Thandy: Secure Update for Tor

Friday, March 13, 2009

Nick Mathewson, The Tor Project

Long ago, Tor was a single executable that you could usefully run on its own. Over time, we added a relatively long list of recommended dependencies, including Privoxy to avoid DNS leaks, Vidalia for a user interface, and Torbutton for safe browsing. Now, due to the increasing complexity of our packages such as the Vidalia Bundle, the Tor Browser Bundle, and related projects, a full installation can contain five or more specially configured pieces of software.

We needed to help users keep all of this software updated. When we make security fixes, quick uptake helps narrow the window in which attackers can take advantage of newly discovered problems. But many people don't subscribe to or-announce, and so they only find out about new releases sporadically. Updates need to be easy, too: each additional upgrade step is an opportunity for people to make mistakes, and an annoyance means that more users will stay with older, insecure versions. The administration needs to be easy as well; Tor doesn't have a release engineering team, so we can't add too many hard steps to putting out each new release.

Most of all, updates need to be secure. We already sign all of our packages so that people can be sure they come from us, but most users never actually check the signatures on them. (The most careful binary-package users seem to be those who download the OS X bundles, and only around 7 percent of them actually seem to download the signature files too. We count total downloads, but don't record other user info.)

Most free Unix-like operating systems already have a built-in package distribution and update system with some amount of support for the above features, but for Windows and OS X, we're kind of out of luck: none of the existing free-software package distribution systems we evaluated had the level of security and detailed specifications we wanted.

With these goals in mind and funding from Google's Open Source Programs Office, we designed a secure update protocol primarily for Tor's needs, but one that can also be adapted to other software projects. It's named "Thandy" for obscure reasons, and you can check out the specifications or even try it out yourself.

I'm especially happy with Thandy's security architecture. We assume an adversary who can operate compromised mirrors and who can possibly compromise the main repository. At worst, such an adversary can deny updates to users (a denial of service), and only in a way that users can detect. Unlike lots of other update tools, we're immune to rollback attacks (where an adversary convinces users to install an old, compromised version of the software), we can detect frozen mirrors (where an adversary just doesn't serve updates), and we can even handle key compromise relatively gracefully. Most encouragingly, the fact that Thandy is both decently secure and well-specified has garnered us some attention from serious security researchers like Justin Cappos, coauthor of a great paper about software updaters in last year's CCS, a conference on computer and communications security.
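The rollback and frozen-mirror checks described above, as an added illustrative Python example (this is not Thandy's code; the metadata layout, the HMAC stand-in for the repository's signature, and the constructed key and hashes are assumptions):

```python
import hashlib
import hmac
import json

# Constructed demo key: a shared-secret HMAC stands in for the repository's
# signature. This is an assumption for illustration, not Thandy's real format.
REPO_KEY = b"constructed-demo-key"


def sign(meta):
    """MAC over the canonical JSON encoding of the release metadata."""
    body = json.dumps(meta, sort_keys=True).encode()
    return hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()


def make_release(version, expires, bundle_sha256):
    """What the repository publishes: a version counter, an expiry time and the bundle hash."""
    meta = {"version": version, "expires": expires, "bundle_sha256": bundle_sha256}
    return {"meta": meta, "sig": sign(meta)}


class UpdateClient:
    def __init__(self, last_version=0):
        self.last_version = last_version  # highest version counter ever accepted

    def check(self, release, now):
        meta, sig = release["meta"], release["sig"]
        if not hmac.compare_digest(sign(meta), sig):
            return "reject: bad signature"   # forged or tampered metadata
        if meta["expires"] <= now:
            return "reject: stale"           # frozen mirror, or replay of an expired file
        if meta["version"] < self.last_version:
            return "reject: rollback"        # older than a release this client already saw
        self.last_version = meta["version"]
        return "accept"


def demo():
    """Walk one client through a good release and the three failure modes."""
    client = UpdateClient()
    current = make_release(2, expires=2000, bundle_sha256="ab" * 32)  # constructed hash
    forged = {"meta": dict(current["meta"], bundle_sha256="cd" * 32), "sig": current["sig"]}
    return [
        client.check(current, now=1000),                           # accept
        client.check(make_release(1, 2000, "ab" * 32), now=1000),  # reject: rollback
        client.check(current, now=2500),                           # reject: stale
        client.check(forged, now=1000),                            # reject: bad signature
    ]
```

Every rejection is a visible failure rather than a silent downgrade, which is the detectable denial of service the post describes as the adversary's best case.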

The software is still in an experimental stage, and there are a number of efficiency opportunities it would be neat for us (or anybody) to follow up on in the future, but so far it seems to be working well. Have a look at the source, and let me know if you're interested in hacking on it!