
Building Compromise-Resilient Software Repositories

Posted on: 2018-12-21
Degree: Ph.D
Type: Thesis
University: New York University Tandon School of Engineering
Candidate: Kuppusamy, Trishank Karthik
Full Text: PDF
GTID: 2448390002999549
Subject: Computer Science
Abstract/Summary:
Software repositories, or servers that host and distribute software updates, are becoming increasingly important in a wide variety of settings, including automobiles, cloud computing, laptops, medical devices, smartphones, tablets, and the Internet of Things. This is because software updates allow for adding new features, improving existing ones, and fixing security vulnerabilities. Unfortunately, previous software update security systems, such as those using GPG, RSA, SSL/TLS, or CUP, failed to protect users when the repositories themselves, and the single key used to sign updates, have been compromised. When a repository is compromised, the impact is huge, because attackers can sign, distribute, and install malware on millions of devices, threatening national security and human lives.

In this thesis, we discuss four security systems that use The Update Framework (TUF) to build compromise-resilient repositories in various settings. These security systems allow attackers to compromise as few users as possible, even in the event of a repository compromise, without hampering usability, performance, and flexibility in normal use cases. Diplomat is a variant of TUF that provides near-perfect compromise-resilience for community repositories, while allowing real-time registration of new projects by anyone at any time. Mercury is a variant of Diplomat which is able to use low bandwidth costs to prevent rollback attacks on community repositories with a large number of frequently updated projects. Trident is a variant of Mercury that allows users to securely update software drawn from multiple repositories, and stipulate what files they are allowed to take from each of them. Lastly, Uptane is a fork of Trident that takes features from all of these systems to solve problems unique to the automotive domain.

Diplomat, Mercury, and Trident have been standardized and incorporated into the latest versions of TUF, which is being integrated by Haskell, OCaml, RubyGems, Rust, and Python, and is being used in production by LEAP, Flynn, DigitalOcean, VMware, CoreOS, and Docker. At the time of this writing, three automotive suppliers, Advanced Telematic Systems, Lear Corporation, and OTAinfo, as well as an original equipment manufacturer are integrating Uptane, with others following suit.
Keywords/Search Tags: Software, Repositories, Systems