Ying Li, David Lawrence - When the going gets tough, get TUF going

Transcript

1. When the going gets tough, Get TUF going! David Lawrence

   - @endophage Ying Li - @cyli Docker Security Team

2. Where does software come from?

3. $> _

4. $>curl | sudo bash

5. None

6. •authenticity

7. None
8. None

9. •authenticity •integrity

10. None
11. None

12. •authenticity •integrity •freshness

13. $> pip install foo

14. •authenticity (TLS) •integrity (TLS) •freshness

15. •integrity foo==1.0 --hash=sha256:492f6b208a9… requirements.txt

16. •authenticity (TLS) •integrity (TLS + hash ) •freshness (cache)

17. None

18. python setup.py upload no TLS twine upload TLS web form

    TLS curl / other maybe TLS foo
19. None

20. • authenticity • integrity • freshness • ease of use

21. Get TUF (The Update Framework)

22. None

23. TUF repository

24. TUF repository packages

25. root timestamp snapshot targets delegation

26. Root: Timestamp: Snapshot: Targets: Expiry: ... Root Metadata

27. Offline for security • Backup in bank vault. • Use

    signing hardware

28. pip-8.1.2 : { hashes } virtualenv-15.0.1 : { hashes }

    … Expiry: ... Targets Metadata

29. Keys: { Alice: Bob: } Expiry: ... Targets Metadata A

    B pip: virtualenv: [Alice] [Bob]

30. pip-8.1.2 : { hashes } pip-8.1.1 : { hashes }

    ... Expiry: ... Delegation Metadata A virtualenv-15.0.1 : { hashes } virtualenv-15.0.0 : { hashes } ... Expiry: ... B

31. pip-8.1.2 pip-8.1.1 virtualenv-15.0.1 virtualenv-15.0.0 A B

32. virtualenv-15.0.1.whl virtualenv-15.0.1.tgz virtualenv-15.0.0.whl virtualenv-15.0.0.tgz pip pip-8.1.2.whl pip-8.1.1.whl pip-8.1.2.tgz pip-8.1.1.tgz PyPA

    virtualenv A B C A wheels source

33. • authenticity • integrity • freshness • ease of use

34. • authenticity • integrity • freshness • ease of use

35. Root : { hashes } Targets : { hashes }

    Alice : { hashes } Bob : { hashes } … Expiry: ... Snapshot Metadata

36. • authenticity • integrity • freshness • ease of use

37. Snapshot : { hashes } … Expiry: 24 hours from

    now Timestamp Metadata

38. virtualenv-15.0.1.whl virtualenv-15.0.1.tgz virtualenv-15.0.0.whl virtualenv-15.0.0.tgz pip pip-8.1.2.whl pip-8.1.1.whl pip-8.1.2.tgz pip-8.1.1.tgz PyPA

    virtualenv A B C A wheels source X

39. • authenticity • integrity • freshness • ease of use

40. Timestamp Lifetime Snapshot Targets/ Delegations Root Metadata Lifetime

41. Compromise is “when” not “if”

42. None

43. Root: Timestamp: Snapshot: Targets: Root Metadata Snapshot Metadata

44. Root: Timestamp: Snapshot: Targets: Expiry: ... Root Metadata

45. Root: Timestamp: Snapshot: Targets: Expiry: ... Root Metadata

46. Root: Timestamp: Snapshot: Targets: new Root: Timestamp: Snapshot: Targets: old

47. Root: Timestamp: Snapshot: Targets: new Root: Timestamp: Snapshot: Targets: old

    X

48. • authenticity • integrity • freshness • ease of use

49. None

50. #

51. # # #

52. None

53. #

54. None

55. #

56. • authenticity • integrity • freshness • ease of use

57. • authenticity • integrity • freshness • ease of use

58. … • auditability

59. None
60. None

61. ?

62. PEP458

63. A PEP480

64. How can we start using TUF?

65. None
66. None

67. github.com/docker/notary https://pytuf.heliocide.org

68. • “Publish your code so others can use it in

    5 easy steps” Marko Samastur • “Shipping Software To Users With Python” Glyph • “Reliably Distributing Compiled Modules” - Paul Kehrer Python Packaging

69. TUF Open Space (today: 1pm) C123-124

70. Learn More • Read the spec: github.com/theupdateframework/tuf/ (docs/tuf-spec.txt) • Look

    at Notary: github.com/docker/notary • Read the Docker Content Trust docs: docs.docker.com/engine/security/trust/content_trust/

71. Python PEPs 458 & 480 https://www.python.org/dev/peps/pep-0458 https://www.python.org/dev/peps/pep-0480

72. THANK YOU