A secure updater framework for Python
TUF (The Update Framework) helps developers secure their new or existing software update systems. Software update systems are vulnerable to many known attacks, including those that can result in clients being compromised or crashed. TUF helps solve this problem by providing a flexible security framework that can be added to software updaters.
Generally, a software update system is an application (or part of an application) running on a client system that obtains and installs software. This can include updates to software that is already installed or even completely new software.
Three major classes of software update systems are:
There are literally thousands of different software update systems in common use today. (In fact the average Windows user has about two dozen different software updaters on their machine!)
We are building a library that can be universally (and in most cases transparently) used to secure software update systems.
At the highest level, TUF simply provides applications with a secure method of obtaining files and knowing when new versions of files are available. We call these files, the ones that are supposed to be downloaded, “target files”. The most common need for these abilities is in software update systems and that’s what we had in mind when creating TUF.
On the surface, this all sounds simple. Securely obtaining updates just means:
The problem is that this is only simple when there are no malicious parties involved. If an attacker is trying to interfere with these seemingly simple steps, there is plenty they can do.
Let’s assume you take the approach that most systems do (at least, the ones that even try to be secure). You download both the file you want and a cryptographic signature of the file. You already know which key you trust to make the signature. You check that the signature is correct and was made by this trusted key. All seems well, right? Wrong. You are still at risk in many ways, including:
These are just some of the attacks software update systems are vulnerable to when only using signed files. See Security for a full list of attacks and updater weaknesses TUF is designed to prevent.
The following papers provide detailed information on securing software updater systems, TUF’s design and implementation details, attacks on package managers, and package management security:
In order to securely download and verify target files, TUF requires a few extra files to exist on a repository. These are called metadata files. TUF metadata files contain additional information, including information about which keys are trusted, the cryptographic hashes of files, signatures on the metadata, metadata version numbers, and the date after which the metadata should be considered expired.
When a software update system using TUF wants to check for updates, it asks TUF to do the work. That is, your software update system never has to deal with this additional metadata or understand what’s going on underneath. If TUF reports back that there are updates available, your software update system can then ask TUF to download these files. TUF downloads them and checks them against the TUF metadata that it also downloads from the repository. If the downloaded target files are trustworthy, TUF hands them over to your software update system. See Metadata for more information and examples.
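The checks described above (trusted keys, file hashes and lengths, metadata version numbers, expiry dates) are what make the difference between "a signed file" and a secure update. The following is an added illustration, not code from the TUF project: it models a reduced stand-in for TUF's targets metadata and runs five constructed scenarios (an honest update, a rollback to older but validly signed metadata, a freeze that replays expired metadata, a tampered target file, and metadata forged with an untrusted key). Signatures are modelled with HMAC-SHA256 under a constructed pre-shared key so the example runs with the standard library only; real TUF uses public-key signatures (ed25519 or RSASSA-PSS) and the client holds only public keys. The metadata field names and the helper functions are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key shared by repository and client for this illustration only.
# Real TUF uses public-key signatures; the client never holds a signing key.
TRUSTED_KEY = b"constructed-repository-signing-key"


def canonical(metadata: dict) -> bytes:
    """Canonical JSON so that exactly the same bytes are signed and verified."""
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()


def sign(metadata: dict, key: bytes = TRUSTED_KEY) -> dict:
    """Wrap metadata in a signed envelope (repository-side operation)."""
    sig = hmac.new(key, canonical(metadata), hashlib.sha256).hexdigest()
    return {"signed": metadata, "signature": sig}


def verify_metadata(envelope: dict, last_version: int, now: datetime) -> dict:
    """Return the trusted 'signed' section, or raise ValueError.

    A valid signature alone is not enough: genuinely signed but stale metadata
    must also be rejected, whether it is older than what the client already
    trusts (rollback) or past its expiry date (freeze)."""
    signed = envelope["signed"]
    expected = hmac.new(TRUSTED_KEY, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        raise ValueError("bad signature")
    if signed["version"] < last_version:
        raise ValueError("rollback: version %d < %d" % (signed["version"], last_version))
    if now >= datetime.fromisoformat(signed["expires"]):
        raise ValueError("metadata expired")
    return signed


def verify_target(signed: dict, name: str, data: bytes) -> bool:
    """Check a downloaded target's length and SHA-256 against trusted metadata."""
    info = signed["targets"].get(name)
    if info is None or len(data) != info["length"]:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), info["hashes"]["sha256"])


def check_update(envelope: dict, data: bytes, last_version: int, now: datetime,
                 name: str = "app.py") -> str:
    """Client decision for one target: 'accepted' or 'rejected: <reason>'."""
    try:
        signed = verify_metadata(envelope, last_version, now)
    except ValueError as exc:
        return "rejected: " + str(exc)
    if not verify_target(signed, name, data):
        return "rejected: target hash/length mismatch"
    return "accepted"


# --- constructed sample repository state -----------------------------------
TARGET_DATA = b"print('app version 2')\n"          # constructed target file
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed client clock


def targets_metadata(version: int, expires: str, data: bytes = TARGET_DATA) -> dict:
    """Build the reduced targets metadata used by this example."""
    return {"version": version, "expires": expires,
            "targets": {"app.py": {"length": len(data),
                                   "hashes": {"sha256": hashlib.sha256(data).hexdigest()}}}}


def run_scenarios() -> dict:
    """Honest update plus four attacks; rollback and freeze carry valid signatures."""
    fresh = sign(targets_metadata(2, "2030-01-01T00:00:00+00:00"))
    old = sign(targets_metadata(1, "2030-01-01T00:00:00+00:00"))    # genuine but superseded
    stale = sign(targets_metadata(2, "2020-01-01T00:00:00+00:00"))  # genuine but expired
    forged = sign(targets_metadata(3, "2030-01-01T00:00:00+00:00"), key=b"constructed-attacker-key")
    return {
        "honest": check_update(fresh, TARGET_DATA, last_version=1, now=NOW),
        "rollback": check_update(old, TARGET_DATA, last_version=2, now=NOW),
        "freeze": check_update(stale, TARGET_DATA, last_version=1, now=NOW),
        "tampered_target": check_update(fresh, b"malicious payload\n", last_version=1, now=NOW),
        "forged_metadata": check_update(forged, TARGET_DATA, last_version=1, now=NOW),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:16s} {outcome}")
```

Note that the rollback and freeze cases both carry signatures that verify correctly; only the version and expiry checks reject them, which is the point of the extra metadata. Real TUF layers more on top (separate roles and keys, delegations, key-threshold signing), but the decision shape is the same.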
TUF specification document is also available:
The home page for the TUF project can be found at: https://updateframework.com
Please visit https://groups.google.com/forum/?fromgroups#!forum/theupdateframework if you would like to contact the TUF team. Questions, feedback, and suggestions are welcomed in this low-volume mailing list.
A group feed is available at: https://groups.google.com/forum/feed/theupdateframework/msgs/atom.xml?num=50
pip - installing and managing Python packages (recommended)

Installing from the Python Package Index (https://pypi.python.org/pypi). Note: please use "pip install --no-use-wheel tuf" if your version of pip is <= 1.5.6.

  $ pip install tuf

Installing from a local source archive:

  $ pip install <path to archive>

Or from the root directory of the unpacked archive:

  $ pip install .
The optional tuf[tools] can be installed by repository maintainers that need to generate TUF repository files, such as metadata, cryptographic keys, and signatures. Whereas the minimal install can only verify ed25519 signatures and is intended for software updater clients, tuf[tools] provides repository maintainers secure ed25519 key and signature generation with PyNaCl / libsodium.
TUF tools also enable general-purpose cryptography with PyCrypto. Software updaters that want to support verification of RSASSA-PSS signatures should require their clients to install tuf[tools].
Installing extras does not work if the minimal install was a wheel (pip <= 1.5.6; see https://github.com/pypa/pip/issues/1885), so install the non-wheel package first:

  $ pip install --no-use-wheel tuf
  $ pip install tuf[tools]
Virtualenv is a tool to create isolated Python environments. It also includes pip and setuptools, the Python packages used to install TUF and its dependencies. All installation methods of virtualenv are outlined in its installation section; to install it locally from source:

  $ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.11.6.tar.gz
  $ tar xvfz virtualenv-1.11.6.tar.gz
  $ cd virtualenv-1.11.6
  $ python virtualenv.py myVE
PyCrypto and PyNaCl (third-party dependencies needed by the repository tools) require the Python and FFI (Foreign Function Interface) development header files. Debian-based distributions can install these header libraries with apt (Advanced Package Tool):

  $ apt-get install python-dev
  $ apt-get install libffi-dev
Installation of minimal, optional, development, and testing requirements can then be accomplished with one command:
  $ pip install -r dev-requirements.txt
The Update Framework’s unit tests can be executed by invoking tox. All supported Python versions are tested, but must already be installed locally.
TUF has four major classes of users: clients, for whom TUF is largely transparent; mirrors, who will (in most cases) have nothing at all to do with TUF; upstream servers, who will largely be responsible for care and feeding of repositories; and integrators, who do the work of putting TUF into existing projects.
A low-level integration requires importing a single module and calling particular methods to perform updates. A high-level integration, on the other hand, can handle TUF-related updates transparently. The client populates a configuration file and the library interposes on urllib calls. Generating metadata files stored on upstream servers can be handled by the repository tool, covered in Creating a Repository.
This material is based upon work supported by the National Science Foundation under Grant No. CNS-1345049 and CNS-0959138. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
| File Name | Version | File Type | Upload Date |
| --- | --- | --- | --- |
| tuf-0.10.0.tar.gz (1.7 MB) | – | Source | Jan 22, 2016 |
| tuf-0.10.0.zip (1.8 MB) | – | Source | Jan 22, 2016 |