PyCon 2011 Atlanta

March 9th–17th

TUF: Secure Software Updates in Python

Novice / Talk
March 13th 1:15 p.m. – 1:45 p.m.
From an attacker's point of view there are few entry points with as much to offer as a vulnerable software updater, yet history tells us that such vulnerabilities are common. In this talk we'll demonstrate a number of attacks, explain how common approaches fail to defend against them, and demonstrate a pure Python library (TUF) that provides both robust protection and extreme ease of use.

Abstract

Vulnerabilities in software update systems expose users to a huge range of potential security risks, including:

  • Freeze attacks,
  • Mix-and-match attacks,
  • Rollback attacks, and
  • Endless data attacks

In the first part of this talk, we'll demonstrate each of these attacks against real-world software updaters and explain how commonly used countermeasures fail in practice. In the second part, we'll demonstrate TUF, walk through its internals, and show the mechanisms it uses to additionally defend against key compromise. Finally, we'll demonstrate how easy it is to integrate TUF into your application and its release lifecycle.