Security Audit of Go TUF

X41 performed a source code audit of the Go implementation of TUF (The Update Framework), a mechanism for delivering software updates securely, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the green light has been given by the Go TUF development team.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-go-tuf-Audit-2023-Final-Report-PUBLIC.pdf

Audit Results

The workflow for so-called threshold signatures is not specified. Depending on how a repository that several key holders must sign is managed, the owner of its storage location (who need not be one of the key holders) could replace some of the files with symlinks. One of the key holders could mount the same attack, which matters because threshold signing exists precisely so that the compromise of a single system does not compromise the update mechanism. If a target file is symlinked to a path such as /home/targetperson/.bashrc, a tool operating on the repository may follow the link and overwrite that file on another key holder's system with attacker-controlled content. Because the attack is powerful but depends on external circumstances, it was assigned a medium rating.
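As an added illustration (not code from the report or from go-tuf), the check a repository tool needs in order to defeat the planted-link attack described above: a Go write helper that refuses to follow symlinks anywhere below the repository root and replaces the destination with a rename instead of opening it for writing. The function names, the error values, the targets/ layout and the sample paths are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Errors returned by WriteTargetNoFollow (names are assumptions for this example).
var (
	ErrSymlink = errors.New("refusing to write through a symbolic link")
	ErrBadPath = errors.New("invalid target path")
)

// checkNoSymlinks walks root/rel one component at a time with os.Lstat and
// fails if any existing component is a symbolic link. Components that do not
// exist yet are acceptable: nothing below a missing entry can be a link.
func checkNoSymlinks(root, rel string) error {
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return nil
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s", ErrSymlink, cur)
		}
	}
	return nil
}

// WriteTargetNoFollow writes data to root/rel, where rel is a repository-relative
// path such as "targets/app-1.2.tar.gz". It rejects paths that leave root,
// refuses to traverse or overwrite symbolic links, and replaces the destination
// with rename(2), so a link planted at the final path (for example
// targets/app-1.2.tar.gz -> /home/victim/.bashrc) is replaced, never followed.
func WriteTargetNoFollow(root, rel string, data []byte) error {
	rel = filepath.Clean(rel)
	if rel == "." || rel == ".." || filepath.IsAbs(rel) ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %q", ErrBadPath, rel)
	}
	if err := checkNoSymlinks(root, rel); err != nil {
		return err
	}
	dst := filepath.Join(root, rel)
	dir := filepath.Dir(dst)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	// CreateTemp opens with O_CREATE|O_EXCL, so it can never land on an
	// existing name or link. The data goes into that private file first.
	tmp, err := os.CreateTemp(dir, ".write-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	cleanup := func(e error) error { os.Remove(tmpName); return e }
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return cleanup(err)
	}
	if err := tmp.Chmod(0o644); err != nil { // fchmod on our own descriptor, no path lookup
		tmp.Close()
		return cleanup(err)
	}
	if err := tmp.Close(); err != nil {
		return cleanup(err)
	}
	if err := os.Rename(tmpName, dst); err != nil {
		return cleanup(err)
	}
	return nil
}

func main() {
	// Constructed scenario: a repository checkout and a "victim" home directory.
	root, _ := os.MkdirTemp("", "repo")
	home, _ := os.MkdirTemp("", "home")
	defer os.RemoveAll(root)
	defer os.RemoveAll(home)
	bashrc := filepath.Join(home, ".bashrc")
	os.WriteFile(bashrc, []byte("# original\n"), 0o644)
	os.MkdirAll(filepath.Join(root, "targets"), 0o755)
	// Whoever controls the shared storage plants the link.
	os.Symlink(bashrc, filepath.Join(root, "targets", "app-1.2.tar.gz"))
	err := WriteTargetNoFollow(root, "targets/app-1.2.tar.gz", []byte("payload"))
	fmt.Println("planted link:", err)
	fmt.Println("plain file:", WriteTargetNoFollow(root, "targets/app-1.3.tar.gz", []byte("ok")))
}
```

Rejecting links with os.Lstat before the write is a check-then-act sequence, so an attacker with a local account on the same host could still swap a parent directory for a link between the check and the rename; on Linux, openat2(2) with RESOLVE_NO_SYMLINKS closes that window, but the Go standard library does not expose it. Replacing the final component with rename(2), rather than opening it with O_TRUNC, is what guarantees that a link sitting at the destination itself is overwritten as a directory entry and never followed.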

A second finding is that updates are not tied to a repository. The signature is checked, but if a maintainer uses the same key to sign updates for a second project, update files from that project can be placed in the first one. If their version number is greater than the version the client already trusts, the client will not treat them as a rollback and will use the data as though it were a valid update. Code execution via this mechanism is unlikely, since it depends on circumstances such as both projects using the same filename for their release files, but the unexpected data could make the software unavailable to its users.
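To make the key-reuse problem concrete, here is an added Go example that is neither go-tuf's code nor its metadata format: a toy signed-metadata document with two verifiers, one that checks only the signature and the version (the behaviour the finding describes) and one that also requires the document to name the repository it was issued for. The Metadata and Envelope structures, the repository names "alpha" and "beta", the digests, the deterministic key and the idea of carrying the repository name inside the signed bytes are all assumptions made for this illustration; the simplest mitigation in practice is not to reuse a signing key across repositories in the first place.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Metadata is a toy stand-in for a signed metadata document (constructed for
// this example; not go-tuf's format). Repository is the extra field that ties
// the document to the repository it was issued for.
type Metadata struct {
	Repository string            `json:"repository"`
	Version    int               `json:"version"`
	Targets    map[string]string `json:"targets"` // filename -> digest (constructed values)
}

// Envelope carries the exact bytes that were signed plus the signature.
type Envelope struct {
	Signed    []byte `json:"signed"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature    = errors.New("signature does not verify")
	ErrRollback        = errors.New("version is not newer than the trusted version")
	ErrWrongRepository = errors.New("metadata was issued for a different repository")
)

// Sign serialises m and signs the serialised bytes with an Ed25519 key.
func Sign(priv ed25519.PrivateKey, m Metadata) (Envelope, error) {
	signed, err := json.Marshal(m)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Signed: signed, Signature: ed25519.Sign(priv, signed)}, nil
}

// openEnvelope checks the signature and parses the signed bytes; no policy checks.
func openEnvelope(pub ed25519.PublicKey, env Envelope) (Metadata, error) {
	if !ed25519.Verify(pub, env.Signed, env.Signature) {
		return Metadata{}, ErrBadSignature
	}
	var m Metadata
	if err := json.Unmarshal(env.Signed, &m); err != nil {
		return Metadata{}, err
	}
	return m, nil
}

// VerifyUnbound models the behaviour in the finding: the client checks the
// signature and that the version is newer than the one it already trusts,
// but never asks which repository the document belongs to.
func VerifyUnbound(pub ed25519.PublicKey, env Envelope, trustedVersion int) (Metadata, error) {
	m, err := openEnvelope(pub, env)
	if err != nil {
		return Metadata{}, err
	}
	if m.Version <= trustedVersion {
		return Metadata{}, ErrRollback
	}
	return m, nil
}

// VerifyBound additionally requires the signed repository name to equal the
// repository this client was configured for. Because the name sits inside the
// signed bytes, an attacker who can only move files cannot change it.
func VerifyBound(pub ed25519.PublicKey, env Envelope, repo string, trustedVersion int) (Metadata, error) {
	m, err := openEnvelope(pub, env)
	if err != nil {
		return Metadata{}, err
	}
	if m.Repository != repo {
		return Metadata{}, fmt.Errorf("%w: got %q, want %q", ErrWrongRepository, m.Repository, repo)
	}
	if m.Version <= trustedVersion {
		return Metadata{}, ErrRollback
	}
	return m, nil
}

func main() {
	// Constructed, deterministic key shared by the maintainer's two projects.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	// A client of "alpha" currently trusts version 5; "beta" is already at version 9.
	beta, _ := Sign(priv, Metadata{Repository: "beta", Version: 9,
		Targets: map[string]string{"release.tar.gz": "beta-digest"}})
	_, err := VerifyUnbound(pub, beta, 5)
	fmt.Println("unbound client accepts beta's metadata as an alpha update:", err == nil)
	_, err = VerifyBound(pub, beta, "alpha", 5)
	fmt.Println("bound client:", err)
}
```

The bound verifier checks the repository before the version, so a document from the other project is rejected as foreign rather than being mistaken for (or slipping past) a rollback check. Any field used for this binding must live inside the signed bytes; a repository name carried only in a filename or an unsigned wrapper is exactly what the attacker controls.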

Several further defense-in-depth improvements were identified. X41 also evaluated which parts of the attack surface are suitable for fuzz testing; the results are described in section 4.2 of the report.

Overall, the project was clearly designed with security in mind, but it can be hardened further so that it remains secure under a wider range of deployment circumstances.

For more information on The Update Framework see their homepage:
https://theupdateframework.io/

OSTIF’s announcement can be found at:
https://ostif.org/go-tuf-on-bugs-ostifs-audit-of-go-tuf/


If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!