It’s ironic that the mechanism used to deliver security updates to installed devices can itself make an entire fleet of devices vulnerable to attack. The TUF framework provides the best available means to protect software updates. Here we outline what TUF is and its basic principles of operation.
Cyber-threats to embedded devices can emerge at any time during the life of a product, so delivering and installing patches or updates is an essential method for maintaining the security of a fleet of devices after release to the end user. But the protection provided by an update that addresses a new vulnerability or fixes a bug is worthless if the mechanism for delivering the update is not itself secure.
In fact, an insecure update mechanism creates a dangerous opening for cyber-attackers, who can potentially use it to introduce malware into a device, or to lock a device in an unprotected state, leaving it open to attack.
This problem was the inspiration for the creation of an open-source software (OSS) update security system, The Update Framework (TUF), by University of Washington researchers in 2009. Now part of the Cloud Native Computing Foundation, TUF has become the computing industry’s preferred method for assuring update security. It is fully integrated into the FoundriesFactory platform. Here we explain why.
The problem that TUF solves
To obtain and install an update, a device in the field has to:
- Know when an update is available for download
- Download the update
- Apply the changes introduced by the update
TUF performs the first two of these steps; the device’s software update application – not TUF – implements the third.
The benefit of incorporating TUF into a fleet’s update mechanism is that it guards against most attacks which can occur during or after an update, such as when:
- An attacker keeps giving a device the same file, so it never realizes an updated version is available
- An attacker provides an older, insecure version of a file that a device already has, and tricks it into thinking the older version is in fact newer. The device downloads and installs the older file as though it were an update rather than a rollback.
- An attacker provides a newer version of a file that a device already has, but not the newest one. The device installs it in the (correct) belief that it is an update, but still retains vulnerabilities that may be exploitable by the attacker.
- An attacker compromises the key used to sign an update file. The device downloads a file that appears to be properly signed but is malicious.
These are common threats to updates and update systems, but there are many more. TUF provides protection against them.
How TUF keeps software update files secure
TUF’s name suggests that it is a ‘framework’, a term which would normally imply a set of libraries and protocols for implementing a function. In fact, the main basis of TUF is a set of rules or guidelines for key management and file signing, together with protocols for implementing, logging and attesting their execution.
Arguably the most important element of this ‘framework’ is the practice of using multiple root keys, so that even if one root key is compromised, the system can continue to maintain security because of the high probability that the remaining root keys remain secure. Supporting this approach is the concept of key delegation, so that the root keys do not have to be used often. This allows the device OEM to quarantine each root key in a different and highly protected location without suffering frequent inconvenience. In fact, the more inconvenient the key storage is, the harder it is for an attacker to compromise a key.
The root keys are used to create delegated keys which are used in regular security operations, and which can be periodically, or on demand, replaced or superseded by a fresh key delegation.
So instead of a single key validating an update, multiple independent keys must approve the process. This mirrors the way that high-security financial transactions require multiple approvals, so that no single point of failure can compromise the system.
Complex security operations under the hood
So how do TUF’s processes protect software upgrade files?
TUF works by adding verifiable records about the state of a repository or application. By adding metadata, TUF creates a record that can be checked to verify the authenticity of an update file.
In practice, TUF identifies the updates, downloads them, and checks them against the metadata that it also downloads from the repository. If the downloaded target files are trustworthy, TUF hands them over to the device’s software update application for installation. In the absence of correct authentication, based on signatures ultimately protected by the integrity of the root keys, TUF rejects the update file, and prevents it from being installed.
TUF also provides a function called role delegation, which enables the product owner to designate individuals (such as those responsible within a development team for software maintenance) as authorized to perform a critical function, such as releasing an update. This designation is itself protected by signatures created by delegation keys that are derived from the root keys.
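As an added illustration (not code from the original post, and not python-tuf's own API), the following simplified client applies the checks described in this section to the attacks listed earlier: a 2-of-3 signing threshold so one compromised key is not enough, a version check against rollback, an expiry check against freeze attacks, and a length/hash check on the target file itself. The key ids, the HMAC stand-in for signatures, and the sample targets metadata are all constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed stand-in keys: real TUF uses asymmetric keys (e.g. Ed25519) and a device
# holds only the public halves; HMAC is used so this runs offline with the stdlib.
KEYS = {"k1": b"secret-1", "k2": b"secret-2", "k3": b"secret-3"}
ROOT = {"trusted": {"k1", "k2", "k3"}, "threshold": 2}  # constructed: 2 of 3 must sign

def canonical(signed):
    """TUF signs a canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sig_for(keyid, signed):
    return hmac.new(KEYS[keyid], canonical(signed), "sha256").hexdigest()

def sign(keyids, signed):
    """Wrap a metadata body with one signature per key id."""
    return {"signed": signed, "signatures": {k: sig_for(k, signed) for k in keyids}}

def target_entry(content):
    """What the targets metadata records about a file: its length and hash."""
    return {"length": len(content), "sha256": hashlib.sha256(content).hexdigest()}

def verify_metadata(meta, root, last_version, now_iso):
    """Apply the checks the text describes; raise ValueError on any failure."""
    signed = meta["signed"]
    good = {k for k, s in meta["signatures"].items()
            if k in root["trusted"] and hmac.compare_digest(s, sig_for(k, signed))}
    if len(good) < root["threshold"]:  # one compromised key is not enough to pass
        raise ValueError(f"threshold: {len(good)} of {root['threshold']} valid signatures")
    if signed["version"] < last_version:  # older metadata is a rollback, not an update
        raise ValueError("rollback: version is older than the trusted version")
    if datetime.fromisoformat(signed["expires"]) <= datetime.fromisoformat(now_iso):
        raise ValueError("freeze: metadata has expired")  # replaying stale metadata fails
    return signed

def check(meta, last_version=1, now_iso="2025-06-01T00:00:00", target=None):
    """Return 'ok' or the failing check name; target=(name, content) also checks the file."""
    try:
        signed = verify_metadata(meta, ROOT, last_version, now_iso)
        if target is not None and signed["targets"][target[0]] != target_entry(target[1]):
            raise ValueError("target: file does not match its signed length and hash")
        return "ok"
    except ValueError as e:
        return str(e).split(":")[0]
```

Only a metadata set that passes every check hands its target file on to the device's installer; each rejection names the attack category it stops.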
FoundriesFactory platform: TUF security in practice
The FoundriesFactory platform leverages TUF to address the critical security requirements of updating connected embedded devices. TUF provides a robust framework for enhancing the security of software updates, giving you greater confidence in the integrity of your devices. How does this translate to real-world benefits?
- Enhanced Security Across Diverse Fleets: Managing updates for a diverse range of devices can be complex. TUF helps standardize security practices, promoting consistent protection across your entire fleet, regardless of hardware or software variations.
- Granular Control Over Updates: Need to deploy updates to specific device groups? TUF's role delegation and targeting features give you fine-grained control, allowing for staged rollouts, A/B testing, and targeted patching.
- Comprehensive Audit Trails: Security best practices emphasize accountability. TUF provides detailed audit trails, allowing you to track every update, identify potential issues, and maintain a strong security posture. This transparency is essential for compliance and incident response.
- Faster Response to Vulnerabilities: In the constantly evolving security landscape, a swift response is crucial. TUF enables quick and efficient patching of vulnerabilities, reducing the window of exposure for your devices.
A key aspect of FoundriesFactory is the concept of immutable Targets. A Target represents a complete snapshot of the software intended for a device. This snapshot provides uniformity across your entire fleet, ensuring total awareness of what software is running on every device. This is essential for predictable and reliable updates, as you are assured that everything is uniform.
TUF plays a vital role in supporting this immutability. By cryptographically signing the Target's metadata, TUF makes it significantly more difficult for unauthorized modifications to go undetected. Before installing an update, devices use TUF to verify the signatures on the metadata, confirming that the Target is consistent with its intended state. This process helps protect against rollback attacks and the installation of malicious updates, increasing the likelihood that devices are running the intended software. To learn more about Targets, see our blog post: What is a Target?
This integration of TUF with immutable Targets strengthens the security of updates. The verification process helps mitigate various attacks, even if parts of your update infrastructure are compromised. TUF's multi-key security and delegation features further enhance this protection by distributing trust and limiting the impact of a potential single key compromise. For more information on these advanced concepts, refer to the FoundriesFactory documentation: Offline Factory TUF Keys
FoundriesFactory, powered by TUF, elevates software updates beyond simple file transfers. Updates are treated as critical security events, requiring multiple layers of authentication and verification. This framework helps device manufacturers and developers maintain device integrity throughout the product lifecycle, from factory to field, striving to ensure your devices are secure and up-to-date. Learn how FoundriesFactory can improve your update process: FoundriesFactory.