The Update Framework Specification

Software is commonly updated through software update systems. These systems can be package managers that are responsible for all of the software that is installed on a system, application updaters that are only responsible for individual installed applications, or software library managers that install software that adds functionality such as plugins or programming language libraries.

Software update systems all have the common behavior of downloading files that identify whether updates exist and, when updates do exist, downloading the files that are required for the update. For the implementations concerned with security, various integrity and authenticity checks are performed on downloaded files.

We need to provide a framework (a set of libraries, file formats, and utilities) that can be used to secure new and existing software update systems.

The framework should enable applications to be secure from all known attacks on the software update process. It is not concerned with exposing information about what software is being updated (and thus what software the client may be running) or the contents of updates.

The framework should provide means to minimize the impact of key compromise. To do so, it must support roles with multiple keys and threshold/quorum trust (with the exception of minimally trusted roles designed to use a single key). The compromise of roles using highly vulnerable keys should have minimal impact. Therefore, online keys (keys which are used in an automated fashion) must not be used for any role that clients ultimately trust for files they may install.

The framework must be flexible enough to meet the needs of a wide variety of software update systems.


in-toto: Providing farm-to-table guarantees for bits and bytes | USENIX

The software development process is quite complex and involves a number of independent actors. Developers check source code into a version control system, the code is compiled into software at a build farm, and CI/CD systems run multiple tests to ensure the software’s quality among a myriad of other operations. Finally, the software is packaged for distribution into a delivered product, to be consumed by end users. An attacker that is able to compromise any single step in the process can maliciously modify the software and harm any of the software’s users.

To address these issues, we designed in-toto, a framework that cryptographically ensures the integrity of the software supply chain. in-toto grants the end user the ability to verify the software’s supply chain from the project’s inception to its deployment. We demonstrate in-toto’s effectiveness on 30 software supply chain compromises that affected hundreds of million of users and showcase in-toto’s usage over cloud-native, hybrid-cloud and cloud-agnostic applications. in-toto is integrated into products and open source projects that are used by millions of people daily.


Towards a Timely Causality Analysis for Enterprise Security

Abstract—The increasingly sophisticated Advanced Persistent
Threat (APT) attacks have become a serious challenge for enterprise IT security. Attack causality analysis, which tracks multi-hop
causal relationships between files and processes to diagnose attack
provenances and consequences, is the first step towards understanding APT attacks and taking appropriate responses. Since
attack causality analysis is a time-critical mission, it is essential
to design causality tracking systems that extract useful attack
information in a timely manner. However, prior work is limited
in serving this need. Existing approaches have largely focused on
pruning causal dependencies totally irrelevant to the attack, but
fail to differentiate and prioritize abnormal events from numerous
relevant, yet benign and complicated system operations, resulting
in long investigation time and slow responses.
To address this problem, we propose PRIOTRACKER, a backward and forward causality tracker that automatically prioritizes
the investigation of abnormal causal dependencies in the tracking
process. Specifically, to assess the priority of a system event, we
consider its rareness and topological features in the causality
graph. To distinguish unusual operations from normal system
events, we quantify the rareness of each event by developing
a reference model which records common routine activities in
corporate computer systems. We implement PRIOTRACKER, in
20K lines of Java code, and a reference model builder in 10K lines
of Java code. We evaluate our tool by deploying both systems in
a real enterprise IT environment, where we collect 1TB of 2.5
billion OS events from 150 machines in one week. Experimental
results show that PRIOTRACKER can capture attack traces that
are missed by existing trackers and reduce the analysis time by
up to two orders of magnitude.