Joomla's TUF time is a winner at CloudFest Hackathon
Joomla was one of the winners of the CloudFest Hackathon with its TUF project.
Elisa Foltyn shared with our readers some notes about the hackathon initiative.
Imagine developers from all over the cloud industry teaming up to create innovative solutions for tech issues... that is what the CloudFest Hackathon is all about. Developers meet in Rust, Germany to solve problems. This year’s CloudFest Hackathon took place in March. There were a lot of issues to be worked on, and one was a Joomla issue: integrating secure updates. Elisa Foltyn tells us about all the awesome things that happened.
Hi, I’m Elisa and I applied to take part in the CloudFest Hackathon 2022 and was very happy to be selected as one of the lucky ones to take part in the event. At first, I felt a bit disappointed to see only some WordPress projects announced. I was wondering if I would find “my place”. Luckily there was one Joomla project added, so I knew where my heart could be.
I arrived at the event on Saturday, 19th March, in the afternoon, when a team of nine people had already started working at the #cloudfest #hackathon to create a proof of concept to integrate secure updates into Joomla with “The Update Framework” (TUF). So my first question was: “What is this all about?”
Have you ever heard of a supply chain attack?
So basically, a supply chain attack would look like this: your CMS installation tells you that it needs to be updated and you click on “Update now”. At this moment your CMS requests a compressed version of the update from the update server, unpacks it and installs it. But what if, in the meantime, the update server has been hijacked, or the package has been tampered with or otherwise compromised?
Exactly this has happened to a number of big companies, like Adobe, Microsoft and others, resulting in huge damage.
“The Update Framework” (TUF) is a framework designed to deliver signed updates for all kinds of software.
Updates for the current open source CMSs are not yet secured with cryptographic signatures. Signing updates would let the CMS verify the legitimacy of an update before installing it. The team project at the CloudFest Hackathon was to implement “The Update Framework” (TUF) and integrate it into Joomla to make sure that no tampered version of the CMS could be installed.
“I wish there would be automated updates for Joomla”
Implementing a security concept like TUF is a prerequisite for being able to offer automated updates securely. Imagine millions of websites getting automated updates at the same time with a compromised version. Unimaginable (or just in the WordPress world? ;-)). TUF is therefore the obvious solution to make such a feature possible.
What tasks had to be done at the Hackathon
On day 1 we formed three teams to face the challenge and defined the organizational structure. I was in the organization team, where we made a rough draft of who is eligible to get a root key and who gets a delegated key. We researched different options and decided that an HSM (a hardware security module: a physical device that manages digital keys) would be the best option to generate and store the root keys. We discussed the expiration dates of the keys and what to do if a root key holder leaves their role. We discussed how many keys would be needed to sign a Joomla release and how many root keys are needed for a root key change.
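To make the key policy above concrete, here is an added example (not code from the hackathon team, nor from the TUF Go or PHP clients) of the two checks a TUF client applies to signed update metadata before trusting it: the expiration date and the signature threshold pinned for a role. It is written in Go because the signing tool chain described later builds on the TUF Go implementation; the role and metadata layout, the key IDs and the canonical signed string are simplified assumptions, not the real TUF metadata format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Role is what root metadata pins for the "targets" role: trusted keys by ID plus the threshold.
type Role struct{ Keys map[string]ed25519.PublicKey; Threshold int }

// Metadata is simplified targets metadata; signatures are keyed by key ID so one key never counts twice.
type Metadata struct {
	Expires    time.Time         // after this the client must refuse it, even if correctly signed
	TargetHash string            // hex SHA-256 of the update package the client may install
	Signatures map[string][]byte // key ID -> Ed25519 signature over canonical()
}

// canonical is the exact byte string each key holder signs; changing expiry or hash breaks every signature.
func (m Metadata) canonical() []byte {
	return []byte("targets|" + m.Expires.UTC().Format(time.RFC3339) + "|" + m.TargetHash)
}

// Sign is the release side: one key holder (for example a release lead) adds a signature.
func (m *Metadata) Sign(keyID string, priv ed25519.PrivateKey) {
	m.Signatures[keyID] = ed25519.Sign(priv, m.canonical())
}

// Verify is the client side: reject expired metadata, then require Threshold valid signatures from trusted keys.
func Verify(role Role, m Metadata, now time.Time) error {
	if !now.Before(m.Expires) {
		return fmt.Errorf("metadata expired at %s", m.Expires.Format(time.RFC3339))
	}
	valid := 0
	for id, sig := range m.Signatures {
		// Signatures by keys root does not trust are ignored rather than counted.
		if pub, ok := role.Keys[id]; ok && ed25519.Verify(pub, m.canonical(), sig) {
			valid++
		}
	}
	if valid < role.Threshold {
		return fmt.Errorf("%d of %d required signatures valid", valid, role.Threshold)
	}
	return nil
}

// PackageMatches checks the downloaded archive against the hash pinned in the signed metadata.
func PackageMatches(m Metadata, pkg []byte) bool { s := sha256.Sum256(pkg); return hex.EncodeToString(s[:]) == m.TargetHash }
```

With a threshold of two, one trusted signature plus any number of signatures from untrusted keys is still rejected, and a hash changed after signing invalidates every signature.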
Of course we had some obligatory #jbeer too.
The Hackathon was organized to be as safe as possible during the pandemic, so all participants needed to be vaccinated AND tested. I don’t want to make any reader jealous, but it was much needed to see my Joomla friends again in real life and to chit-chat and sit together.
Back to the work part
On day 2, after defining all the rules, Stefan Wendhausen (the Joomla Translations Coordinator) and Niels Nübel formed a team to extend and rewrite the TUF PHP client. The client checks for new versions of the update metadata and updates it. They worked on removing the hardcoded dependency on the Guzzle HTTP library and created a pull request for the PHP-TUF client to add Joomla's HTTP layer as a data transport adapter and make the client more platform-agnostic. They also prepared unit tests.
Elias Hackrath, actually someone from the Drupal community and the SysOps guy behind CMS Garden, created a Docker-based tool chain for board members and release leads to perform signing and key rotation operations. The chain is based on the existing TUF Go implementation, in which the hackathon revealed multiple issues that have been reported to the upstream project.
Harald Leithner, Joomla’s Operations Department Coordinator, and David Jardin, the Joomla Security Team Lead, built the infrastructure and generated some test keys. Test packages were signed and validated.
Franciska Perisa (Release Lead of Joomla 4.2), Benjamin Trenkle (Joomla’s Production Department Coordinator) and Timo Feuerstein (a member of the TYPO3 community) prepared Joomla, including the database, so that the metadata can be stored and checked and the update can be safely installed. They worked closely with Magnus Singer, our master of validation, who prepared the integration of the validation process into Joomla updates.
The project was far from easy
The team found many barriers implementing TUF in Joomla and found themselves deeper and deeper down the rabbit hole, but mastered these challenges with bravery and finished a proof of concept at the end of day 2.
As the hackathon result, we created a proof-of-concept implementation for Joomla core that retrieves update information from the new TUF-based repository and verifies the signatures during the update. The team also already arranged a date for a sprint to finalize the project.
Joomla was chosen as the overall winner over the other projects
I had the honor of presenting the team’s results to the other teams and the jury. When I mentioned that our results will not only benefit Joomla but will be open and shared with any open source CMS, I got a “wow” and applause for the team, and because of the huge success, progress and overall achievements at the hackathon, we won the hackathon as best team.
Additional Award for Social Media Engagement
During the hackathon I made some tweets and social media buzz, and the amazing Joomla community did not let my notifications idle. Joomla has such a great community base, helping, sharing and retweeting, that the social engagement win was the least my work and, of course, the achievement of the Joomla community. Thank you all for that!