1# Security audit of go-tuf
2
3## The Update Framework
4
5## Radoslav Dimitrov - 06/13/2023
6
7go-tuf, a Go implementation of The Update Framework (TUF), plays a critical role in securely managing
8software updates. Recently, a security assessment conducted by X41 D-Sec GmbH uncovered a few
9security-related findings in go-tuf. The following blog post provides a concise overview of the
10assessment's key findings and recommendations.
11
12The assessment identified two vulnerabilities of medium and low severity in go-tuf, along with
13four additional issues without immediate security implications. Even though there are no
14high-severity issues, these vulnerabilities still pose risks in update integrity and local file
15overwrite scenarios.
16
17To address the vulnerabilities, it was recommended to implement measures such as linking versions
18and making root metadata project-specific. Additionally, validating signatures for all files
19processed by go-tuf will enhance protection against file manipulation during transit. Alongside
20the identified vulnerabilities, the security assessment highlighted that the “keys” directory had
21been assigned with world-readable permissions. Although this does not directly expose key files to
22local attackers, it is considered a best practice to assign only the minimum necessary permissions.
23
24Despite the discovery of only a few vulnerabilities and weaknesses, go-tuf demonstrates a high level
25of maturity in terms of security. The security assessment conducted by X41 D-Sec GmbH underscores
26the importance of continuously improving the project's security posture and implementing best practices.
27Alongside maintaining the project, the maintainers of go-tuf are also working on a new code base
28which is based on the positive redesign of python-tuf. This new code base is designed to be more
29efficient, user-friendly, and easier to maintain. The ongoing efforts of the maintainers to improve
30the project's design and simplicity will contribute to the overall health and long-term success
31of go-tuf. By implementing the recommended measures, adhering to best practices, and leveraging
32the advancements in the new code base, go-tuf will continue to provide a reliable and secure solution
33for managing software updates.
View as plain text