Riyaz Faizullabhoy
Oct 28, 2016 at 12:00 PM in 380 Soda Hall
Title: When the Going Gets Tough, Get TUF Going!
Abstract: XSS, CSRF, and SQL injections are all severe vulnerabilities found in buggy software, but where did that buggy software come from in the first place? In reality, securing software installation and updates is an equally challenging, if not more challenging problem than developing secure systems to combat runtime vulnerabilities. Enter The Update Framework (TUF): a fully fledged signing framework that helps developers secure new or existing software update systems. TUF protects against data tampering, freeze and rollback attacks, and many cases of key compromise. This presentation will discuss both the attacks that TUF protects against and how it actually does so under the hood. Additionally, this presentation will demonstrate the usability aspects of TUF, and dive into a battle-tested production implementation of TUF.
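The abstract lists the attack classes a TUF client defends against: tampering, rollback and freeze. The following is an added illustration, not code from the talk, from TUF or from Notary, of the order in which a client applies those checks to one piece of role metadata. It assumes a constructed role name, a constructed clock, and an HMAC over canonical JSON as a stand-in for the asymmetric signatures TUF actually uses.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. Real TUF roles are verified with asymmetric public
# keys; an HMAC over the canonical JSON stands in so this runs offline.
DEMO_KEY = b"constructed-demo-key"


def canonical(signed: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(signed: dict) -> dict:
    """Wrap role metadata in an envelope carrying its signature."""
    sig = hmac.new(DEMO_KEY, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": dict(signed), "sig": sig}


def evaluate(envelope: dict, trusted_version: int, now: datetime):
    """Client-side checks in TUF order: signature, then version, then expiry.

    Returns (accepted, reason) so a caller can log why an update was refused.
    """
    expected = hmac.new(DEMO_KEY, canonical(envelope["signed"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "tampering"  # bytes changed after signing
    signed = envelope["signed"]
    if signed["version"] < trusted_version:
        return False, "rollback"  # served metadata older than what we already trust
    if datetime.fromisoformat(signed["expires"]) <= now:
        return False, "freeze"  # a correctly signed but stale copy is being replayed
    return True, "accepted"


# Constructed fixtures: the client currently trusts version 3 of the role.
NOW = datetime(2016, 10, 28, 12, 0, tzinfo=timezone.utc)
FRESH = sign({"role": "timestamp", "version": 3, "expires": "2016-10-29T12:00:00+00:00"})
OLD = sign({"role": "timestamp", "version": 2, "expires": "2016-10-29T12:00:00+00:00"})
STALE = sign({"role": "timestamp", "version": 3, "expires": "2016-10-27T12:00:00+00:00"})
TAMPERED = sign({"role": "timestamp", "version": 3, "expires": "2016-10-29T12:00:00+00:00"})
TAMPERED["signed"]["version"] = 99  # edited after signing, so the signature no longer matches

if __name__ == "__main__":
    for name, env in [("fresh", FRESH), ("old", OLD), ("stale", STALE), ("tampered", TAMPERED)]:
        print(name, evaluate(env, trusted_version=3, now=NOW))
```

The ordering matters: the version and expiry fields are only meaningful once the signature has been verified, otherwise an attacker who can edit the metadata could simply bump the version or push out the expiry. Short expiry windows on the role that changes most often are what turn a replayed copy into a detectable freeze rather than a silently stale client.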
Bio: Riyaz is a security engineer at Docker, where he's currently focused on Notary: a content signing platform based on The Update Framework. Riyaz has previously spoken at LinuxCon, Docker meetups, and led the "Docker Security" workshop at Dockercon 2016. Prior to working at Docker, Riyaz was a grad student at UC Berkeley and completed his undergraduate degree at UC Berkeley in 2014.