State Machine Model for The Update Framework (TUF)
Brian Romansky, Thomas Mazzuchi, Shahram Sarkani

TL;DR
This paper presents a state machine model to analyze how different signature algorithms impact the security and performance of The Update Framework (TUF) in software update systems, especially considering post-quantum cryptography.
Contribution
It introduces a formal state machine model that captures the effects of signature algorithm choices on TUF's update process and security properties.
Findings
Model quantifies impact of signature algorithms on TUF
Assesses implications for post-quantum cryptography
Provides insights for secure update system design
Abstract
The Update Framework or TUF was developed to address several known weaknesses that have been observed in software update distribution and validation systems. Unlike conventional secure software distribution methods where there may be a single digital signature applied to each update, TUF introduces four distinct roles, each with one or more signing keys, that must participate in the update process. This approach increases the total size of each update package and increases the number of signatures that each client system must validate. As system architects consider the transition to post-quantum algorithms, understanding the impact of new signature algorithms on a TUF deployment becomes a significant consideration. In this work we introduce a state machine model that accounts for the cumulative impact of signature algorithm selection when used with TUF for software updates.
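To make the cumulative effect concrete, the following added example (not the paper's model and not code from the TUF project) walks the top-level client workflow from the TUF specification as a small state machine and totals signature verifications and downloaded signature and key bytes per algorithm. The key counts and thresholds in `SAMPLE_ROLES`, the `pending_roots` parameter, and the worst-case assumption that every new root version fully rotates its keys are constructed for illustration; delegated targets roles are ignored.

```python
from dataclasses import dataclass

# (signature bytes, public-key bytes): Ed25519 per RFC 8032,
# ML-DSA-44 per FIPS 204, SLH-DSA-SHA2-128s per FIPS 205.
ALGS = {
    "ed25519": (64, 32),
    "ml-dsa-44": (2420, 1312),
    "slh-dsa-sha2-128s": (7856, 32),
}

# Constructed deployment: role -> (keys listed in root metadata, threshold).
SAMPLE_ROLES = {"root": (5, 3), "timestamp": (1, 1),
                "snapshot": (1, 1), "targets": (3, 2)}

# Client workflow order: root, then timestamp, snapshot, targets.
NEXT = {"ROOT": "TIMESTAMP", "TIMESTAMP": "SNAPSHOT",
        "SNAPSHOT": "TARGETS", "TARGETS": "DONE"}

@dataclass
class Cost:
    verifications: int = 0
    sig_bytes: int = 0
    key_bytes: int = 0

def refresh_cost(alg, roles=SAMPLE_ROLES, pending_roots=1):
    """Cost of one client refresh that must first walk `pending_roots` new roots."""
    sig, pk = ALGS[alg]
    total_keys = sum(n for n, _ in roles.values())
    cost, state, roots_left = Cost(), "ROOT", pending_roots
    while state != "DONE":
        _, threshold = roles[state.lower()]
        if state == "ROOT":
            if roots_left == 0:          # trusted root is current: move on
                state = NEXT[state]
                continue
            roots_left -= 1              # self-loop: one state visit per root version
            # A new root must meet the threshold of the previous root's keys
            # and of its own keys; with fully rotated keys that is 2x threshold.
            sigs = 2 * threshold
            cost.key_bytes += total_keys * pk   # root lists every role's keys
        else:
            sigs = threshold             # assumption: file carries exactly threshold sigs
            state = NEXT[state]
        cost.verifications += sigs
        cost.sig_bytes += sigs * sig
    return cost

if __name__ == "__main__":
    for name in ALGS:
        print(name, refresh_cost(name), refresh_cost(name, pending_roots=3))
```

The verification count is independent of the algorithm, while the byte totals scale with signature and key size, so a client several root versions behind pays the larger post-quantum sizes once per intermediate root.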
Taxonomy
Topics: Data Quality and Management · Advanced Database Systems and Queries · Distributed systems and fault tolerance
