Justin Samuel
ABSTRACT
Today's software update systems have little or no defense against key compromise. As a result, key compromises have put millions of software update clients at risk. Here we identify three classes of information whose authenticity and integrity are critical for secure software updates. Analyzing existing software update systems with our framework, we find their ability to communicate this information securely in the event of a key compromise to be weak or nonexistent. We also find that the security problems in current software update systems are compounded by inadequate trust revocation mechanisms. We identify core security principles that allow software update systems to survive key compromise. Using these ideas, we design and implement TUF, a software update framework that increases resilience to key compromise.
- ]]M. Abdalla and L. Reyzin. A new forward-secure digital signature scheme. Advances in Cryptology - ASIACRYPT 2000, pages 116{129, 2000. Google Scholar
Digital Library
- ]]Francisco Amato. ISR-evilgrade. http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt.Google Scholar
- ]]Vulnerability note VU#944335 Apache web servers fail to handle chunks with a negative size, Jun 2002. http://www.kb.cert.org/vuls/id/944335.Google Scholar
- ]]APT HOWTO. http://www.debian.org/doc/manuals/apt-howto/.Google Scholar
- ]]A. Barth, A.P. Felt, P. Saxena, and A. Boodman. Protecting browsers from extension vulnerabilities. In Proc. of the 17th Network and Distributed System Security Symposium (NDSS 2010), 2010.Google Scholar
- ]]Mihir Bellare and Gregory Neven. Multi-signatures in the plain public-key model and a general forking lemma. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 390{399, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
- ]]Anthony Bellissimo, John Burgess, and Kevin Fu. Secure software updates: Disappointments and new challenges. In 1st USENIX Workshop on Hot Topics in Security, pages 37--43, Vancouver, Canada, Jul 2006. Google ScholarDigital Library
- ]]D. Boneh, X. Ding, G. Tsudik, and C.M. Wong. A method for fast revocation of public key certificates and security capabilities. In Proceedings of the 10th conference on USENIX Security Symposium-Volume 10, page 22. USENIX Association, 2001. Google ScholarDigital Library
- ]]Dan Boneh and David Brumley. Remote timing attacks are practical. In Proc. 12th USENIX Security Symposium, Washington, DC, Aug 2003. Google ScholarDigital Library
- ]]Canonical JSON - OLPC. http://wiki.laptop.org/go/Canonical_JSON.Google Scholar
- ]]Justin Cappos, Justin Samuel, Scott Baker, and John Hartman. A look in the mirror: Attacks on package managers. In Proc. 15th ACM Conference on Computer and Communications Security, pages 565--574, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
- ]]CERT/CC. CERT advisory CA-2000-09 flaw in PGP 5.0 key generation, May 2000. http://www.cert.org/advisories/CA-2000-09.html.Google Scholar
- ]]Bug 476766 - add China Internet Network Information Center (CNNIC) CA root certificate. https://bugzilla.mozilla.org/show_bug.cgi?id=476766.Google Scholar
- ]]Open client update protocol. http://omaha.googlecode.com/svn/wiki/cup.html.Google Scholar
- ]]Microsoft Corporation. Microsoft security bulletin MS01-017, Mar 2001. http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx.Google Scholar
- ]]CPAN. http://www.cpan.org/.Google Scholar
- ]]Internet x.509 public key infrastructure certificate and certificate revocation list (CRL) profile. http://tools.ietf.org/html/rfc5280.Google Scholar
- ]]Y. Desmedt. Society and group oriented cryptography: A new concept. In Advances in Cryptology - Crypto 1987, pages 120--127. Springer, 1987. Google ScholarDigital Library
- ]]Vulnerability note VU#800113 multiple DNS implementations vulnerable to cache poisoning. http://www.kb.cert.org/vuls/id/800113.Google Scholar
- ]]EasyInstall - the PEAK developers' center. http: //peak.telecommunity.com/DevCenter/EasyInstall.Google Scholar
- ]]New signing key. https://fedoraproject.org/wiki/New_signing_key.Google Scholar
- ]]Firefox update. http://www.mozilla.com/en-US/firefox/update/.Google Scholar
- ]]Paul W. Frields. Infrastructure report, 2008-08--22 UTC 1200, Aug 2008. https://www.redhat.com/archives/fedora- announce-list/2008-August/msg00012.html.Google Scholar
- ]]Omaha (google update). http://code.google.com/p/omaha/.Google Scholar
- ]]Update Engine and security: How to use Update Engine in a secure manner. http://code.google.com/p/update- engine/wiki/UpdateEngineAndSecurity.Google Scholar
- ]]Microsoft security bulletin MS08-006 - important vulnerability in internet information services could allow remote code execution (942830), Feb 2008. http://www.microsoft.com/technet/security/ bulletin/ms08-006.mspx.Google Scholar
- ]]M. Just and P.C. van Oorschot. Addressing the problem of undetected signature key compromise. In Proceedings of the Network and Distributed System Security Symposium, NDSS. Citeseer, 1999.Google Scholar
- ]]Werner Koch. {Announce} GnuPG's ElGamal signing keys compromised, Nov 2003. http://lists.gnupg.org/pipermail/gnupg- announce/2003q4/000160.html.Google Scholar
- ]]M. Mambo, K. Usuda, and E. Okamoto. Proxy signatures: Delegation of the power to sign messages. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 79(9):1338--1354, 1996.Google Scholar
- ]]Moxie Marlinspike. Defeating OCSP with the number 3, 2009. http: //www.thoughtcrime.org/papers/ocsp-attack.pdf.Google Scholar
- ]]Moxie Marlinspike. Null-prefix attacks against SSL certificates, 2009. http://www.thoughtcrime.org/papers/null- prefix-attacks.pdf.Google Scholar
- ]]Nick Mathewson. Thandy: Automatic updates for Tor bundles. https://git.torproject.org/checkout/ thandy/specs/thandy-spec.txt.Google Scholar
- ]]Nick Mathewson. Thandy: Secure update for Tor - Google open source blog. http://google-opensource.blogspot.com/2009/03/ thandy-secure-update-for-tor.html.Google Scholar
- ]]Extension versioning, update and compatibility: Securing updates. https://developer.mozilla.org/ en/Extension_Versioning%2c_Update_and_ Compatibility#Securing_Updates.Google Scholar
- ]]Microsoft SSL library remote compromise vulnerability (ms04-011, exploit), Apr 2004. http://www.securiteam.com/windowsntfocus/5CP0L0KCKO.html.Google Scholar
- ]]Greg Miller. Revving software with Update Engine, Sep 2008. http://googlemac.blogspot.com/2008/09/revving-software-with-update-engine.html.Google Scholar
- ]]Mirror manager security risks. http://fedoraproject.org/wiki/Mirror_manager_ security_risks.Google Scholar
- ]]Mozilla Labs Jetpack j Exploring new ways to extend and personalize the Web. https://jetpack.mozillalabs.com/.Google Scholar
- ]]M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. RFC2560: X. 509 Internet public key infrastructure online certificate status protocol-OCSP. Internet RFCs, 1999. Google ScholarDigital Library
- ]]M. Naor and K. Nissim. Certificate revocation and certificate update. In in Proceedings of the 7th USENIX Security Symposium, 1998. Google ScholarDigital Library
- ]]B.C. Neuman et al. Proxy-based authorization and accounting for distributed systems. In International Conference on Distributed Computing Systems, volume 13, pages 283--283. Citeseer, 1993.Google Scholar
- ]]O. Nordstrom and C. Dovrolis. Beware of BGP attacks. SIGCOMM Comput. Commun. Rev, 34(2):1--8, 2004. Google ScholarDigital Library
- ]]Vulnerability note VU#102795 OpenSSL servers contain a bu er overflow during the SSL2 handshake process, Aug 2002. http://www.kb.cert.org/vuls/id/102795.Google Scholar
- ]]PEAR - PHP Extension and Application Repository. http://pear.php.net/.Google Scholar
- ]]Python package index : Pypi. http://pypi.python.org/pypi.Google Scholar
- ]]Critical: openssh security update, Aug 2008. http://rhn.redhat.com/errata/RHSA-2008-0855.html.Google Scholar
- ]]R. Rivest. Can we eliminate certificate revocation lists? In Financial Cryptography, pages 178--183. Springer, 1998. Google ScholarDigital Library
- ]]RubyGems manuals. http://docs.rubygems.org/.Google Scholar
- ]]Signing your gems - RubyGems user guide. http://docs.rubygems.org/read/chapter/21.Google Scholar
- ]]Seattle: Open peer-to-peer computing. http://seattle.cs.washington.edu/.Google Scholar
- ]]V. Shoup. Practical threshold signatures. In Advances in Cryptology - EUROCRYPT 2000, pages 207--220. Springer, 2000. Google ScholarCross Ref
- ]]Christopher Soghoian and Sid Stamm. Certified lies: Detecting and defeating government interception attacks against SSL. Technical Report 684, Indiana University Computer Science Department, April 2010.Google ScholarCross Ref
- ]]Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. MD5 considered harmful today: Creating a rogue CA certificate, Dec 2008. http://www.win.tue.nl/hashclash/rogue-ca/.Google Scholar
- ]]Tor: anonymity online. http://www.torproject.org/.Google Scholar
- ]]Securing python package management - tuf: The update framework. http://www.updateframework.com/wiki/SecuringPythonPackageManagement.Google Scholar
- ]]/specs/tuf-spec.txt - TUF: The Update Framework. https://www.updateframework.com/browser/specs/tuf-spec.txt.Google Scholar
- ]]V. Varadharajan, P. Allen, and S. Black. An analysis of the proxy problem in distributed systems. In 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991. Proceedings., pages 255--275, 1991.Google ScholarCross Ref
- ]]Florian Weimer. {security} {DSA 1571--1} new openssl packages fix predictable random number generator, May 2008. http://lists.debian.org/debian- security-announce/2008/msg00152.html.Google Scholar
- ]]YaST - openSuSE. http://en.opensuse.org/YaST.Google Scholar
- ]]Yum: Yellow Dog Updater Modified. http://linux.duke.edu/projects/yum/.Google Scholar
Index Terms
- Survivable key compromise in software update systems
Recommendations
Revocable hierarchical identity-based encryption via history-free approach
In the context of Identity-Based Encryption (IBE), both revocation and delegation of key generation are important functionalities. Although a number of IBE schemes with either efficient revocation or efficient delegation of key generation functionality ...
Revocable IBE Systems with Almost Constant-Size Key Update
6th International Conference on Pairing-Based Cryptography --- Pairing 2013 - Volume 8365Identity-based encryption IBE has been regarded as an attractive alternative to more conventional certificate-based public key systems. It has recently attracted not only considerable research from the academic community, but also interest from the ...
Revocable hierarchical identity-based encryption
In practice, revocation functionality is indispensable to the public key cryptosystems since there are threats of leaking a secret key by hacking or legal situation of expiration of contract for using system. In the public key infrastructure setting, ...
Comments