guix-commits

07/66: ccs-2021: Discuss in-toto in "Related Work".


From: Ludovic Courtès
Subject: 07/66: ccs-2021: Discuss in-toto in "Related Work".
Date: Wed, 29 Jun 2022 11:31:57 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit c8ab0dc52ac16c80d46be0bdb770639f3ee4b48d
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon May 3 10:40:54 2021 +0200

    ccs-2021: Discuss in-toto in "Related Work".
---
 doc/ccs-2021/supply-chain.skb | 62 ++++++++++++++++++++++++++-----------------
 1 file changed, 37 insertions(+), 25 deletions(-)

diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index c9e11e1..997fce5 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -218,7 +218,7 @@ software packages.  GNU Guix,(footnote (url 
"https://guix.gnu.org";)) is
 primarily a ,(emph [functional]) package manager that builds upon the
 ideas developed for Nix by Dolstra ,(it [et al.]) ,(ref :bib
 '(dolstra2004:nix courtes2013:functional)).  The term “functional” means
-that software build processes are considered as pure functions: given a
+that software build processes are considered as ,(emph [pure functions]): 
given a
 set of inputs (compiler, libraries, build scripts, and so on), a
 package’s build function is assumed to always produce the same result.
 Build results are stored in an immutable persistent data structure, the
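Review bot: the added line ending in ",(emph [pure functions]): given a" is about 81 columns wide, while the rest of this paragraph is filled to roughly 72. Refill the paragraph so the source stays consistently wrapped; the emphasis change itself is fine.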
@@ -229,7 +229,9 @@ For example, ,(tt [/gnu/store/yr9rk90jf…-gcc-10.3.0]) 
identifies a
 specific build of GCC 10.3.  A variant of GCC 10.3, for instance one
 using different build options or different dependencies, would get a
 different hash.  Thus, each store file name uniquely identifies build
-results, and build processes are ,(emph [referentially transparent]).])
+results.  This model is the foundation of ,(emph [end-to-end provenance
+tracking]): Guix records and uniquely identifies the inputs leading to
+build results available in ,(tt [/gnu/store]).])
       (p [Guix, like Nix and unlike Debian or Fedora, is essentially a
 ,(emph [source-based distribution]): Guix package definitions describe
 how to build packages from source.  When running a command such as ,(tt
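Review bot: the term introduced with emphasis here, "end-to-end provenance tracking", is not the one used in the new Related Work text, which says "Complete provenance tracking" and "source-to-binary tracking". Pick one term and reuse it so the reader can tell the later paragraphs refer back to this definition. It would also help to state in the added sentence that the store file name hash is what records the inputs, since the unchanged sentence just before it only says the name "uniquely identifies build results".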
@@ -721,7 +723,7 @@ OpenPGP signatures, as recommended ,(ref :bib 
'leurent2020:shambles).]))
         (p [The core idea, the authorization invariant, is simple to
 understand and its implementation can be relatively simple, too—a good
 property for security-sensitive code.  However, with more than a
-thousand commit pushed to Guix every month, users may often find
+thousand commits pushed to Guix every month, users may often find
 themselves authenticating hundreds of commits when running ,(tt [guix
 pull]).  The implementation must be able to perform well.])
       
@@ -847,14 +849,10 @@ precondition, as explained above.])))
       
       (p [A lot of work has gone into securing the software supply
 chain, often in the context of binary distributions, sometimes in a more
-general context; more recent work also looks into Git authentication and
+general context; recent work also looks into Git authentication and
 related issues.  This section attempts to summarize how Guix relates to
-similar work that we are aware of in these two areas.  More detailed
-discussions can be found in the issue tracker,(footnote
-[https://issues.guix.gnu.org/22883]).])
+similar work that we are aware of in these two areas.])
       
-      ;; TODO: read issue tracker, read above
-
       (p [The Update Framework ,(ref :bib 'samuel2010:survivable) (TUF)
 is a reference for secure update systems, with a well-structured
 specification ,(ref :bib 'cappos2020:tuf-spec) and a number of
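Review bot: removing the footnote to https://issues.guix.gnu.org/22883 drops this paragraph's only pointer to the more detailed discussion. If that is not deliberate (space or anonymization for submission), consider keeping it as a footnote or a bibliography entry. Separately, "in these two areas" follows a sentence that names binary distributions, "a more general context", and Git authentication, so it is worth saying explicitly which two areas are meant.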
@@ -886,20 +884,36 @@ containing “build recipe”.  To date, it appears that ,(tt 
[opam update])
 itself does not authenticate repositories though; it is up to users and
 developers to run Conex.])
       
-      ;; TODO: in-toto
-
-      (p [Another interesting approach is to focus on the impact of
-malicious modifications to Git repository meta-data ,(ref :bib
-"torresarias2016:omitting").  An attacker with access to the repository
-can modify, for instance, branch references, to cause a rollback attack
-or a “teleport” attack, causing users to pull an older commit or an
-unrelated commit.  As written above, ,(tt [guix pull]) would detect such
-attacks.  However, ,(tt [guix pull]) would fail to detect cases where
-metadata modification does not yield a rollback or teleport, yet gives
-users a different view than the intended one—for instance, a user is
-directed to an authentic but different branch rather than the intended
-one.  The “secure push” operation and the associated ,(emph [reference
-state log]) (RSL) the authors propose would be an improvement.]))
+      (p [The in-toto framework can be thought of as a generalization of
+TUF; it aims at ensuring the integrity of complete software supply
+chains, taking into accounts the different steps that comprise software
+supply chains in widespread use such as Debian’s ,(ref :bib
+'torresarias2019:intoto).  In particular, it focuses on ,(emph [artifact
+flow integrity])—that artifacts created by a step cannot be altered
+before the next step.])
+
+      (p [Thanks the functional deployment model, Guix has end-to-end
+control over artifact flow, from source code to binaries delivered to
+users.  Complete provenance tracking gives anyone the ability to ,(emph
+[verify]) the source-to-binary tracking, or to simply not use the
+project’s official binaries, as discussed in ,(numref :text [Section]
+:ident "background").  Conversely, in-toto’s approach to artifact flow
+integrity assumes a relative disconnect between steps that makes
+verification hard in the first place.  In a sense, in-toto addresses
+non-verifiability through attestation.])
+
+      (p [Earlier work focuses on the impact of malicious modifications
+to Git repository meta-data ,(ref :bib "torresarias2016:omitting").  An
+attacker with access to the repository can modify, for instance, branch
+references, to cause a rollback attack or a “teleport” attack, causing
+users to pull an older commit or an unrelated commit.  As written above,
+,(tt [guix pull]) would detect such attacks.  However, ,(tt [guix pull])
+would fail to detect cases where metadata modification does not yield a
+rollback or teleport, yet gives users a different view than the intended
+one—for instance, a user is directed to an authentic but different
+branch rather than the intended one.  The “secure push” operation and
+the associated ,(emph [reference state log]) (RSL) the authors propose
+would be an improvement.]))
 
    (chapter :title [Conclusion and outlook]
       :ident "conclusion"
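Review bot: two typos in the added in-toto paragraphs: "taking into accounts" should be "taking into account", and "Thanks the functional deployment model" should be "Thanks to the functional deployment model". The citation ,(ref :bib 'torresarias2019:intoto) is placed right after "Debian’s", so it reads as a reference for Debian's supply chain rather than for in-toto; moving it next to "The in-toto framework" would attach it to the right subject. "verify the source-to-binary tracking" is awkward as well (one verifies a correspondence, not the tracking), and the closing claim "in-toto addresses non-verifiability through attestation" would be easier to evaluate with a clause saying what is attested and by whom.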
@@ -936,8 +950,6 @@ possibly allowing users to register those when they first 
pull from the
 channel.  All this requires more thought, but it looks like there are
 new opportunities here.]))
    
-   ;; in-toto: 
https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias
-   
    (!latex "\n\\newpage\n\\balance\n")
    (references))
    
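Review bot: the comment removed here held the USENIX URL for the in-toto paper, and the Related Work hunk now cites the key 'torresarias2019:intoto, yet the diffstat lists only doc/ccs-2021/supply-chain.skb as changed. Confirm that the bibliography already has an entry under that key; otherwise the new ,(ref :bib …) will not resolve and the URL should move into a bibliography entry in this same commit.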


