SLIDE 1
in-toto -- Securing the whole software supply chain
Santiago Torres-Arias, Hammad Afzali, Lukas Pühringer, Reza Curtmola, Justin Cappos
How is software made?
2
How is software made? 2 A stylized software supply chain test - - PowerPoint PPT Presentation
How is software made? 2 A stylized software supply chain test - - PowerPoint PPT Presentation
in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Phringer , Reza Curtmola, Justin Cappos How is software made? 2 A stylized software supply chain test code build package 3 Attackers can
SLIDE 2
SLIDE 3
A stylized software supply chain
3
code build test package
SLIDE 4
Attackers can hack the software supply chain
4
code build test package
SLIDE 5
Attackers do hack the software supply chain
5
SLIDE 6
Attackers do hack the software supply chain
6
SLIDE 7
Attackers do hack the software supply chain
7
SLIDE 8
Attackers do hack the software supply chain
8
SLIDE 9
Attackers do hack the software supply chain
9
SLIDE 10
How can we fix this?
10
SLIDE 11
Many good point solutions
11
code build test package
SLIDE 12
Many good point solutions
12
code build test package
→ git signing, reference state log [Torres USENIX Sec 16], ...
SLIDE 13
Many good point solutions
13
code build test package
→ TPMs, HSMs, reproducible builds, ... → git signing, reference state log [Torres USENIX Sec 16], ...
SLIDE 14
Many good point solutions
14
code build test package
→ TPMs, HSMs, reproducible builds, ... → TLS, GPG, TUF → git signing, reference state log [Torres USENIX Sec 16], ...
SLIDE 15
Fixed?
15
SLIDE 16
Gaps between steps? Compliance?
16
code build test package
SLIDE 17
We want to secure the complete Software Supply Chain!
17
→ Verifiably define the steps of the software supply chain → Verifiably define the authorized actors → Guarantee that everything happens according to definition, and nothing else
SLIDE 18
in-toto -- Project Definition -- Steps
{ "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] }
18
SLIDE 19
in-toto -- Project Definition -- Functionaries
{ "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] }
19
Bob Carol Dave Erin
SLIDE 20
in-toto -- Project Definition -- Materials/Products
{ "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] }
20
Bob Carol Dave Erin
SLIDE 21
in-toto -- Project Definition -- Rules
{ "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] }
21
Bob Carol Dave Erin
SLIDE 22
in-toto -- Project Definition -- Signed
{ "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] }
22
Bob Carol Dave Erin Alice
SLIDE 23
in-toto -- Signed Evidence for each Step
{ "_type": "Link", "name": "code", "byproducts": {"stderr": "", "stdout": ""}, "command": [...], "materials": {}, "products": { "foo": {"sha256": "..."}}, "return_value": 0, "signatures": [...] } { "_type": "Link", "name": "build", "byproducts": {"stderr": "", "stdout": ""}, "command": [...], "materials": {...}, "products": { "foo": {"sha256": "..."}}, "return_value": 0, "signatures": [...] } { "_type": "Link", "name": "build", "byproducts": {"stderr": "", "stdout": ""}, "command": [...], "materials": {}, "products": { "foo": {"sha256": "..."}}, "return_value": 0, "signatures": [...] } { "_type": "Link", "name": "build", "byproducts": {"stderr": "", "stdout": ""}, "command": [...], "materials": {}, "products": { "in-toto/.git/HEAD": {"sha256": "..."}}, "return_value": 0, "signatures": [...] }
23 $ in-toto-run -- ./do-the-supply-chain-step
SLIDE 24
DEMO: Grep -- Debian’ized & in-toto’ized
24
fetch
(dget)
extract
(dpkg-source)
modify
(interactive)
build
(dpkg-buildpackage)
SLIDE 25
DEMO: Grep -- Debian’ized & in-toto’ized
25 $ in-toto-run <opts> -- dget http://cdn.debian.net/debian/pool/main/g/grep/grep_2.12-2.dsc $ in-toto-run <opts> -- dpkg-source -x grep_2.12-2.dsc $ cd grep-2.12 $ in-toto-record start <opts> $ dch -i $ vi debian/rules $ in-toto-record stop <opts> $ in-toto-run <opts> -- dpkg-buildpackage -us -uc $ in-toto-verify --layout-keys <key> --layout grep_2.12-2.layout
→ goo.gl/hgPMHA (demo screencast + demo metadata)
SLIDE 26
DEMO: Grep -- Debian’ized & in-toto’ized
26
fetch
(dget)
extract
(dpkg-source)
modify
(interactive)
build
(dpkg-buildpackage)
SLIDE 27
Layout wizard (sneak preview)
27
SLIDE 28
28
Thank You! Questions?
https://in-toto.io/ jcappos@nyu.edu