04/66: ccs-2021: Tweak "related work", add proper references.


From: Ludovic Courtès
Subject: 04/66: ccs-2021: Tweak "related work", add proper references.
Date: Wed, 29 Jun 2022 11:31:57 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 3f7acd45807f7e96978968503b983b50e9609d3f
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sat May 1 12:57:21 2021 +0200

    ccs-2021: Tweak "related work", add proper references.
---
 doc/ccs-2021/security.sbib    | 32 ++++++++++++++++++
 doc/ccs-2021/supply-chain.skb | 78 ++++++++++++++++++++++---------------------
 2 files changed, 72 insertions(+), 38 deletions(-)

diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index 5cfbb3f..d32c5bc 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -7,6 +7,38 @@
   (doi "10.1109/MS.2021.3073045")
   (journal "IEEE Software"))
 
+(inproceedings samuel2010:survivable
+  (author "Justin Samuel and Nick Mathewson and Justin Cappos and Roger 
Dingledine")
+  (title "Survivable Key Compromise in Software Update Systems")  ;TUF
+  (year "2010")
+  (isbn "9781450302456")
+  (publisher "Association for Computing Machinery")
+  (address "New York, NY, USA")
+  (url "https://doi.org/10.1145/1866307.1866315";)
+  (doi "10.1145/1866307.1866315")
+  (booktitle "Proceedings of the 17th ACM Conference on Computer and 
Communications Security")
+  (pages "61–72")
+  (numpages "12")
+  (keywords "authentication, revocation, software updates, key management, 
delegation, threshold signatures, key compromise")
+  (location "Chicago, Illinois, USA")
+  (series "CCS '10"))
+
+(misc cappos2020:tuf-spec
+  (author "Justin Cappos, Trishank Karthik Kuppusamy, Joshua Lock, Marina 
Moore, Lukas Pühringer")
+  (title "The Update Framework Specification")
+  (year "2020")
+  (month "December")
+  (url "https://github.com/theupdateframework/specification/";))
+
+(inproceedings mehnert2016:conex
+  (author "Hannes Mehnert and Louis Gesbert")
+  (title "Conex — establishing trust into data repositories")
+  (booktitle "Proceedings of the ACM OCaml 2016 Workshop")
+  (conf "OCaml 2016")
+  (year "2016")
+  (month "September")
+  (url "https://github.com/hannesm/conex-paper/raw/master/paper.pdf";))
+
 (inproceedings torresarias2016:omitting
 (author "Santiago Torres-Arias and Anil Kumar Ammula and Reza Curtmola and 
Justin Cappos")
 (title "On Omitting Commits and Committing Omissions: Preventing Git Metadata 
Tampering That (Re)introduces Software Vulnerabilities")
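Review bot: every `url` field in this hunk shows a `;` between the closing quote and the closing paren, e.g. `(url "https://doi.org/10.1145/1866307.1866315";)`; in Scheme-style syntax `;` starts a comment that would swallow the `)` and break the entry, so confirm the committed file does not carry it and that it is only an artifact of the list archive's URL rendering. Also, `cappos2020:tuf-spec` separates authors with commas while the other entries (`samuel2010:survivable`, `torresarias2016:omitting`) use `and`; use `and` here too so author lists render consistently.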
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index a4f2fa7..c44a67e 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -847,46 +847,48 @@ rejects SHA-1 OpenPGP signatures, as recommended.]))
    (chapter :title [Related Work]
       :ident "related"
       
-      (p [A lot of work has gone into securing the software supply chain, 
often in
-the context of binary distros, sometimes in a more general context; more
-recent work also looks into Git authentication and related issues.
-This section attempts to summarize how Guix relates to similar work that
-we are aware of in these two areas.  More detailed discussions can be
-found in the issue tracker,(footnote [https://issues.guix.gnu.org/22883]).])
-
-      (p [The Update Framework,(footnote
-[https://theupdateframework.io/]) (TUF) is a reference for secure update
-systems, with a well-structured spec,(footnote
-[https://github.com/theupdateframework/specification/blob/master/tuf-spec.md#the-update-framework-specification])
-and a number of implementations.  TUF is a great source of inspiration
-to think about this problem space.  Many of its goals are shared by
-Guix.  Not all the attacks it aims to protect against (Section 1.5.2 of
-the spec) are addressed by what’s presented in this post: ,(tt [indefinite
-freeze attacks]), where updates never become available, are not addressed
-,(emph [per se]) (though easily observable), and ,(emph [slow retrieval 
attacks]) aren’t
-addressed either.  The notion of ,(emph [role]) is also something currently
-missing from the Guix authentication model, where any authorized
-committer can touch any files, though the model and
+      (p [A lot of work has gone into securing the software supply
+chain, often in the context of binary distributions, sometimes in a more
+general context; more recent work also looks into Git authentication and
+related issues.  This section attempts to summarize how Guix relates to
+similar work that we are aware of in these two areas.  More detailed
+discussions can be found in the issue tracker,(footnote
+[https://issues.guix.gnu.org/22883]).])
+      
+      ;; TODO: read issue tracker, read above
+
+      (p [The Update Framework ,(ref :bib 'samuel2010:survivable) (TUF)
+is a reference for secure update systems, with a well-structured
+specification ,(ref :bib 'cappos2020:tuf-spec) and a number of
+implementations.  Many of its goals are shared by Guix.  Not all the
+attacks it aims to protect against (Section 1.5.2 of the spec) are
+addressed by what’s presented in this post: ,(it [indefinite freeze
+attacks]), where updates never become available, are not addressed
+,(emph [per se]) (though easily observable), and ,(emph [slow retrieval
+attacks]) are not addressed either.  The notion of ,(emph [role]) is
+also something currently missing from the Guix authentication model,
+where any authorized committer can touch any files, though the model and
 ,(tt [.guix-authorizations]) format leave room for such an extension.])
 
       (p [However, both in its goals and system descriptions, TUF is
 biased towards systems that distribute binaries as plain files with
-associated meta-data.  That creates a fundamental impedance mismatch.
-As an example, attacks such as ,(emph [fast-forward attacks]) or ,(emph
-[mix-and-match attacks]) don’t apply in the context of Guix; likewise,
-the ,(emph [repository]) depicted in Section 3 of the spec has little in
-common with a Git repository.])
-
-      (p [Developers of OPAM, the OCaml package manager, adapted TUF for
-use with their Git-based package repository,(footnote
-[http://opam.ocaml.org/blog/Signing-the-opam-repository/]), later
-updated to write Conex,(footnote [https://github.com/hannesm/conex]), a
-separate tool to authenticate OPAM repositories.  OPAM is interesting
-because like Guix it’s a source distro and its package
-repository,(footnote [https://github.com/ocaml/opam-repository]) is a
-Git repository containing “build recipe”.  To date, it appears that
-,(tt [opam update]) itself does not authenticate repositories though; it’s up
-to users or developer to run Conex.])
+associated meta-data.  That creates a fundamental impedance mismatch
+with the functional deployment model we described in ,(numref :text
+[Section] :ident "background").  As an example, attacks such as ,(emph
+[fast-forward attacks]) or ,(emph [mix-and-match attacks]) do not apply
+in the context of Guix; likewise, the ,(emph [repository]) depicted in
+Section 3 of the spec has little in common with a Git repository.])
+
+      (p [Developers of OPAM, the package manager for the OCaml
+language, adapted TUF for use with their Git-based package repository,
+later updated to write Conex ,(ref :bib 'mehnert2016:conex), a separate
+tool to authenticate OPAM repositories.  OPAM like Guix is a
+source-based distribution and its package repository is a Git repository
+containing “build recipe”.  To date, it appears that ,(tt [opam update])
+itself does not authenticate repositories though; it is up to users and
+developers to run Conex.])
+      
+      ;; TODO: in-toto
 
       (p [Another interesting approach is to focus on the impact of
 malicious modifications to Git repository meta-data ,(ref :bib
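Review bot: the rewritten OPAM paragraph drops the footnote to the opam-repository signing blog post (http://opam.ocaml.org/blog/Signing-the-opam-repository/) and the opam-repository link without replacing them with `ref :bib` entries, so the claim that OPAM developers "adapted TUF for use with their Git-based package repository" is now unreferenced; add a bibliography entry for that post in security.sbib and cite it here. Smaller points in the same hunk: `,(it [indefinite freeze attacks])` sits in the same sentence as `,(emph [slow retrieval attacks])` and `,(emph [role])`, so one markup should be used for all three; `containing “build recipe”` should read `containing “build recipes”`; `OPAM like Guix is a source-based distribution` wants commas (`OPAM, like Guix, is ...`); and the two `;; TODO` comments are fine as placeholders but should be resolved before the draft is final.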
@@ -914,8 +916,8 @@ and in that sense it is not tied to Guix and its 
application domain.  It
 is available not only for the main ,(tt [guix]) channel, but also for
 third-party channels.])
 
-      (p [To bootstrap trust, we added the notion of _channel
-introductions_.  These are now visible in the user interface, in
+      (p [To bootstrap trust, we added the notion of ,(it [channel
+introductions]).  These are now visible in the user interface, in
 particular in the output of ,(tt [guix describe]) and in the configuration
 file of ,(tt [guix pull]) and ,(tt [guix time-machine]).  While channel
 configuration remains a few lines of code that users typically paste,
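Review bot: replacing `_channel introductions_`, which is not Skribilo syntax and would appear verbatim in the output, with `,(it [channel introductions])` fixes the rendering, but the rest of this document marks terms being introduced with `,(emph [...])` (`,(emph [role])`, `,(emph [repository])`), so consider `emph` here too for consistent output.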
