On March 18, the Uptane project announced the release of Uptane Standard for Design and Implementation V.2.0.0 . This new edition of the Standard reflects the secure software update project’s evolution towards greater adaptability in meeting the emerging threats of sophisticated cyber attackers.
In V.2.0.0 of its Standard, the Uptane project mandates a few key added actions. These include improving the process for verifying the authenticity of an image before downloading, while allowing more flexibility in implementations than in previous releases. An example of this change was the decision to remove references to the original Uptane-specific time server. Under the new Standard, implementers can make their own decisions about secure sources of reliable time.
In terms of language changes, the Uptane Standard now rigorously restricts the use of conformance imperatives — words such as SHALL or MUST that have specific meaning when used in standards — to the cases where they are actually required for interoperation or limiting behavior with the potential for causing harm. Uptane V2.0.0 also clarifies the functional properties of cryptographic keys, so that signing keys (which must be unique) are not confused with encryption keys (which can be shared-use keys). Uptane V2.0.0 also clarifies that all primary ECUs always perform full verification on downloaded software update packages.
Uptane Standard for Design and Implementation is available for download in HTML and PDF formats through the Uptane website at https://uptane.github.io/. A companion volume, Uptane Deployment Best Practices, will be available on the website in the next few weeks.
Uptane was developed by a team of engineers that included Dr. Justin Cappos, associate professor of computer science and engineering at NYU Tandon School of Engineering and director of its Secure Systems Lab. Dr. Cappos remains an active contributor to the project, serving as a member of the project’s steering committee. The lab also continues to contribute to the project’s development through the work of Ph.D. candidate Marina Moore, and alumni like Dr. Trishank Karthik Kuppusamy, now engineering manager at Datadog.