VMware’s supply chain software team has been actively contributing to the world of open-source projects with a strong focus on ensuring the integrity of software updates within the supply chain ecosystem. By making impactful contributions to this field, the team works on enhancing the security and reliability of today’s software systems.
In previous blog posts, we introduced The Update Framework (TUF), an open-source framework designed to secure software update systems. We also provided guidance on leveraging TUF and other industry tools to strengthen software supply chains. In this post, we’ll share the results of a recent security assessment of the Go implementation of TUF. go-tuf is one of the most widely adopted TUF implementations used by many projects, including sigstore, where it plays a critical role in securing the distribution of their trusted keys and protecting their infrastructure. Demonstrating our commitment to the project’s importance, VMware initiated a comprehensive security assessment of the go-tuf project.
During the security assessment conducted by X41 D-Sec GmbH, several vulnerabilities were discovered in go-tuf. While two of these vulnerabilities were rated as medium and low severity, four additional issues were identified without immediate security implications. These findings might impose potential risks to update integrity and file overwrite scenarios. To mitigate the identified vulnerabilities, it is recommended to implement measures such as version linking and project-specific root metadata in go-tuf. Additionally, validating signatures for all files processed by go-tuf will enhance protection against file manipulation during transit. Alongside the identified vulnerabilities, the security assessment highlighted that the “keys” directory had been assigned with world-readable permissions. Although this does not directly expose key files to local attackers, it is considered a best practice to assign only the minimum necessary permissions.
Despite the discovery of only a few vulnerabilities and weaknesses, go-tuf demonstrates a high level of maturity in terms of security. The security assessment conducted by X41 D-Sec GmbH underscores the importance of continuously improving the project’s security posture and implementing best practices. Alongside maintaining the project, the maintainers of go-tuf are also working on a new code base inspired by the successful redesign of python-tuf. This new implementation is designed to be more efficient, user-friendly, and easier to maintain. The ongoing efforts of the maintainers to improve the project’s design and simplicity will contribute to the overall health and long-term success of go-tuf. By implementing the recommended measures, following the best practices, and leveraging the advancements in the new code base, go-tuf will continue to provide a reliable and secure solution for managing software updates. Another example of VMware’s continuous efforts in enhancing supply chain software security not only inspires trust but also contributes to the broader improvement and resilience of the software ecosystem.
Stay tuned to the Open Source Blog and follow us on Twitter for more deep dives into the world of open source contributing.
