Software Update Security

From a translator: I stumbled upon TheUpdateFramework while searching for libraries that implement automatic software updates on the desktop. On the one hand, the description of the security aspects of software update systems presented below was interesting and detailed to me; on the other - for sure, in addition to academic studies, although under the wing of LinuxFoundation, you can find many suitable solutions. You can suggest options in the comments.



We can consider a software update system “safe” if:

To achieve this, workable preventive strategies are required against many potential attacks.

Attacks and weaknesses

Listed below are some of the known attacks on software update systems, including weaknesses that make these attacks possible. To design a secure software update framework, you need to understand these attacks and develop protection strategies. Some of these shortcomings may be related to each other, depending on the architecture and implementation of a particular software update system.

Safety principles

In order to make sure that the system is protected from all the attacks described above, the architecture and implementation of the Update Framework (TUF) relies on several basic concepts. Details of how TUF transmits the information described above can be found in the metadata documentation .

The trust

Trusting the downloaded files actually means assuming that the files were provided by a party without vulnerable architectural solutions. The two often elusive aspects of trust in a software update system are:

Key risk reduction (resistance to compromise)

Cryptographic signatures are an essential component of security in software update systems. The security of keys used in these signatures directly affects the security of clients that the system protects. Instead of naively believing that private keys can never be compromised, secure software update systems should foresee how to protect clients from the possibility of compromising these keys. This is the basic principle of resistance to compromise.

Securing customers when a key is compromised includes:


Ensuring integrity in the Update Framework (TUF) applies not only to individual files, but also to the repository as a whole. It is pretty obvious that clients should verify that individual files are correct. Already not so obvious, but it is still very important for clients to be sure that the audit of the repository as a whole is correct. For example, if a trusted source provides two files, the software update system should see the latest versions of both files (not just one), and only those versions of these two files that exist in the repository at a time.


Since software updates often fix vulnerabilities, it is important for software update systems to obtain the latest available versions. An attacker may try to force the client to install outdated versions of the software, or simply convince the client that there are no new updates.

Ensuring relevance means:

It is worth noting that if the attacker responds to customer requests, it is not always possible to conduct a successful update. However, the client must be able to determine the likelihood of updates that it cannot receive.

Implementation Security

In addition to a secure architecture, TUF also works against implementation vulnerabilities, including vulnerabilities common to software update systems. In some cases, the inclusion of additional information in the update metadata is used for this. For example, knowing the expected size of the downloaded file allows TUF to limit the amount of downloaded data. As a result, TUF is protected against the infinite data attack discussed above.


All Articles