Security Audit of The Update Framework

X41 performed a source code audit of The Update Framework, a specification for secure updates with a reference implementation in Python, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the green light has been given by the TUF development team.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf

Audit Results

The most severe issue discovered pertains to file permissions set on private key files when using the basic usage instructions. An attacker who already has access to the local system as another user could read these files, for example as a tenant on a shared server system, and use the keys to sign malicious updates.

Another weakness exists in Python’s JSON parser (parallel discovery of CVE-2020-107351), where an attacker could supply a JSON update file at the configured size limit and trigger the parser to hang for a while. The amount of time depends on this size limit and one’s CPU speed. By default, on a regular system, the time is on the order of a few minutes. This might frustrate users and cause them to abort the update process, leaving them on an old release. The project aims to always show clear error messages so that developers using the framework can act accordingly. By aborting, no error code would be returned to the software and this would go unnoticed.

Several other improvements were identified to improve defense-in-depth and reduce ambiguity in the specification.

Overall, the project shows a high maturity in terms of security. Having a specification as a human-readable description of what the code should do makes it possible to better reason about and more easily verify the code.

TUF’s announcement of the release can be found here:
https://theupdateframework.github.io/python-tuf/2022/10/21/python-tuf-security-assessment.html

OSTIF’s announcement can be found at:
https://ostif.org/our-audit-of-python-tuf-is-complete-multiple-issues-found-and-fixed/


If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!