Securing the Joomla updater - by making open source even better
If you are a loyal reader of the Joomla community magazine, you surely remember the project to secure the Joomla updating process by using “The Update Framework”. Even though it has been a little quiet on the project in the last couple of months, work has continued in the background - finally leading to another code sprint at the end of June 2023.
A Quick Recap
So, what is this project all about? At its core, we want to prevent so-called supply-chain attacks. In such an attack, a malicious party would create a modified Joomla version that includes malware - and distribute that malicious code using the “normal” Joomla update process, i.e. by gaining access to the update service infrastructure of the project.
In computer science such attacks are a very common scenario - and there are established solutions to prevent them: by using cryptography, it’s possible to put a digital “signature” next to a Joomla update file, proving that this update has been published by the official project and that the file has not been modified by a malicious party on the way.
However, if you think about the problem for a minute or two, it quickly becomes apparent that a myriad of different attack scenarios have to be covered by such a cryptographic protection layer:
- Has the file been published by the project?
- Is the file unmodified?
- Is the offered update on the update server really the latest one, or has a malicious actor tricked me into believing so, preventing me from accessing the latest versions?
- What if the crypto key of a release lead is compromised?
It was clear pretty quickly that a self-created solution for all these scenarios was a bad idea and so we decided to implement “The Update Framework”, or just “TUF” for the Joomla updater. TUF is both an abstract concept and a reference implementation for a secure software update infrastructure.
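To make the four questions above concrete, here is an added example (written for this article, not code from the Joomla project, go-tuf or php-tuf) of the checks a TUF-style client performs before accepting an update. It uses Go’s standard ed25519 package and a deliberately simplified stand-in for TUF metadata: a version counter, an expiry date and the expected SHA-256 of each update file, signed by a threshold of pinned release keys. The keys, the update file and the filename `Joomla_5.x.zip` are all constructed inside the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Meta is a simplified stand-in for TUF "targets" metadata (assumption, not
// the real TUF format): version counter, expiry and per-file SHA-256 hashes.
type Meta struct {
	Version int64             `json:"version"`
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"` // filename -> hex SHA-256
}

// Envelope carries the serialised metadata plus one signature per key ID.
type Envelope struct {
	Signed     []byte            `json:"signed"`
	Signatures map[string][]byte `json:"signatures"`
}

// TrustedKeys is the client's pinned set of release keys and how many of
// them must agree, so that one compromised release-lead key is not enough.
type TrustedKeys struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

func keyID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

// Sign serialises meta once and signs the same bytes with every given key.
func Sign(meta Meta, keys []ed25519.PrivateKey) (Envelope, error) {
	signed, err := json.Marshal(meta)
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{Signed: signed, Signatures: map[string][]byte{}}
	for _, k := range keys {
		env.Signatures[keyID(k.Public().(ed25519.PublicKey))] = ed25519.Sign(k, signed)
	}
	return env, nil
}

// Verify answers the article's questions in order: enough trusted signatures
// (published by the project, unmodified), not expired (a stale mirror cannot
// hide newer releases forever) and a strictly increasing version (no rollback).
func Verify(env Envelope, trust TrustedKeys, lastVersion int64, now time.Time) (Meta, error) {
	valid := 0
	for id, sig := range env.Signatures {
		if pub, ok := trust.Keys[id]; ok && ed25519.Verify(pub, env.Signed, sig) {
			valid++ // map keys are unique, so each trusted key counts once
		}
	}
	if valid < trust.Threshold {
		return Meta{}, fmt.Errorf("only %d of %d required valid signatures", valid, trust.Threshold)
	}
	var meta Meta
	if err := json.Unmarshal(env.Signed, &meta); err != nil {
		return Meta{}, err
	}
	if !now.Before(meta.Expires) {
		return Meta{}, errors.New("metadata expired")
	}
	if meta.Version <= lastVersion {
		return Meta{}, fmt.Errorf("rollback: version %d is not newer than %d", meta.Version, lastVersion)
	}
	return meta, nil
}

// VerifyTarget checks a downloaded file against the hash the signed metadata promises.
func VerifyTarget(meta Meta, name string, data []byte) error {
	want, ok := meta.Targets[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the signed metadata", name)
	}
	got := sha256.Sum256(data)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("%s: hash mismatch, file was modified", name)
	}
	return nil
}

// Scenarios runs the happy path and each attack from the article against
// constructed keys and a constructed update file; nil means "accepted".
func Scenarios() map[string]error {
	var privs []ed25519.PrivateKey
	trust := TrustedKeys{Keys: map[string]ed25519.PublicKey{}, Threshold: 2}
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		privs = append(privs, priv)
		trust.Keys[keyID(pub)] = pub
	}
	pkg := []byte("constructed update package, not a real Joomla release")
	sum := sha256.Sum256(pkg)
	now := time.Now()
	meta := Meta{Version: 5, Expires: now.Add(24 * time.Hour),
		Targets: map[string]string{"Joomla_5.x.zip": hex.EncodeToString(sum[:])}}
	out := map[string]error{}
	env, _ := Sign(meta, privs[:2]) // two of three keys: threshold met
	m, err := Verify(env, trust, 4, now)
	out["valid update"] = err
	out["valid file"] = VerifyTarget(m, "Joomla_5.x.zip", pkg)
	out["tampered file"] = VerifyTarget(meta, "Joomla_5.x.zip", []byte("tampered"))
	one, _ := Sign(meta, privs[:1]) // only one (possibly compromised) key
	_, out["single compromised key"] = Verify(one, trust, 4, now)
	_, out["rollback"] = Verify(env, trust, 5, now) // client already has v5
	_, out["expired"] = Verify(env, trust, 4, now.Add(48*time.Hour))
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

Real TUF layers several such metadata files (root, timestamp, snapshot, targets) with separate keys and thresholds for each role, which is exactly the complexity the article argues against re-inventing; the example only shows why each check exists.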
An Open Source Story
In the past meetings and sprints we did a deep dive into the details of the TUF specification and started working on 3 different elements:
- The serverside setup for the actual update server: that part also includes an easy-to-use CLI tool that the project can use to manage signing keys and release new Joomla updates
- A generic PHP library that is able to read and parse a TUF update repository
- The actual implementation in the Joomla core
Especially for the serverside setup and the generic library it became pretty obvious that starting from scratch wouldn’t make sense, as some fantastic projects in the open source world already existed: go-tuf, a TUF implementation written in golang, is the heart of our CLI tool and php-tuf is used in the actual CMS to process the information stored on the update server.
During the previous sprints we had realized that both upstream projects either had bugs in parts that were crucial to us or lacked specific features. Therefore we decided to create bug reports and pull requests to improve these upstream projects while also resolving our own issues in the implementation. Especially in php-tuf we asked for some rather big changes, where it was unclear to us whether the maintainers would invest extra effort just to make their project more suitable for our use cases. However, it became obvious that our worries were unfounded: the maintainers were more than happy about our input and solved the issues, making this cooperation another great example of how open source is supposed to work.
The Current Sprint
After the majority of blocking issues in the upstream project had been fixed, we decided to do another sprint to finish the implementation in Joomla. The sprint took place in Nuremberg, Germany at the end of June. We updated the upstream dependencies, created a bunch of pull requests for newly discovered issues and most importantly cleaned up the reference implementation in the CMS to a state where a draft PR for internal review could be created. Once the final upstream issues have been resolved, we can create a PR in the public CMS repo. Stay tuned!
Last but not Least: Kudos
If you had walked into the hotel bar at that sprint, you would have seen a group of people working tirelessly while everyone else was already enjoying a beautiful summer night. The sprint team once again showed outstanding commitment and therefore I would like to thank Harald, Benjamin, Timo, Elias, Niels, Stefan and Hannes for their contributions! You guys rock!