when the going gets tough get tuf going
play

When the going gets tough, Get TUF going! Riyaz Faizullabhoy - - PowerPoint PPT Presentation

Jan 02, 2024 •383 likes •1.53k views

When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF? Using TUF Hermetic Builds Where does software come from? $> _ $>curl | sudo bash $>apt-get install authenticity $>apt-get

  1. Root Metadata Root: Timestamp: USA Snapshot: Switzerland Targets: China Expiry: ...

  2. Offline for security • Backup in bank vault • Use signing hardware

  3. TUF repository packages ?

  4. Targets Metadata java : { hashes } openssl : { hashes } … Expiry: ...

  5. Targets Metadata Keys: { Alice: A Bob: B } java: [Alice] openssl: [Bob] Expiry: ...

  6. Delegation Metadata java-8-jre : { hashes } A java-7-jre : { hashes } ... Expiry: ... openssl-1.0.1t : { hashes } B openssl-1.0.2h : { hashes } ... Expiry: ...

  7. java-8-jre A java-7-jre openssl-1.0.1t B openssl-1.0.2h

  8. jdk java java-8-jdk C java-7-jdk A jre apt java-8-jre A java-7-jre openssl openssl-1.0.1t B openssl-1.0.2h

  9. jdk java java-8-jdk C java-7-jdk A jre apt java-8-jre A java-7-jre openssl openssl-1.0.1t B openssl-1.0.2h D E

  10. • authenticity • integrity • freshness • survivable key compromise • thresholding

  11. • authenticity • integrity • freshness • survivable key compromise • thresholding

  12. • authenticity • integrity • freshness • survivable key compromise • thresholding

  14. Snapshot Metadata Root : { hashes } Targets : { hashes } Alice : { hashes } Bob : { hashes } … Expiry: ...

  16. • authenticity • integrity • freshness • survivable key compromise • thresholding

  17. Timestamp Metadata Snapshot : { hashes } … Expiry: 24 hours from now

  18. jdk java java-8-jdk C java-7-jdk A jre apt java-8-jre A java-7-jre openssl X openssl-1.0.1t B openssl-1.0.2h D E

  19. • authenticity • integrity • freshness • survivable key compromise • thresholding

  23. #

  24. # # #

  26. #

  28. #

  29. Metadata Lifetime Timestamp Snapshot Targets/ Delegations Root Lifetime t

  30. Keeping Freshness Timestamp Snapshot Targets/ Delegations Root Lifetime t

  31. Snapshot Expired! Timestamp Snapshot Targets/ Delegations Root Lifetime t

  32. Sign a new Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t

  33. Sign a new Timestamp to point the Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t

  34. Want to publish something? Timestamp Snapshot Targets/ Delegations Root Lifetime t

  35. Sign the hash into a new Targets or Delegation file Timestamp Snapshot Targets/ Delegations Root Lifetime t

  36. Sign a new Snapshot that references this Targets file Timestamp Snapshot Targets/ Delegations Root Lifetime t

  37. Sign a new Timestamp that references the new Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t

  38. Situation normal Timestamp Snapshot Targets/ Delegations Root Lifetime t

  39. Oh no, I think my Snapshot key was compromised! Timestamp Snapshot Targets/ Delegations Root Lifetime t

  40. Compromise is “when” not “if”

  42. Root: Root Timestamp: Metadata Snapshot: Targets:

  43. Root: Root Timestamp: Metadata Snapshot: Targets: Snapshot Metadata

  44. Before recovery Timestamp Snapshot Targets/ Delegations Root Lifetime t

  45. Create and sign the new Snapshot key into Root Timestamp Snapshot Targets/ Delegations Root Lifetime t

  46. Sign a new Snapshot with the new key Timestamp Snapshot Targets/ Delegations Root Lifetime t

  47. Sign new Timestamp to reference new Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t

  48. GPG TUF • authenticity • integrity • freshness • survivable key compromise • thresholding • ease of use coming soon!

  49. • … • auditability

  51. ?

  52. How can we start using TUF?

  54. Demo • ease of use?

  55. Demo

  56. • authenticity • integrity • freshness • survivable key compromise • thresholding • ease of use

  57. github.com/docker/notary

  58. $> export DOCKER_CONTENT_TRUST=1

  61. alpine

  62. alpine latest: {hash} edge: {hash} 2.6: {hash} 3.3: {hash} 3.4: {hash}

  63. $> $pkg-manager install openssl

  64. Design Goals: - root of trust in package manager maintainers - with thresholding - freshness guarantees - signed index of all packages - signed package targets by package maintainers - name to hash resolution - with thresholding

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

When%the%going%gets%tough% % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%the%tough%get%branding%%

When%the%going%gets%tough% % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%the%tough%get%branding%%

When%the%going%gets%tough% % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%the%tough%get%branding%% Who:%William%Kes5n% % The%CEO%of%the%Australasian%Promo5onal%Product%Associa5on%(APPA)%and%%

463 views • 43 slides
Tough Arches, Tough Access, and Alternate Access Sasko Kedev University Clinic of Cardiology-

Tough Arches, Tough Access, and Alternate Access Sasko Kedev University Clinic of Cardiology-

Carotid Stenting Technique: Tough Arches, Tough Access, and Alternate Access Sasko Kedev University Clinic of Cardiology- Skopje Macedonia Disclosure Statement of Financial Interest Within the past 12 months, I or my spouse/partner have had a

1.1k views • 80 slides
Core message of the MTBPS Tough times require tough decisions. We are committed to making them.

Core message of the MTBPS Tough times require tough decisions. We are committed to making them.

Core message of the MTBPS Tough times require tough decisions. We are committed to making them. Working together, we can grow the economy for the benefit of all Radical economic transformation is required to change the economy to include

443 views • 21 slides
UK Anti-Bribery Act: Meeting the Tough New Requirements Tough New Requirements Minimizing

UK Anti-Bribery Act: Meeting the Tough New Requirements Tough New Requirements Minimizing

presents presents UK Anti-Bribery Act: Meeting the Tough New Requirements Tough New Requirements Minimizing Corruption Risks Under Both the FCPA and UK Law A Live 90-Minute Teleconference/Webinar with Interactive Q&A A Live 90-Minute

1.16k views • 52 slides
SMALL, LARGE, TOUGH, AND UGLY: STRATEGIES FOR BUILDING DEMAND IN TOUGH MARKETS Michael Taylor,

SMALL, LARGE, TOUGH, AND UGLY: STRATEGIES FOR BUILDING DEMAND IN TOUGH MARKETS Michael Taylor,

SMALL, LARGE, TOUGH, AND UGLY: STRATEGIES FOR BUILDING DEMAND IN TOUGH MARKETS Michael Taylor, President, Vita Nuova LLC & Neil Pariser, Vice President and Community Development, Vita Nuova LLC Relevant Sites: Vitanuova.net |

435 views • 28 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The Going Gets Tough: State Capacity To

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The Going Gets Tough: State Capacity To

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The Going Gets Tough: State Capacity To Support Federal School Turnaround Principles Caitlin Scott and Nora Ostler AERA 2015 On September 23, 2011, who said: I am writing to offer you

249 views • 24 slides
EASM 2014 increased physical activity, in general), education and health policy. It became clear

EASM 2014 increased physical activity, in general), education and health policy. It became clear

TOUGH LOVE OR TOUGH LUCK? ENGLISH NATIONAL GOVERNING BODIES OF SPORT AND THE ONGOING CHALLENGE OF DRIVING UP PARTICIPATION Submitting author: Dr Marc Keech University of Brighton, School of Sport and Service Management Eastbourne, BN20

986 views • 3 slides
Sometimes its tough to get everyone in your company on the same page when it come to content,

Sometimes its tough to get everyone in your company on the same page when it come to content,

Sometimes its tough to get everyone in your company on the same page when it come to content, but even your I.T. professionals can benefit from sharing and knowing whats happening with the blog Create a Channel for Blog Posts to Discuss

468 views • 4 slides
Fired Up Fundraising: Engage Your Board and Find New Opportunities in a Tough Economy Sioux

Fired Up Fundraising: Engage Your Board and Find New Opportunities in a Tough Economy Sioux

Fired Up Fundraising: Engage Your Board and Find New Opportunities in a Tough Economy Sioux Falls Community Foundation May 11, 2009 CRISIS Danger + Opportunity Engage Your Board and Find New . Opportunities in a Tough Economy OUR AGENDA

819 views • 59 slides
- For tough users in rough environments Background The environment is not always

- For tough users in rough environments Background The environment is not always

- For tough users in rough environments Background The environment is not always predictable and you need to prepare The Panel What is Sirius? -A very rugged touch screen that remote controls a Motorola MotoTrbo radio The

354 views • 17 slides
Tough Question: What will it take to identify the mechanism for baryogenesis or leptogenesis?

Tough Question: What will it take to identify the mechanism for baryogenesis or leptogenesis?

Tough Question: What will it take to identify the mechanism for baryogenesis or leptogenesis? Are there scenarios that could conceivably be considered to be established by experimental data in the next 20 years? What experiments are required

392 views • 6 slides
How do you chew? I need to eat I need to break I want to eat down hard grains tough foods that

How do you chew? I need to eat I need to break I want to eat down hard grains tough foods that

How do you chew? I need to eat I need to break I want to eat down hard grains tough foods that EVERYTHING! and seeds... but I other animals cant dont have any teeth! digest. How does a cow eat? They have special stomachs with four

341 views • 4 slides
Control and Tough -Movement Carl Pollard Department of Linguistics Ohio State University

Control and Tough -Movement Carl Pollard Department of Linguistics Ohio State University

Control and Tough -Movement Carl Pollard Department of Linguistics Ohio State University February 2, 2012 Carl Pollard Control and Tough -Movement Control (1/5) We saw that PRO is used for the unrealized subject of nonfinite

430 views • 28 slides
Reading Life Between the Lines: Using Childrens Literature for Tough Conversations about

Reading Life Between the Lines: Using Childrens Literature for Tough Conversations about

Reading Life Between the Lines: Using Childrens Literature for Tough Conversations about Diversity Michelle H. Martin, Beverly Cleary Professor for Children & Youth Services & MLIS Chair, UW iSchool Created with J. Elizabeth Mills,

730 views • 30 slides
Religion, Sex & Politics, Oh My! Handling Tough Situations While Encouraging Diversity &

Religion, Sex & Politics, Oh My! Handling Tough Situations While Encouraging Diversity &

Religion, Sex & Politics, Oh My! Handling Tough Situations While Encouraging Diversity & Inclusion Presented By: Anne T. McKnight & Beverly Watts Where Are We? Conflicting Perspectives Intensified Political Environment

820 views • 32 slides
When the going gets tough, the Dutch get going Edwin Spaans, PharmD Clinical

When the going gets tough, the Dutch get going Edwin Spaans, PharmD Clinical

When the going gets tough, the Dutch get going Edwin Spaans, PharmD Clinical Pharmacologist, ErasmusMC Sophia Childrens Hospital Director Clinical Research, Kinesis-Pharma Development Officer, Dutch MCRN Past Different

286 views • 13 slides
VERSION CONTROL AND GIT 1 / 23 PROBLEM SCENARIO 1: WORKING ALONE How do you keep track of

VERSION CONTROL AND GIT 1 / 23 PROBLEM SCENARIO 1: WORKING ALONE How do you keep track of

VERSION CONTROL AND GIT 1 / 23 PROBLEM SCENARIO 1: WORKING ALONE How do you keep track of changes, and different versions of your work? 2 / 23 SOLUTION? 3 / 23 PROBLEM SCENARIO 2: WORKING IN A TEAM "My changes got overwritten!"

1.06k views • 27 slides
CSCI 2132 Software Development Lab 3: SVN Source Version Control Tutorial Instructor: Vlado

CSCI 2132 Software Development Lab 3: SVN Source Version Control Tutorial Instructor: Vlado

CSCI 2132 Software Development Lab 3: SVN Source Version Control Tutorial Instructor: Vlado Keselj Faculty of Computer Science Dalhousie University 20-Sep-2018 (3) CSCI 2132 1 Lab Overview Learning about SVN Source Version Control

510 views • 26 slides
Version Control with git or: Why you dont want to live without it! living knowledge WWU

Version Control with git or: Why you dont want to live without it! living knowledge WWU

W ESTFLISCHE W ILHELMS -U NIVERSITT M NSTER Version Control with git or: Why you dont want to live without it! living knowledge WWU Mnster October 15th, 2014 W ESTFLISCHE W ILHELMS -U NIVERSITT M NSTER Version Control with git

681 views • 36 slides
Welcome and Introduction Welcome and Introduction Programming for Statistical Programming for

Welcome and Introduction Welcome and Introduction Programming for Statistical Programming for

Welcome and Introduction Welcome and Introduction Programming for Statistical Programming for Statistical Science Science Shawn Santo Shawn Santo 1 / 20 1 / 20 Supplementary materials Companion videos Overview 2 / 20 Introduction

616 views • 20 slides
Rough times? TUF shines A Framework for Secure Software Updates Trishank Karthik Kuppusamy,

Rough times? TUF shines A Framework for Secure Software Updates Trishank Karthik Kuppusamy,

Rough times? TUF shines A Framework for Secure Software Updates Trishank Karthik Kuppusamy, Vladimir Diaz, Sebastien Awwad Lukas Phringer , Justin Cappos Software updates Experts agree that software updates are the most important thing

613 views • 27 slides
Upgrade to MongoDB 4.0 Antonios Giannopoulos DBA @ Rackspace/ObjectRocket

Upgrade to MongoDB 4.0 Antonios Giannopoulos DBA @ Rackspace/ObjectRocket

Upgrade to MongoDB 4.0 Antonios Giannopoulos DBA @ Rackspace/ObjectRocket linkedin.com/in/antonis/ 1 Introduction Antonios Giannopoulos www.objectrocket.com 2 Overview Upgrade Procedure Application Layer Middleware

750 views • 60 slides
Charlie Garrod Chris Timperley 17-214 1 Administrivia Homework 6 has been released

Charlie Garrod Chris Timperley 17-214 1 Administrivia Homework 6 has been released

Principles of Software Construction: Objects, Design, and Concurrency DevOps Charlie Garrod Chris Timperley 17-214 1 Administrivia Homework 6 has been released Sequential implementation due by Tuesday, Nov. 26 Parallel

597 views • 47 slides
Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary services is called hardening a router to prevent attacks or exploits. The basic steps of router hardening are: 1) Administratively shut down

102 views • 8 slides

More recommend