End-to-end Supply Chain Integrity – Stian Kristoffersen

Описание: Software Supply Chain Security is an area in active development. A number of tools and standards have emerged in the last few years, including Sigstore, SLSA, in-toto, and TUF. In this talk we’ll focus on achieving integrity from source code being produced to a finished package being consumed.

We’ll introduce the existing concepts and tools and show how they can be used to secure a project we plan to open source. We’ll look at how they are being used to improve integrity in projects like NPM and Homebrew. We’ll then propose some new concepts and tools to fill in a few of the remaining gaps around source integrity and key distribution.

gitverify is a new tool to verify the integrity of Git repositories, including Git signatures. It doesn’t change how Git works or add state to the repository, but can restrict which of the normal flows are allowed, including which keys are accepted. It can help mitigate rogue/compromised forges as well as accidentally including changes from the wrong users in a PR.

gitrelease is a new tool to create an in-toto attestation, tag.link, when tagging a release. The attestation is crafted to add assurance on top of gitverify: including threshold signatures, ordering of releases, and mitigating a subset of rollback, deletion and teleportation attacks. Both gitrelease and gitverify make use of SHA-256 to strengthen Git repositories that use SHA-1. The tag.link attestation can be stored in both the repository and Sigstore.

We’ll wrap things up by proposing a way to do developer key distribution and establish a root of trust for a project. It uses a slightly modified TUF to delegate trust to gitverify and the other components of the release pipeline.

Stian Kristoffersen:
Stian is a Lead Security Engineer at Telenor where he works on Software Supply Chain Security. He has more than 10 years of experience as a security and software engineer. Previous BSides Oslo talks: “Unexpected Ways to Distribute Python Packages” (2023), “Practical Kubernetes Security at Scale” (2022), and “Dependency Confusion Deep Dive” (2021).

------

BSides Oslo is an independent, community-driven inclusive information security conference. As a part of the global Security BSides network, the conference creates a space for members of the international and local information security communities to come together and share their knowledge and experiences. BSides Oslo is intended for anyone who works with, studies or has an in interest in infosec.