December 19, 2019
Open-source system securing software updates 'graduates' to protect leading cloud services
The Update Framework (TUF), an open-source technology that secures software update systems, has become the first specification project to graduate from the Linux Foundation's Cloud Native Computing Foundation (CNCF). A specification—common examples of which are HTML and HTTP—allows different implementers to create core functionality in a common, precisely defined way to solve a task. Justin Cappos, lead of the TUF project and an associate professor of computer science and engineering at NYU Tandon School of Engineering, is also the first academic researcher to lead a project that has graduated from the CNCF.
This milestone signifies that TUF has achieved the highest level of maturity in the CNCF ecosystem, which fosters the development and adoption of open-source cloud technologies. TUF has become the industry standard for securing software update systems, and is now utilized by the leading providers of cloud-based services, including Amazon—which recently released a customized open-source version of TUF—Microsoft, Google, Cloudflare, Datadog, DigitalOcean, Docker, IBM, Red Hat, VMware, and many others.
This latest achievement is the culmination of a decade's worth of work by Cappos and a team of contributors who developed TUF to address the frequent compromise of software repositories by cybercriminals. Software updates have long been prime targets for hackers, and the threat posed by such attacks has grown as Internet-connected devices have moved beyond computers and smartphones to include medical equipment, automobiles, and many other devices. TUF defends against a wide range of attacks, protecting end-users from malicious software even in scenarios where attackers have compromised a repository or signing key. TUF is designed to be flexible, facilitating its adoption into any software update system.
"TUF was designed so that an organization does not need to be perfect in their operational security," said Cappos. "If a company accidentally makes a signing key public, has a hacker break into their software repository, or if a disgruntled employee goes rogue, the damage they can cause is limited. Defense in depth is key to security, and the security of the software update infrastructure is among the most critical concerns in practice."
TUF, whose development was supported by the National Science Foundation and U.S. Department of Homeland Security, was selected as a project within the CNCF in 2017. That same year, Cappos, along with a team of researchers from the University of Michigan Transportation Research Institute and Southwest Research Institute, developed Uptane, the automotive application of TUF. Uptane has been widely adopted by automakers—according to projections, roughly one-third of the 2023 model cars on United States roads will use Uptane.
Major contributors to TUF within NYU Tandon include doctoral graduate Trishank Karthik Kuppusamy, now chief security solutions engineer at Datadog; current doctoral students Santiago Torres and Marina Moore; and developer Lukas Puehringer, along with former developers Sebastien Awwad (now at Conda) and Vladimir Diaz, who participated as part of Cappos' Secure Systems Lab. The team also acknowledges the wide range of contributions to TUF from many organizations including Docker, Tor, and Python, as well as participants across the CNCF landscape and the automotive industry.
"We are moving into a new decade where open source software is pervasive and updated seamlessly across our lives through many devices," said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation. "We are thrilled to see TUF secure an important part of the software supply chain and look forward to continuing to sustain their community in the CNCF."
Last month, another technology co-developed by Cappos and Torres entered the CNCF Sandbox. In-toto is a free open-source system that cryptographically ensures the integrity of the software supply chain, providing an unprecedented level of assurance against attacks.