2tr65/yaVFTLDDoAsC9M5Q9QX i3h0xCZAT6hQSl7oSzWQIJkAqAer/9ctvYE6S9hAyiUIj9MQUA/PPBmEUcxKlADd Rjg2JHJJFODkciHWyQboU7UAOwpGIW/LFgFlr+nMomP/wQoZdOKyKS0QG8I0dxbh o19tvoxBN32KS6yQM1oQDhvXIlvZiirohBCXSVXiLYIzEzZfcLqP9cRGOUlzMtKw P9m1tM0Lx+yY8OZTshedR+u+6lW+vdPQ0Ar3MzE+98DE3zT+NDgGUJQNAtfkFesW az6bMS07c947zbBZIAg0iO0ys2PCI7bwNdJAJ9VjujAKZ5R5c9IZOltF3RRiQcn9 QODaFM4cGrndS53tmtjR2vPNoEk8jVR0mbp6Nyr7t4sgCGkiDyqO1xZOIOX1pCMQ seD6XOq2cWTSSisIRo8Cccdo3ciE4yfYZQ/3+gLaqDOrtBIGxj9iumS1ELI6XHb7 7LjYz72Z5gjzK2X+jQCJFD/QNZv4n8dkoYgRVk4ZgEg+BuctUA85RggaLR2R9JCV NRcXJtGybbGDQ85vFuzLYyUrSnfc5Vcm31tcy94h =nSRR -----END PGP SIGNATURE-----

$>apt-get install really-old-foo

Freeze and Rollback Attacks?

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAABCAAGBQJXUtcbAAoJEItIrWJGklVTp6oP/ROIMdfBerB+sKswke8mau1w aalsr6MmQgARItPhsQvFUaRXEXDJvefRdPJl+xDl1zUkJJhLJIsW9VmpBk19l2pU oWuiy6Ou9BWWA2qmS/3BKdmriuXp8LtjpQ2prj3jefOfIcUUlWtusATp0qM3JvGr UWFDkxzQAqZycwuY7n1e4YNyE30iAbPtWB3cKs6Bi7nNWREeQ9cAsJJPnVIl/e6t H3KI8F2QkQ/HwfN9KYfZKyChMubBKsl1txOlgHs1QLrrhft6kP3RDoKRhJTuPvnr 3QWH3Hlo6B/nqpX7hOcAkw6gfnpVe+SHBKOE8b93nTR4Gh7l1R1hjdUdO46rQLVy iz1WcWgJkMj13kePrDC3gM+CaT7O0ug4dQ1b1brPzuJwz7j7mHIIOUdwOZ+7OWf5 ppdxXB5E6/XJN2X26V3KdHTgfsFmu2eX9PaDIjA26XP8DtPOSaz6sYrPxQtRPS2w oSp8Kkgh4kVTftymKvDcbFp7OF1qhCxWkwvCB+StTI5s+aRfkIUqQkYS12EYI6b7 uQq0r5QjM6DzsnCRKrRh2EUzgHdfax1iIEY+kC2BvG+Xw6wHro47iR4gaRzR1c7x LRm5uxrGCq5zV9Lp+LBNGkAQJzivkm8ka7yYss5DIk6gVeTsHbcSLnmt4rUViZOp BsAoXDQUdfv80oIg39BMiQIcBAABCAAGBQJXUtcbAAoJEHY40EQrkNAQp6oQAIsl 7tPJpwTzKrv6r8gEQggyRvFEp8Ubi+/8wPf+AawutClXNONB5lLvceA0SEgwPH0L js+kDrmNZRQ65PAEUf0mWwq8kdNWTcVDfKvI/Te2tr65/yaVFTLDDoAsC9M5Q9QX i3h0xCZAT6hQSl7oSzWQIJkAqAer/9ctvYE6S9hAyiUIj9MQUA/PPBmEUcxKlADd Rjg2JHJJFODkciHWyQboU7UAOwpGIW/LFgFlr+nMomP/wQoZdOKyKS0QG8I0dxbh o19tvoxBN32KS6yQM1oQDhvXIlvZiirohBCXSVXiLYIzEzZfcLqP9cRGOUlzMtKw P9m1tM0Lx+yY8OZTshedR+u+6lW+vdPQ0Ar3MzE+98DE3zT+NDgGUJQNAtfkFesW az6bMS07c947zbBZIAg0iO0ys2PCI7bwNdJAJ9VjujAKZ5R5c9IZOltF3RRiQcn9 QODaFM4cGrndS53tmtjR2vPNoEk8jVR0mbp6Nyr7t4sgCGkiDyqO1xZOIOX1pCMQ seD6XOq2cWTSSisIRo8Cccdo3ciE4yfYZQ/3+gLaqDOrtBIGxj9iumS1ELI6XHb7 7LjYz72Z5gjzK2X+jQCJFD/QNZv4n8dkoYgRVk4ZgEg+BuctUA85RggaLR2R9JCV NRcXJtGybbGDQ85vFuzLYyUrSnfc5Vcm31tcy94h =nSRR -----END PGP SIGNATURE-----

Survivable Key Compromise?

• authenticity • integrity• freshness• survivable key compromise

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAABCAAGBQJXUtcbAAoJEItIrWJGklVTp6oP/ROIMdfBerB+sKswke8mau1w aalsr6MmQgARItPhsQvFUaRXEXDJvefRdPJl+xDl1zUkJJhLJIsW9VmpBk19l2pU oWuiy6Ou9BWWA2qmS/3BKdmriuXp8LtjpQ2prj3jefOfIcUUlWtusATp0qM3JvGr UWFDkxzQAqZycwuY7n1e4YNyE30iAbPtWB3cKs6Bi7nNWREeQ9cAsJJPnVIl/e6t H3KI8F2QkQ/HwfN9KYfZKyChMubBKsl1txOlgHs1QLrrhft6kP3RDoKRhJTuPvnr 3QWH3Hlo6B/nqpX7hOcAkw6gfnpVe+SHBKOE8b93nTR4Gh7l1R1hjdUdO46rQLVy iz1WcWgJkMj13kePrDC3gM+CaT7O0ug4dQ1b1brPzuJwz7j7mHIIOUdwOZ+7OWf5 ppdxXB5E6/XJN2X26V3KdHTgfsFmu2eX9PaDIjA26XP8DtPOSaz6sYrPxQtRPS2w oSp8Kkgh4kVTftymKvDcbFp7OF1qhCxWkwvCB+StTI5s+aRfkIUqQkYS12EYI6b7 uQq0r5QjM6DzsnCRKrRh2EUzgHdfax1iIEY+kC2BvG+Xw6wHro47iR4gaRzR1c7x LRm5uxrGCq5zV9Lp+LBNGkAQJzivkm8ka7yYss5DIk6gVeTsHbcSLnmt4rUViZOp BsAoXDQUdfv80oIg39BMiQIcBAABCAAGBQJXUtcbAAoJEHY40EQrkNAQp6oQAIsl 7tPJpwTzKrv6r8gEQggyRvFEp8Ubi+/8wPf+AawutClXNONB5lLvceA0SEgwPH0L js+kDrmNZRQ65PAEUf0mWwq8kdNWTcVDfKvI/Te2tr65/yaVFTLDDoAsC9M5Q9QX i3h0xCZAT6hQSl7oSzWQIJkAqAer/9ctvYE6S9hAyiUIj9MQUA/PPBmEUcxKlADd Rjg2JHJJFODkciHWyQboU7UAOwpGIW/LFgFlr+nMomP/wQoZdOKyKS0QG8I0dxbh o19tvoxBN32KS6yQM1oQDhvXIlvZiirohBCXSVXiLYIzEzZfcLqP9cRGOUlzMtKw P9m1tM0Lx+yY8OZTshedR+u+6lW+vdPQ0Ar3MzE+98DE3zT+NDgGUJQNAtfkFesW az6bMS07c947zbBZIAg0iO0ys2PCI7bwNdJAJ9VjujAKZ5R5c9IZOltF3RRiQcn9 QODaFM4cGrndS53tmtjR2vPNoEk8jVR0mbp6Nyr7t4sgCGkiDyqO1xZOIOX1pCMQ seD6XOq2cWTSSisIRo8Cccdo3ciE4yfYZQ/3+gLaqDOrtBIGxj9iumS1ELI6XHb7 7LjYz72Z5gjzK2X+jQCJFD/QNZv4n8dkoYgRVk4ZgEg+BuctUA85RggaLR2R9JCV NRcXJtGybbGDQ85vFuzLYyUrSnfc5Vcm31tcy94h =nSRR -----END PGP SIGNATURE-----

Trust Thresholding?

• authenticity • integrity• freshness• survivable key compromise• thresholding

• authenticity • integrity• freshness• survivable key compromise• thresholding

• authenticity • integrity• freshness• survivable key compromise• thresholding• ease of use

Get TUF(The Update Framework)

•Diplomat: Using Delegations to Protect Community Repositories •Survivable Key Compromise in Software Update Systems •A Look in the Mirror: Attacks on Package Managers •Package Management Security

TUF repository

TUF repository packages

root timestamp snapshot targets delegation

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

USA

Switzerland

China

Offline for security

• Backup in bank vault

• Use signing hardware

TUF repository packages

?

java : { hashes }openssl : { hashes }…

Expiry: ...

Targets Metadata

Keys: { Alice: Bob:}

Expiry: ...

Targets Metadata

A

B

java:openssl:

[Alice][Bob]

Delegation Metadata

Ajava-8-jre : { hashes }java-7-jre : { hashes }...Expiry: ...

Bopenssl-1.0.1t : { hashes }openssl-1.0.2h : { hashes }...Expiry: ...

java-8-jre java-7-jre

openssl-1.0.1t openssl-1.0.2h

A

B

openssl-1.0.1t openssl-1.0.2h

java java-8-jdkjava-7-jdk

java-8-jrejava-7-jre

apt

openssl

A

B

C

A

jdk

jre

openssl-1.0.1t openssl-1.0.2h

java java-8-jdkjava-7-jdk

java-8-jrejava-7-jre

apt

openssl

A

B

C

A

jdk

jre

E

D

• authenticity • integrity• freshness• survivable key compromise• thresholding

• authenticity • integrity• freshness• survivable key compromise• thresholding

• authenticity • integrity• freshness• survivable key compromise• thresholding

Root : { hashes }Targets : { hashes }

Alice : { hashes }Bob : { hashes }…

Expiry: ...

Snapshot Metadata

• authenticity • integrity• freshness• survivable key compromise• thresholding

Snapshot : { hashes }

…

Expiry: 24 hours from now

Timestamp Metadata

openssl-1.0.1t openssl-1.0.2h

java java-8-jdkjava-7-jdk

java-8-jrejava-7-jre

apt

openssl

A

B

C

A

jdk

jre

E

D X

• authenticity • integrity• freshness• survivable key compromise• thresholding

#

# #

#

#

#

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Metadata Lifetime

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Keeping Freshness

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Snapshot Expired!

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign a new Snapshot

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign a new Timestamp to point the Snapshot

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Want to publish something?

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign the hash into a new Targets or Delegation file

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign a new Snapshot that references this Targets file

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign a new Timestamp that references the new Snapshot

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Situation normal

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Oh no, I think my Snapshot key was compromised!

t

Compromise is “when” not “if”

Root: Timestamp: Snapshot: Targets:

Root Metadata

Root: Timestamp: Snapshot: Targets:

Root Metadata

Snapshot Metadata

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Before recovery

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Create and sign the new Snapshot key into Root

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign a new Snapshot with the new key

t

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Sign new Timestamp to reference new Snapshot

t

• authenticity • integrity• freshness• survivable key compromise• thresholding• ease of use

coming soon!

GPG TUF

• …• auditability

?

How can we start using TUF?

Demo

• ease of use?

Demo

• authenticity • integrity• freshness• survivable key compromise• thresholding• ease of use

github.com/docker/notary

$> export DOCKER_CONTENT_TRUST=1

alpine

latest: {hash} edge: {hash} 2.6: {hash} 3.3: {hash} 3.4: {hash}

alpine

$> $pkg-manager install openssl

Design Goals: - root of trust in package manager maintainers - with thresholding

- freshness guarantees

- signed index of all packages

- signed package targets by package maintainers - name to hash resolution - with thresholding

package-manager maintainer(s)

freshness

package-manager maintainer(s)

signs indexfreshness

package-manager maintainer(s)

signs indexfreshness

maintainer keys

package-manager maintainer(s)

signs indexfreshness

maintainer keys

openssl: {hash}

package-manager maintainer(s)

Future work: hermetic builds

Learn More• Read the spec:

• github.com/theupdateframework/tuf/ (docs/tuf-spec.txt)

• Look at Notary: • github.com/docker/notary

• Read the Docker Content Trust docs:• docs.docker.com/engine/security/trust/content_trust/

THANK YOU

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

Appendix: root key rotations

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

Appendix: root key rotations

Root:

Timestamp:

Snapshot:

Targets:

newRoot:

Timestamp:

Snapshot:

Targets:

old

Appendix: root key rotations

Root:

Timestamp:

Snapshot:

Targets:

newRoot:

Timestamp:

Snapshot:

Targets:

oldXAppendix: root key rotations

Appendix: DCT pull flow

Appendix: DCT pull flow

uses manifest/layer merkle tree