how is software made
play

How is software made? 2 A stylized software supply chain test - PowerPoint PPT Presentation

Jun 13, 2023 •213 likes •495 views

in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Phringer , Reza Curtmola, Justin Cappos How is software made? 2 A stylized software supply chain test code build package 3 Attackers can

  1. in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Pühringer , Reza Curtmola, Justin Cappos

  2. How is software made? 2

  3. A stylized software supply chain test code build package 3

  4. Attackers can hack the software supply chain test code build package 4

  5. Attackers do hack the software supply chain 5

  6. Attackers do hack the software supply chain 6

  7. Attackers do hack the software supply chain 7

  8. Attackers do hack the software supply chain 8

  9. Attackers do hack the software supply chain 9

  10. How can we fix this? 10

  11. Many good point solutions test code build package 11

  12. Many good point solutions test → git signing, reference state log [Torres USENIX Sec 16] , ... code build package 12

  13. Many good point solutions test → git signing, reference state log [Torres USENIX Sec 16] , ... code build package → TPMs, HSMs, reproducible builds, ... 13

  14. Many good point solutions test → git signing, reference state log [Torres USENIX Sec 16] , ... → TLS, GPG, TUF code build package → TPMs, HSMs, reproducible builds, ... 14

  15. Fixed? 15

  16. Gaps between steps? Compliance? test code build package 16

  17. We want to secure the complete Software Supply Chain! → Verifiably define the steps of the software supply chain → Verifiably define the authorized actors → Guarantee that everything happens according to definition, and nothing else 17

  18. in-toto -- Project Definition -- Steps { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } 18

  19. in-toto -- Project Definition -- Functionaries Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 19

  20. in-toto -- Project Definition -- Materials/Products Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 20

  21. in-toto -- Project Definition -- Rules Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 21

  22. in-toto -- Project Definition -- Signed Alice Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 22

  23. in-toto -- Signed Evidence for each Step $ in-toto-run -- ./do-the-supply-chain-step { { { { "_type": "Link", "_type": "Link", "_type": "Link", "_type": "Link", "name": "code", "name": "build", "name": "build", "name": "build", "byproducts": "byproducts": "byproducts": "byproducts": {"stderr": "", "stdout": {"stderr": "", "stdout": {"stderr": "", "stdout": {"stderr": "", "stdout": ""}, ""}, ""}, ""}, "command": [...], "command": [...], "command": [...], "command": [...], "materials": {}, "materials": {...}, "materials": {}, "materials": {}, "products": { "products": { "products": { "products": { "foo": {"sha256": "foo": {"sha256": "foo": {"sha256": "in-toto/.git/HEAD": "..."}}, "..."}}, "..."}}, {"sha256": "..."}}, "return_value": 0, "return_value": 0, "return_value": 0, "return_value": 0, "signatures": [...] "signatures": [...] "signatures": [...] "signatures": [...] } } } } 23

  24. DEMO: Grep -- Debian’ized & in-toto’ized fetch extract modify build (dget) (dpkg-source) ( interactive ) (dpkg-buildpackage) 24

  25. DEMO: Grep -- Debian’ized & in-toto’ized $ in-toto-run <opts> -- dget http://cdn.debian.net/debian/pool/main/g/grep/grep_2.12-2.dsc $ in-toto-run <opts> -- dpkg-source -x grep_2.12-2.dsc $ cd grep-2.12 $ in-toto-record start <opts> $ dch -i $ vi debian/rules $ in-toto-record stop <opts> $ in-toto-run <opts> -- dpkg-buildpackage -us -uc $ in-toto-verify --layout-keys <key> --layout grep_2.12-2.layout → goo.gl/hgPMHA (demo screencast + demo metadata) 25

  26. DEMO: Grep -- Debian’ized & in-toto’ized fetch extract modify build (dget) (dpkg-source) ( interactive ) (dpkg-buildpackage) 26

  27. Layout wizard (sneak preview) 27

  28. Thank You! Questions? https://in-toto.io/ jcappos@nyu.edu 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made in Germany for the Future Economy Alexandra Weissgerber Software AG MultilingualWeb Workshop 2011, 05 April 2011 Project Context 5 Projects

338 views • 12 slides
MADe SOFTWARE HUMS Avalon 2009 Background PHM Technology is an Australian company focused

MADe SOFTWARE HUMS Avalon 2009 Background PHM Technology is an Australian company focused

INTRODUCTION TO MADe SOFTWARE HUMS Avalon 2009 Background PHM Technology is an Australian company focused on advanced engineering applications. The Maintenance Aware Design environment (MADe) is a software tool that

332 views • 11 slides
Refactoring Noun: A change made to the internal structure of Refactoring software to make

Refactoring Noun: A change made to the internal structure of Refactoring software to make

Refactoring Noun: A change made to the internal structure of Refactoring software to make it easier to understand and cheaper to modify without changing its observable behaviour Verb: To restructure software by applying a series

204 views • 4 slides
Tailor-S: Look What You Made Me Do! Vadim Semenov Software Engineer @ Datadog

Tailor-S: Look What You Made Me Do! Vadim Semenov Software Engineer @ Datadog

Tailor-S: Look What You Made Me Do! Vadim Semenov Software Engineer @ Datadog vadim@datadoghq.com 1 2 3 4 5 Table of contents 1. The original system and issues with it 2. Requirements for the new system 3. Decoupling of state and

2.14k views • 148 slides
Software Engineering CSE435

Software Engineering CSE435

Name: Project: Deliverable: SRS, Rev3 (changes made to address customers feedback); Prototype, v3 (incorporate feedback from customer); presentation; video (EC) Date: 12/15/16 Software Engineering CSE435

65 views • 3 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 8 January 2019 OSU CSE 1 Restated Learning Outcomes Theme 1: software engineering concepts Be familiar with sound software engineering

535 views • 17 slides
humane assessment is a novel method for software engineering decision making. it is relevant

humane assessment is a novel method for software engineering decision making. it is relevant

humane assessment is a novel method for software engineering decision making. it is relevant for any software development project written in any programming language. it is made practical by the Moose analysis platform.

212 views • 3 slides
Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An introduction to creating electronic presentations using Microsoft PowerPoint 2010 ABT COLLABORATIVE BCCAMPUS Except for third party materials and

1.7k views • 94 slides
Welcome HILT is made possible by HILT is made possible by HILT is made possible by University

Welcome HILT is made possible by HILT is made possible by HILT is made possible by University

Welcome HILT is made possible by HILT is made possible by HILT is made possible by University Library Logistics Coffee Break Ashby Reading Room 2nd floor inside Philanthropy Library University Library Meals Tower Dining University

850 views • 27 slides
AKVIS PHOTO PROCESSING SOFTWARE AKVIS PHOTO PROCESSING SOFTWARE AKVIS AirBrush automatically

AKVIS PHOTO PROCESSING SOFTWARE AKVIS PHOTO PROCESSING SOFTWARE AKVIS AirBrush automatically

AKVIS PHOTO PROCESSING SOFTWARE AKVIS PHOTO PROCESSING SOFTWARE AKVIS AirBrush automatically transforms a photograph into a work of art which looks like made with a special airbrush tool that sprays paints or inks AKVIS ArtSuite is an

132 views • 9 slides
Fault tolerance made easy A head-start to resilient software design Uwe Friedrichsen (codecentric

Fault tolerance made easy A head-start to resilient software design Uwe Friedrichsen (codecentric

Fault tolerance made easy A head-start to resilient software design Uwe Friedrichsen (codecentric AG) QCon London 5. March 2014 @ufried Uwe Friedrichsen | uwe.friedrichsen@codecentric.de | http://slideshare.net/ufried |

705 views • 53 slides
Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview

Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview

Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview Microservices refresher Microservices and versioning What are Monorepos and why use them? These two concepts seem to contradict why

1.08k views • 23 slides
paranormal interactivity led mec heht gewyrcan led ordered me to be made Hello

paranormal interactivity led mec heht gewyrcan led ordered me to be made Hello

paranormal interactivity led mec heht gewyrcan led ordered me to be made Hello Jeremy I'm Little MOO - the bit of software that will be managing your order with us. It will shortly be sent to Big MOO, our print machine who will

1.21k views • 72 slides
ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan, create, manage, analyze and report agricultural experiments 2 ARM Software Overview Why use ARM Software? ARM provides: Resulting benefits

542 views • 9 slides
For whom is it made? It is made for foreigners immigrants in Italy, especially for newly arrived

For whom is it made? It is made for foreigners immigrants in Italy, especially for newly arrived

Created by Edizioni La Linea for the Metropolitan CPIA of Bologna as part of the FAMI 2014-2020 project Futuro in corso You can download for free from Google Play . For whom is it made? It is made for foreigners immigrants in Italy,

445 views • 27 slides
KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we create new software development solutions for projects with sizable data requirements. Having a background in mining industry, KAI Software have

267 views • 26 slides
Hebrews 10:23 Let us hold fast the confession of our hope without wavering, for he who promised

Hebrews 10:23 Let us hold fast the confession of our hope without wavering, for he who promised

Hebrews 10:23 Let us hold fast the confession of our hope without wavering, for he who promised is faithful. (ESV) Let us hold unswervingly to the hope we profess, for he who promised is faithful. (NIV) Hebrews 10:35-36 Therefore

641 views • 22 slides
Quantum Leaks in Space0me R.B. Mann Rela0vis0c Quantum

Quantum Leaks in Space0me R.B. Mann Rela0vis0c Quantum

Quantum Leaks in Space0me R.B. Mann Rela0vis0c Quantum Informa0on Informa0on RQI Quantum Rela0vity

714 views • 49 slides
Generalized Buckley-Leverett system Wladimir Neves UFRJUniversidade Federal do Rio de Janeiro

Generalized Buckley-Leverett system Wladimir Neves UFRJUniversidade Federal do Rio de Janeiro

Introduction Non-linear porous-media theory Muskat problem Remarks on Muskat problem Generalized Buckley-Leverett system Statement of the Buckley-Leverett problem Existence of generalized solution Generalized Buckley-Leverett system Wladimir

613 views • 42 slides
Rethinking Electrons and the Electric Phenomenon. Anton Vrba Anton Vrba c Presentation to

Rethinking Electrons and the Electric Phenomenon. Anton Vrba Anton Vrba c Presentation to

Ein Gedankenexperiment 1 History 7 Proposition 17 Rethinking Electrons and the Electric Phenomenon. Anton Vrba Anton Vrba c Presentation to Vigier 10 July, 2016 Rethinking Electrons and the Electric Phenomenon. 0/30 Ein

337 views • 31 slides
CENG3420 Lecture 01: Introduction Bei Yu byu@cse.cuhk.edu.hk (Latest update: January 10, 2018)

CENG3420 Lecture 01: Introduction Bei Yu byu@cse.cuhk.edu.hk (Latest update: January 10, 2018)

CENG3420 Lecture 01: Introduction Bei Yu byu@cse.cuhk.edu.hk (Latest update: January 10, 2018) Fall 2017 1 / 50 Overview Course Information Background Organization First Glance Summary 2 / 50 Overview Course Information Background

639 views • 60 slides
Machine Translation and Sequence-to-sequence Models http://phontron.com/class/mtandseq2seq2018/

Machine Translation and Sequence-to-sequence Models http://phontron.com/class/mtandseq2seq2018/

Machine Translation and Sequence-to-sequence Models Machine Translation and Sequence-to-sequence Models http://phontron.com/class/mtandseq2seq2018/ Graham Neubig Carnegie Mellon University CS 11-731 1 Machine Translation and

653 views • 44 slides
Liberty Leading the Vegetables (Delacroix) The Anatomy Lesson of Dr. Pickled Cabbage (Rembrandt)

Liberty Leading the Vegetables (Delacroix) The Anatomy Lesson of Dr. Pickled Cabbage (Rembrandt)

Liberty Leading the Vegetables (Delacroix) The Anatomy Lesson of Dr. Pickled Cabbage (Rembrandt) The Raft of the Lotus Roots (Gericault) The Death of the Cabbage Head (David) The Birth of the Radish (Botticelli) The Sleeping Taroman

323 views • 21 slides
Eclipse MicroProfile Starter CONFIDENTIAL Designator with Quarkus OpenAlt 2019 Michal Karm

Eclipse MicroProfile Starter CONFIDENTIAL Designator with Quarkus OpenAlt 2019 Michal Karm

Eclipse MicroProfile Starter CONFIDENTIAL Designator with Quarkus OpenAlt 2019 Michal Karm Babacek Martin tefanko @_karm @xstefank Principal Quality Engineer, Red Hat Software Engineer, Red Hat C/Java/Go programmer focused on Apache HTTP

327 views • 31 slides

More recommend