SaTC: TTP: Medium: Collaborative: Securing the Software Supply Chain

SaTC：TTP：媒介：协作：保护软件供应链

• 批准号: 1801376
• 负责人: Justin Cappos
• 金额: $ 76.6万
• 依托单位: New York University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-07-01 至 2022-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1801376&HistoricalAwards=false
• 关键词: SaTC; TTP; Medium; Collaborative; Securing

Making modern software involves tools such as a source code management system, a verify/build/package system, and a repository for distributing software and updates. The security of this software chain is dramatically overlooked today, as many recent incidents demonstrate. Existing defenses provide piecemeal solutions to individual problems and, when combined, do not provide end-to-end guarantees. This project seeks to transition into widespread practical use a system called "in-toto", which provides insights and end-to-end guarantees about the software supply chain. in-toto protects software from the moment it is written by a developer and ensures that the chain of trust can be followed all the way to the software that gets installed on user devices. In-toto generates cryptographically signed metadata for each step in the chain, and links together and carries these metadata throughout the entire chain. The salient positive impact comes from making the software development process transparent and publicly verifiable. in-toto provides a natural way to make the code review and testing practices publicly visible, thus incentivizing developers to follow safe software practices. Through ongoing and future collaborations, in-toto is being integrated into several large software projects that will positively impact millions of computers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

制造现代软件涉及诸如源代码管理系统，验证/构建/软件包系统以及用于分发软件和更新的存储库之类的工具。正如许多最近的事件所表明的那样，如今，该软件链的安全性被极大地忽略了。现有的防御能力为个人问题提供了零碎的解决方案，并且在合并后不提供端到端的保证。 该项目旨在过渡到广泛的实际使用，一种称为“抢断”的系统，该系统提供了有关软件供应链的见解和端到端保证。从开发人员撰写的那一刻，可以保护软件，并确保可以一直遵循信任链，一直到安装在用户设备上的软件。 In-Toto为链中的每个步骤生成密码签名的元数据，并将这些元数据链接在一起，并在整个链条中携带这些元数据。显着的积极影响来自使软件开发过程透明且可公开验证。 In-Toto提供了一种自然的方式来公开可见代码审查和测试实践，从而激励开发人员遵循安全的软件实践。 通过正在进行的和将来的合作，In-Toto被整合到几个大型软件项目中，这些项目将对数百万计算机产生积极影响。该奖项反映了NSF的法定任务，并认为使用基金会的知识分子优点和更广泛的影响审查标准，被认为值得通过评估。

项目成果

in-toto: Providing farm-to-table guarantees for bits and bytes

in-toto：为比特和字节提供从农场到餐桌的保证

• DOI: 10.5555/3361338.3361435
• 发表时间: 2019
• 期刊: Proc. of the 28th USENIX Security Symposium
• 作者: Torres-Arias, Santiago;Afzali, Hammad;Kuppusamy, Trishank Karthik;Curtmola, Reza;Cappos, Justin
• 通讯作者: Cappos, Justin

le-git-imate: Towards Verifiable Web-based Git Repositories

le-git-imate：迈向可验证的基于 Web 的 Git 存储库

• DOI: 10.1145/3196494.3196523
• 发表时间: 2018
• 期刊: Proceedings of the 2018 on Asia Conference on Computer and Communications Security (ASIACCS '18
• 作者: Afzali, Hammad;Torres-Arias, Santiago;Curtmola, Reza;Cappos, Justin
• 通讯作者: Cappos, Justin

Towards adding verifiability to web-based Git repositories

为基于 Web 的 Git 存储库添加可验证性

• DOI: 10.3233/jcs-191371
• 发表时间: 2020
• 期刊: Journal of Computer Security
• 影响因子: 1.2
• 作者: Afzali, Hammad;Torres-Arias, Santiago;Curtmola, Reza;Cappos, Justin
• 通讯作者: Cappos, Justin

Commit Signatures for Centralized Version Control Systems (Extended Abstract)

集中版本控制系统的提交签名（扩展摘要）

• DOI: 10.1007/978-3-030-22312-0_25
• 发表时间: 2019
• 期刊: Proceedings of the IFIP 34th International Conference on ICT Systems Security and Privacy Protection (SEC ’19
• 作者: Vaidya, Sangat;Torres-Arias, Santiago;Curtmola, Reza;Cappos, Justin
• 通讯作者: Cappos, Justin