04/66: ccs-2021: Tweak "related work", add proper references.
From: Ludovic Courtès
Subject: 04/66: ccs-2021: Tweak "related work", add proper references.
Date: Wed, 29 Jun 2022 11:31:57 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit 3f7acd45807f7e96978968503b983b50e9609d3f
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sat May 1 12:57:21 2021 +0200
ccs-2021: Tweak "related work", add proper references.
---
doc/ccs-2021/security.sbib | 32 ++++++++++++++++++
doc/ccs-2021/supply-chain.skb | 78 ++++++++++++++++++++++---------------------
2 files changed, 72 insertions(+), 38 deletions(-)
diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index 5cfbb3f..d32c5bc 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -7,6 +7,38 @@
(doi "10.1109/MS.2021.3073045")
(journal "IEEE Software"))
+(inproceedings samuel2010:survivable
+ (author "Justin Samuel and Nick Mathewson and Justin Cappos and Roger
Dingledine")
+ (title "Survivable Key Compromise in Software Update Systems") ;TUF
+ (year "2010")
+ (isbn "9781450302456")
+ (publisher "Association for Computing Machinery")
+ (address "New York, NY, USA")
+ (url "https://doi.org/10.1145/1866307.1866315")
+ (doi "10.1145/1866307.1866315")
+ (booktitle "Proceedings of the 17th ACM Conference on Computer and
Communications Security")
+ (pages "61–72")
+ (numpages "12")
+ (keywords "authentication, revocation, software updates, key management,
delegation, threshold signatures, key compromise")
+ (location "Chicago, Illinois, USA")
+ (series "CCS '10"))
+
+(misc cappos2020:tuf-spec
+ (author "Justin Cappos, Trishank Karthik Kuppusamy, Joshua Lock, Marina
Moore, Lukas Pühringer")
+ (title "The Update Framework Specification")
+ (year "2020")
+ (month "December")
+ (url "https://github.com/theupdateframework/specification/"))
+
+(inproceedings mehnert2016:conex
+ (author "Hannes Mehnert and Louis Gesbert")
+ (title "Conex — establishing trust into data repositories")
+ (booktitle "Proceedings of the ACM OCaml 2016 Workshop")
+ (conf "OCaml 2016")
+ (year "2016")
+ (month "September")
+ (url "https://github.com/hannesm/conex-paper/raw/master/paper.pdf"))
+
(inproceedings torresarias2016:omitting
(author "Santiago Torres-Arias and Anil Kumar Ammula and Reza Curtmola and
Justin Cappos")
(title "On Omitting Commits and Committing Omissions: Preventing Git Metadata
Tampering That (Re)introduces Software Vulnerabilities")
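Review bot: the `cappos2020:tuf-spec` entry cites the unversioned repository URL `https://github.com/theupdateframework/specification/`, while the prose in `supply-chain.skb` that cites it refers to "Section 1.5.2 of the spec" and "Section 3 of the spec"; the specification is a living document, so record the version or commit you actually read (a `note` field with the version and retrieval date, or a link to a tagged revision) so that those section references stay checkable. Minor: `samuel2010:survivable` carries both `(url "https://doi.org/10.1145/1866307.1866315")` and `(doi "10.1145/1866307.1866315")`, which say the same thing, so keep the `doi` and drop the `url`. The `mehnert2016:conex` entry's `raw/master/paper.pdf` link changes silently whenever that repository is updated; a retrieval date in a `note`, or a link pinned to a commit, would make that citation stable as well.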
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index a4f2fa7..c44a67e 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -847,46 +847,48 @@ rejects SHA-1 OpenPGP signatures, as recommended.]))
(chapter :title [Related Work]
:ident "related"
- (p [A lot of work has gone into securing the software supply chain,
often in
-the context of binary distros, sometimes in a more general context; more
-recent work also looks into Git authentication and related issues.
-This section attempts to summarize how Guix relates to similar work that
-we are aware of in these two areas. More detailed discussions can be
-found in the issue tracker,(footnote [https://issues.guix.gnu.org/22883]).])
-
- (p [The Update Framework,(footnote
-[https://theupdateframework.io/]) (TUF) is a reference for secure update
-systems, with a well-structured spec,(footnote
-[https://github.com/theupdateframework/specification/blob/master/tuf-spec.md#the-update-framework-specification])
-and a number of implementations. TUF is a great source of inspiration
-to think about this problem space. Many of its goals are shared by
-Guix. Not all the attacks it aims to protect against (Section 1.5.2 of
-the spec) are addressed by what’s presented in this post: ,(tt [indefinite
-freeze attacks]), where updates never become available, are not addressed
-,(emph [per se]) (though easily observable), and ,(emph [slow retrieval
attacks]) aren’t
-addressed either. The notion of ,(emph [role]) is also something currently
-missing from the Guix authentication model, where any authorized
-committer can touch any files, though the model and
+ (p [A lot of work has gone into securing the software supply
+chain, often in the context of binary distributions, sometimes in a more
+general context; more recent work also looks into Git authentication and
+related issues. This section attempts to summarize how Guix relates to
+similar work that we are aware of in these two areas. More detailed
+discussions can be found in the issue tracker,(footnote
+[https://issues.guix.gnu.org/22883]).])
+
+ ;; TODO: read issue tracker, read above
+
+ (p [The Update Framework ,(ref :bib 'samuel2010:survivable) (TUF)
+is a reference for secure update systems, with a well-structured
+specification ,(ref :bib 'cappos2020:tuf-spec) and a number of
+implementations. Many of its goals are shared by Guix. Not all the
+attacks it aims to protect against (Section 1.5.2 of the spec) are
+addressed by what’s presented in this post: ,(it [indefinite freeze
+attacks]), where updates never become available, are not addressed
+,(emph [per se]) (though easily observable), and ,(emph [slow retrieval
+attacks]) are not addressed either. The notion of ,(emph [role]) is
+also something currently missing from the Guix authentication model,
+where any authorized committer can touch any files, though the model and
,(tt [.guix-authorizations]) format leave room for such an extension.])
(p [However, both in its goals and system descriptions, TUF is
biased towards systems that distribute binaries as plain files with
-associated meta-data. That creates a fundamental impedance mismatch.
-As an example, attacks such as ,(emph [fast-forward attacks]) or ,(emph
-[mix-and-match attacks]) don’t apply in the context of Guix; likewise,
-the ,(emph [repository]) depicted in Section 3 of the spec has little in
-common with a Git repository.])
-
- (p [Developers of OPAM, the OCaml package manager, adapted TUF for
-use with their Git-based package repository,(footnote
-[http://opam.ocaml.org/blog/Signing-the-opam-repository/]), later
-updated to write Conex,(footnote [https://github.com/hannesm/conex]), a
-separate tool to authenticate OPAM repositories. OPAM is interesting
-because like Guix it’s a source distro and its package
-repository,(footnote [https://github.com/ocaml/opam-repository]) is a
-Git repository containing “build recipe”. To date, it appears that
-,(tt [opam update]) itself does not authenticate repositories though; it’s up
-to users or developer to run Conex.])
+associated meta-data. That creates a fundamental impedance mismatch
+with the functional deployment model we described in ,(numref :text
+[Section] :ident "background"). As an example, attacks such as ,(emph
+[fast-forward attacks]) or ,(emph [mix-and-match attacks]) do not apply
+in the context of Guix; likewise, the ,(emph [repository]) depicted in
+Section 3 of the spec has little in common with a Git repository.])
+
+ (p [Developers of OPAM, the package manager for the OCaml
+language, adapted TUF for use with their Git-based package repository,
+later updated to write Conex ,(ref :bib 'mehnert2016:conex), a separate
+tool to authenticate OPAM repositories. OPAM like Guix is a
+source-based distribution and its package repository is a Git repository
+containing “build recipe”. To date, it appears that ,(tt [opam update])
+itself does not authenticate repositories though; it is up to users and
+developers to run Conex.])
+
+ ;; TODO: in-toto
(p [Another interesting approach is to focus on the impact of
malicious modifications to Git repository meta-data ,(ref :bib
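Review bot: the rewritten OPAM paragraph removes the footnote `http://opam.ocaml.org/blog/Signing-the-opam-repository/` that supported the claim that OPAM developers "adapted TUF for use with their Git-based package repository" and replaces it with nothing, so that sentence is now unreferenced while Conex gets `,(ref :bib 'mehnert2016:conex)`; add a bib entry for the blog post, or cite the Conex paper for both claims if it describes the earlier design too. The TUF paragraph still reads "addressed by what's presented in this post", which no longer fits a paper; say "in this paper". Markup: `,(it [indefinite freeze attacks])` sits beside `,(emph [slow retrieval attacks])`, `,(emph [fast-forward attacks])` and `,(emph [role])`, so use `emph` for every named attack. Wording: "OPAM like Guix is a source-based distribution" needs commas ("OPAM, like Guix, is"), and "containing “build recipe”" should be plural. Finally, "To date, it appears that opam update itself does not authenticate repositories" is a dated, hedged claim; for a paper, state which OPAM version was checked and when.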
@@ -914,8 +916,8 @@ and in that sense it is not tied to Guix and its
application domain. It
is available not only for the main ,(tt [guix]) channel, but also for
third-party channels.])
- (p [To bootstrap trust, we added the notion of _channel
-introductions_. These are now visible in the user interface, in
+ (p [To bootstrap trust, we added the notion of ,(it [channel
+introductions]). These are now visible in the user interface, in
particular in the output of ,(tt [guix describe]) and in the configuration
file of ,(tt [guix pull]) and ,(tt [guix time-machine]). While channel
configuration remains a few lines of code that users typically paste,
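Review bot: `,(it [channel introductions])` marks a term being introduced with the purely visual `it`, whereas the TUF paragraph earlier in this patch marks the same kind of defined term (`role`, `fast-forward attacks`, `repository`) with the semantic `emph`; prefer `,(emph [channel introductions])` so the markup carries one meaning throughout the chapter.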