in-toto: Securing the Entire Software Supply Chain - Santiago Torres, NYU

Introduction

Hello everyone, I am Santiago, a recently graduated Ph.D. student from NYU. Today, I want to discuss a way to secure the software supply chain, specifically focusing on a project called in-toto. As of now, it may be in the incubation stage under the Cloud Native Computing Foundation (CNCF), but its main goal remains clear: to protect everything happening at the left of your software delivery pipeline. This covers version control, build farms, vulnerability scanners, and more, essentially everything before code is deployed to the cloud.

The Problem of Software Supply Chain Vulnerabilities

Software supply chain vulnerabilities are an emerging problem that has caught the industry off-guard, leading to significant damages. Understanding these threats is crucial, as they can severely impact organizations. As we progress through this discussion, I will outline the nature of these vulnerabilities, the dangers they pose, and how in-toto can help secure your platforms.

How Software is Typically Built

Before diving into the specifics, let's explore how software is typically created. Most often, we think of a simplified software supply chain of the kind common in the GitHub generation. It generally follows this sequence:

  1. Code is stored in a version control system.
  2. The code is sent to a build farm.
  3. A continuous integration (CI) service, like Travis CI, runs tests on the code for quality.
  4. The code is then packaged for distribution to users.

Despite its simplicity, this example serves as a strong foundation to discuss security vulnerabilities throughout the software supply chain.

Common Attack Vectors

It's important to understand that software supply chains can be hacked in multiple areas:

  • Version Control Systems: Attackers may compromise these systems to alter source code, inject backdoors, or introduce malicious code. Notable incidents include attacks on the security of dependencies in projects.

  • Build Farms: These are prime targets for attackers, because a compromised compiler can make every product compiled with it unsafe. For instance, the infamous Ken Thompson attack highlights how new compilers can unintentionally introduce vulnerabilities.

  • Packaging Infrastructure: Attackers could penetrate these channels to insert malicious updates or software. For example, the Debian OpenSSL vulnerability in the past compromised integrity and security.

  • Compliance Issues: Even non-malicious actions can have significant repercussions if proper checks are not observed. A Windows update malfunction demonstrated how a compliance failure can bring down systems.

The takeaway from these examples is that a compromise at a single point can have devastating implications for end-users, costing companies vast sums of money.

Addressing the Vulnerabilities

To address these vulnerabilities, a more holistic view must be taken. Security practices like Git signing, utilizing TPMs in compilers, and employing secure delivery mechanisms such as TLS encryption must all be in place. But securing individual points is not enough, as gaps between these points can lead to vulnerabilities, creating blind spots in security enforcement.

The Solution: in-toto

in-toto aims to provide a robust framework that ensures supply chain security through the following mechanisms:

  1. Policy Definition: Define verifiable steps for the software supply chain.
  2. Actor Attribution: Identify the individuals responsible for each step—the “actors” in the pipeline.
  3. Connected Profiles: Ensure every step is interconnected, creating a seamless flow with no gaps in the security chain.

The project utilizes a layout that details how the supply chain should function, and link files document the actual operations within that supply chain. Each participant verifies their contributions, providing a cryptographic paper trail for validation.
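
A simplified model of the layout-and-link check described above, as an added example that is not in-toto's own code or API. HMAC with constructed keys stands in for real functionary signatures, and the rule that each step's materials must equal the previous step's products is an assumption standing in for the layout's own rules; `LAYOUT`, `make_link`, `verify` and `demo_chain` are hypothetical names.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC is a stand-in for public-key signatures.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
# Simplified layout: ordered steps and the one functionary allowed to run each.
LAYOUT = [("clone", "alice"), ("build", "bob"), ("package", "bob")]

def digest(files):
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def _mac(key, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_link(step, who, materials, products):
    """Link: signed record of what a step consumed and what it produced."""
    body = {"step": step, "by": who,
            "materials": digest(materials), "products": digest(products)}
    return {"body": body, "sig": _mac(KEYS[who], body)}

def verify(layout, links):
    """Return a list of violations; an empty list means the chain verifies."""
    problems, prev = [], None
    for name, functionary in layout:
        link = links.get(name)
        if link is None:
            problems.append(f"{name}: missing link")
            prev = None
            continue
        body = link["body"]
        if body["step"] != name or body["by"] != functionary:
            problems.append(f"{name}: not performed by {functionary}")
        elif not hmac.compare_digest(link["sig"], _mac(KEYS[functionary], body)):
            problems.append(f"{name}: bad signature")
        elif prev is not None and body["materials"] != prev:
            problems.append(f"{name}: materials differ from previous step's products")
        prev = body["products"]
    return problems

def demo_chain(tamper=False):
    """Constructed sample run; tamper=True alters the source between clone and build."""
    src = {"app.c": b"int main(void){return 0;}\n"}
    binary = {"app": b"\x7fELF-constructed-binary"}
    seen = {"app.c": b"int main(void){return 1;}\n"} if tamper else src
    return {
        "clone": make_link("clone", "alice", {}, src),
        "build": make_link("build", "bob", seen, binary),
        "package": make_link("package", "bob", binary, {"app.tar": b"constructed"}),
    }
```

With `tamper=True` every link is validly signed by an authorized functionary, yet verification still fails, because the build step consumed something other than what the clone step produced.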

Through integrations and collaboration with other communities, in-toto works to foster stronger software supply chain security. One notable partnership is with Tekton, which allows tracking of operational linkages.

Conclusion

In summary, securing the software supply chain is both crucial and an escalating challenge, and compromises can lead to significant repercussions for organizations and users alike. in-toto offers a way to address these issues holistically, promoting a secure and robust software development environment. If you're interested in getting involved with this open-source initiative, please join us in our community, participate in discussions, and contribute.


Keywords

  • Software supply chain
  • Security vulnerabilities
  • Version control
  • Build farms
  • Continuous integration
  • Compliance
  • in-toto
  • Cryptographic paper trail
  • Policy definition
  • Actor attribution

FAQ

Q1: What is the purpose of in-toto?
A: in-toto aims to secure the software supply chain by defining and verifying each step from version control to delivery.

Q2: How does in-toto work?
A: It uses a layout to dictate how the supply chain should operate and collects evidence of each actor's contributions during the process.

Q3: What are some common vulnerabilities in the software supply chain?
A: Common vulnerabilities exist in version control systems, build farms, packaging infrastructures, and compliance measures.

Q4: Why is it important to secure the software supply chain?
A: Compromises in the supply chain can affect all users and lead to costly damages for organizations, making proactive security measures essential.

Q5: How can individuals get involved with in-toto?
A: Interested individuals can join the in-toto community, participate in discussions, and contribute to its development through various channels listed on the project's website.