LINUXCON EU v8 When the going gets tough, get...

When the going gets tough,Get TUF going!

Lily Guo - [email protected] Faizullabhoy - [email protected] / @riyazdf

Motivation

What is TUF?

Using TUF

Hermetic Builds

Where does software come from?

$>curl | sudo bash

$>apt-get install

• authenticity

$>apt-get install

• authenticity• integrity

$>apt-get install really-old-foo

$>#not after 2007 $>apt-get install really-old-foo

• authenticity• integrity• freshness

$> $pkg-manager install foo

• authenticity (TLS)• integrity (TLS)• freshness

• authenticity (TLS - transport only)• integrity (TLS - transport only)• freshness



$>apt-get install old-insecure-foo

Replay Attacks?



Survivable Key Compromise?



Trust Thresholding?

• authenticity • integrity• freshness• thresholding• survivable key compromise

• authenticity • integrity• freshness• thresholding• survivable key compromise• ease of use

Get TUF(The Update Framework)

•Diplomat: Using Delegations to Protect Community Repositories •Survivable Key Compromise in Software Update Systems •A Look in the Mirror: Attacks on Package Managers •Package Management Security

TUF repository

TUF repository packages

root timestamp snapshot targets delegation

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

USA

Switzerland

China

Offline for security

• Backup in bank vault

• Use signing hardware

TUF repository packages

?

java : { hashes }openssl : { hashes }…

Expiry: ...

Targets Metadata

Keys: { Alice: Bob:}

Expiry: ...

Targets Metadata

A

B

java:openssl:

[Alice][Bob]

Delegation Metadata

Ajava-8-jre : { hashes }java-7-jre : { hashes }...Expiry: ...

Bopenssl-1.0.1t : { hashes }openssl-1.0.2h : { hashes }...Expiry: ...

java-8-jre java-7-jre

openssl-1.0.1t openssl-1.0.2h

A

B


java java-8-jdkjava-7-jdk

java-8-jrejava-7-jre

apt

openssl

A

B

C

A

jdk

jre




apt

openssl

A

B

C

A

jdk

jre

E

D

Root : { hashes }Targets : { hashes }

Alice : { hashes }Bob : { hashes }…

Expiry: ...

Snapshot Metadata

Snapshot : { hashes }

…

Expiry: 24 hours from now

Timestamp Metadata

Snapshot : { hashes }

…

Expiry: 24 hours from now

Timestamp Metadata

XX




apt

openssl

A

B

C

A

jdk

jre

E

D X

# #

#

Timestamp

Lifetime

Snapshot

Targets/ Delegations

Root

Metadata Lifetime

t

Timestamp

Lifetime

Snapshot


Root

Keeping Freshness

t

Timestamp

Lifetime

Snapshot


Root

Snapshot Expired!

t

Timestamp

Lifetime

Snapshot


Root

Sign a new Snapshot

t

Timestamp

Lifetime

Snapshot


Root

Sign a new Timestamp to point the Snapshot

t

Timestamp

Lifetime

Snapshot


Root

Want to publish something?

t

Timestamp

Lifetime

Snapshot


Root

Sign the hash into a new Targets or Delegation file

t

Timestamp

Lifetime

Snapshot


Root

Sign a new Snapshot that references this Targets file

t

Timestamp

Lifetime

Snapshot


Root

Sign a new Timestamp that references the new Snapshot

t

Timestamp

Lifetime

Snapshot


Root

Situation normal

t

Timestamp

Lifetime

Snapshot


Root

Oh no, I think my Snapshot key was compromised!

t

Compromise is “when” not “if”

Root: Timestamp: Snapshot: Targets:

Root Metadata

Root: Timestamp: Snapshot: Targets:

Root Metadata

Snapshot Metadata

Timestamp

Lifetime

Snapshot


Root

Before recovery

t

Timestamp

Lifetime

Snapshot


Root

Create and sign the new Snapshot key into Root

t

Timestamp

Lifetime

Snapshot


Root

Sign a new Snapshot with the new key

t

Timestamp

Lifetime

Snapshot


Root

Sign new Timestamp to reference new Snapshot

t


coming soon!

GPG TUF

How can we start using TUF?

Demo

• ease of use?

github.com/docker/notary

http://github.com/docker/notary

alpine

latest: {hash} edge: {hash} 2.6: {hash} 3.3: {hash} 3.4: {hash}

alpine

$> export DOCKER_CONTENT_TRUST=1

$> $pkg-manager install openssl

Design Goals: - root of trust in package manager maintainers - with thresholding

- freshness guarantees

- signed index of all packages

- package targets signed by package maintainers - with thresholding

package-manager maintainer(s)

freshness


signs indexfreshness



maintainer keys



maintainer keys

openssl: {hash}


Future work: hermetic builds

Learn More• Read the spec:

• github.com/theupdateframework/tuf/ (docs/tuf-spec.txt)

• Look at Notary: • github.com/docker/notary

• Read the Docker Content Trust docs:• docs.docker.com/engine/security/trust/content_trust/

https://github.com/theupdateframework/tuf/

https://github.com/docker/notary

https://docs.docker.com/engine/security/trust/content_trust/

Booth D38 @ LinuxCon + ContainerCon

Thurs Oct 6th Orchestrating Linux Containers while Tolerating Failures - Drew ErnyUnikernels: When you Should and When you Shouldn’t - Amir ChaudhryBerlin Docker Meetup

Friday Oct 7th Tutorial: Comparing Container Orchestration Tools - Neependra KhareTutorial: Orchestrate Containers in Production at Scale with Docker Swarm - Jerome Petazzoni

THANK YOU

Root:

Timestamp:

Snapshot:

Targets:

Expiry: ...

Root Metadata

Appendix: root key rotations

Root:

Timestamp:

Snapshot:

Targets:

newRoot:

Timestamp:

Snapshot:

Targets:

old

Appendix: root key rotations

Root:

Timestamp:

Snapshot:

Targets:

newRoot:

Timestamp:

Snapshot:

Targets:

oldXAppendix: root key rotations

Appendix: DCT pull flow

Appendix: DCT pull flow

uses manifest/layer merkle tree

LINUXCON EU v8 When the going gets tough, get...

Documents

Transcript of LINUXCON EU v8 When the going gets tough, get...