The insecurity of most software update systems poses a major security risk. As a result, an attacker with a minimal amount of technical knowledge can cause a huge amount of damage to a huge number of computers. This poses a potential crisis for global security, with the scientific community a particularly likely victim. The scientific community possesses computational resources that are particularly attractive to hackers. The high speed networks and computation available to scientists would make an excellent platform for sending SPAM, flooding major sites with traffic to knock them off the Internet (DDOS), or even launching cyber-warfare attacks against US targets. TUF (The Update Framework) is a tool, developed in prior research by the PI, to secure their new or existing software update systems. Software update systems are vulnerable to many known attacks, including those that can result in clients being compromised or crashed. TUF helps solve this problem by providing a flexible security framework that can be added to software updaters. This project will transition our TUF tool into practical use for secure package management. The added security will be completely invisible to users unless an attack is underway, silently preventing malicious package manager attacks from being effective. TUF provides unique capabilities for secure key revocation, private security update retrieval, and offline/online hybrid role protections. This work will protect millions of government systems, military servers, scientists, and average internet users from attack.
TTP: Securing Python Package Management with The Update Framework (TUF)