how is software made
play

How is software made? 2 A stylized software supply chain test - PowerPoint PPT Presentation

Jun 13, 2023 •213 likes •495 views

in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Phringer , Reza Curtmola, Justin Cappos How is software made? 2 A stylized software supply chain test code build package 3 Attackers can

  1. in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Pühringer , Reza Curtmola, Justin Cappos

  2. How is software made? 2

  3. A stylized software supply chain test code build package 3

  4. Attackers can hack the software supply chain test code build package 4

  5. Attackers do hack the software supply chain 5

  6. Attackers do hack the software supply chain 6

  7. Attackers do hack the software supply chain 7

  8. Attackers do hack the software supply chain 8

  9. Attackers do hack the software supply chain 9

  10. How can we fix this? 10

  11. Many good point solutions test code build package 11

  12. Many good point solutions test → git signing, reference state log [Torres USENIX Sec 16] , ... code build package 12

  13. Many good point solutions test → git signing, reference state log [Torres USENIX Sec 16] , ... code build package → TPMs, HSMs, reproducible builds, ... 13

  14. Many good point solutions test → git signing, reference state log [Torres USENIX Sec 16] , ... → TLS, GPG, TUF code build package → TPMs, HSMs, reproducible builds, ... 14

  15. Fixed? 15

  16. Gaps between steps? Compliance? test code build package 16

  17. We want to secure the complete Software Supply Chain! → Verifiably define the steps of the software supply chain → Verifiably define the authorized actors → Guarantee that everything happens according to definition, and nothing else 17

  18. in-toto -- Project Definition -- Steps { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } }, "signatures": [...], "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } 18

  19. in-toto -- Project Definition -- Functionaries Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 19

  20. in-toto -- Project Definition -- Materials/Products Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 20

  21. in-toto -- Project Definition -- Rules Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 21

  22. in-toto -- Project Definition -- Signed Alice Dave { "_type": "layout", "expires":"2017-08-31T12:44:15Z", "keys": { "0c6c50": { ... } Bob }, "signatures": [...], Erin "steps": [{ "_type": "step", "name": "checkout-code", "expected_command": ["git", "clone", "..."], "expected_materials": [], "expected_products": [ ["CREATE", "demo-project/foo.py"], ...], "pubkeys": ["0c6c50..."], "threshold": 1 }, ...], "inspections": [...] } Carol 22

  23. in-toto -- Signed Evidence for each Step $ in-toto-run -- ./do-the-supply-chain-step { { { { "_type": "Link", "_type": "Link", "_type": "Link", "_type": "Link", "name": "code", "name": "build", "name": "build", "name": "build", "byproducts": "byproducts": "byproducts": "byproducts": {"stderr": "", "stdout": {"stderr": "", "stdout": {"stderr": "", "stdout": {"stderr": "", "stdout": ""}, ""}, ""}, ""}, "command": [...], "command": [...], "command": [...], "command": [...], "materials": {}, "materials": {...}, "materials": {}, "materials": {}, "products": { "products": { "products": { "products": { "foo": {"sha256": "foo": {"sha256": "foo": {"sha256": "in-toto/.git/HEAD": "..."}}, "..."}}, "..."}}, {"sha256": "..."}}, "return_value": 0, "return_value": 0, "return_value": 0, "return_value": 0, "signatures": [...] "signatures": [...] "signatures": [...] "signatures": [...] } } } } 23

  24. DEMO: Grep -- Debian’ized & in-toto’ized fetch extract modify build (dget) (dpkg-source) ( interactive ) (dpkg-buildpackage) 24

  25. DEMO: Grep -- Debian’ized & in-toto’ized $ in-toto-run <opts> -- dget http://cdn.debian.net/debian/pool/main/g/grep/grep_2.12-2.dsc $ in-toto-run <opts> -- dpkg-source -x grep_2.12-2.dsc $ cd grep-2.12 $ in-toto-record start <opts> $ dch -i $ vi debian/rules $ in-toto-record stop <opts> $ in-toto-run <opts> -- dpkg-buildpackage -us -uc $ in-toto-verify --layout-keys <key> --layout grep_2.12-2.layout → goo.gl/hgPMHA (demo screencast + demo metadata) 25

  26. DEMO: Grep -- Debian’ized & in-toto’ized fetch extract modify build (dget) (dpkg-source) ( interactive ) (dpkg-buildpackage) 26

  27. Layout wizard (sneak preview) 27

  28. Thank You! Questions? https://in-toto.io/ jcappos@nyu.edu 28

Recommend

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made

Developing Multilingual Web Services in Agile Software Teams The Software-Cluster. Software made in Germany for the Future Economy Alexandra Weissgerber Software AG MultilingualWeb Workshop 2011, 05 April 2011 Project Context 5 Projects

338 views • 12 slides
MADe SOFTWARE HUMS Avalon 2009 Background PHM Technology is an Australian company focused

MADe SOFTWARE HUMS Avalon 2009 Background PHM Technology is an Australian company focused

INTRODUCTION TO MADe SOFTWARE HUMS Avalon 2009 Background PHM Technology is an Australian company focused on advanced engineering applications. The Maintenance Aware Design environment (MADe) is a software tool that

332 views • 11 slides
Refactoring Noun: A change made to the internal structure of Refactoring software to make

Refactoring Noun: A change made to the internal structure of Refactoring software to make

Refactoring Noun: A change made to the internal structure of Refactoring software to make it easier to understand and cheaper to modify without changing its observable behaviour Verb: To restructure software by applying a series

204 views • 4 slides
Tailor-S: Look What You Made Me Do! Vadim Semenov Software Engineer @ Datadog

Tailor-S: Look What You Made Me Do! Vadim Semenov Software Engineer @ Datadog

Tailor-S: Look What You Made Me Do! Vadim Semenov Software Engineer @ Datadog vadim@datadoghq.com 1 2 3 4 5 Table of contents 1. The original system and issues with it 2. Requirements for the new system 3. Decoupling of state and

2.14k views • 148 slides
Software Engineering CSE435

Software Engineering CSE435

Name: Project: Deliverable: SRS, Rev3 (changes made to address customers feedback); Prototype, v3 (incorporate feedback from customer); presentation; video (EC) Date: 12/15/16 Software Engineering CSE435

65 views • 3 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 8 January 2019 OSU CSE 1 Restated Learning Outcomes Theme 1: software engineering concepts Be familiar with sound software engineering

535 views • 17 slides
humane assessment is a novel method for software engineering decision making. it is relevant

humane assessment is a novel method for software engineering decision making. it is relevant

humane assessment is a novel method for software engineering decision making. it is relevant for any software development project written in any programming language. it is made practical by the Moose analysis platform.

212 views • 3 slides
Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An introduction to creating electronic presentations using Microsoft PowerPoint 2010 ABT COLLABORATIVE BCCAMPUS Except for third party materials and

1.7k views • 94 slides
Welcome HILT is made possible by HILT is made possible by HILT is made possible by University

Welcome HILT is made possible by HILT is made possible by HILT is made possible by University

Welcome HILT is made possible by HILT is made possible by HILT is made possible by University Library Logistics Coffee Break Ashby Reading Room 2nd floor inside Philanthropy Library University Library Meals Tower Dining University

850 views • 27 slides
AKVIS PHOTO PROCESSING SOFTWARE AKVIS PHOTO PROCESSING SOFTWARE AKVIS AirBrush automatically

AKVIS PHOTO PROCESSING SOFTWARE AKVIS PHOTO PROCESSING SOFTWARE AKVIS AirBrush automatically

AKVIS PHOTO PROCESSING SOFTWARE AKVIS PHOTO PROCESSING SOFTWARE AKVIS AirBrush automatically transforms a photograph into a work of art which looks like made with a special airbrush tool that sprays paints or inks AKVIS ArtSuite is an

132 views • 9 slides
Fault tolerance made easy A head-start to resilient software design Uwe Friedrichsen (codecentric

Fault tolerance made easy A head-start to resilient software design Uwe Friedrichsen (codecentric

Fault tolerance made easy A head-start to resilient software design Uwe Friedrichsen (codecentric AG) QCon London 5. March 2014 @ufried Uwe Friedrichsen | uwe.friedrichsen@codecentric.de | http://slideshare.net/ufried |

705 views • 53 slides
Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview

Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview

Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview Microservices refresher Microservices and versioning What are Monorepos and why use them? These two concepts seem to contradict why

1.08k views • 23 slides
paranormal interactivity led mec heht gewyrcan led ordered me to be made Hello

paranormal interactivity led mec heht gewyrcan led ordered me to be made Hello

paranormal interactivity led mec heht gewyrcan led ordered me to be made Hello Jeremy I'm Little MOO - the bit of software that will be managing your order with us. It will shortly be sent to Big MOO, our print machine who will

1.21k views • 72 slides
ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan, create, manage, analyze and report agricultural experiments 2 ARM Software Overview Why use ARM Software? ARM provides: Resulting benefits

542 views • 9 slides
For whom is it made? It is made for foreigners immigrants in Italy, especially for newly arrived

For whom is it made? It is made for foreigners immigrants in Italy, especially for newly arrived

Created by Edizioni La Linea for the Metropolitan CPIA of Bologna as part of the FAMI 2014-2020 project Futuro in corso You can download for free from Google Play . For whom is it made? It is made for foreigners immigrants in Italy,

445 views • 27 slides
KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we create new software development solutions for projects with sizable data requirements. Having a background in mining industry, KAI Software have

267 views • 26 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 7 January 2020 OSU CSE 1 Welcome to CSE 2231! Class attendance is required . You will be allowed 4 lecture absences and 4 lab

863 views • 7 slides
Lecture 02: Unix Filesystem APIs Software layered over hardware, filesystem API calls

Lecture 02: Unix Filesystem APIs Software layered over hardware, filesystem API calls

Lecture 02: Unix Filesystem APIs Software layered over hardware, filesystem API calls First off, we'll take a first pass at understanding how the physical hardware of a disk drive can be made to look like software to store traditional

517 views • 19 slides
Thorium desktop reader app made with the Readium SDK Desktop reader app

Thorium desktop reader app made with the Readium SDK Desktop reader app

Thorium desktop reader app made with the Readium SDK Desktop reader app Windows Mac Linux Free (of charge) Free (Open Source Software) Developed by EDRLab A Few Key Features Accessible User Interface

793 views • 50 slides
Introducing Software Software Applications A.Y. 2020/2021 What is software? What is software?

Introducing Software Software Applications A.Y. 2020/2021 What is software? What is software?

Introducing Software Software Applications A.Y. 2020/2021 What is software? What is software? - Nave answer: anything that is not hardware - A collection of data or computer instructions that tell the computer how to work, in contrast to

1.72k views • 32 slides
Office 365 Reporting Made Easy Product Presentation Acceleratio Ltd. Who we are? Acceleratio is

Office 365 Reporting Made Easy Product Presentation Acceleratio Ltd. Who we are? Acceleratio is

Office 365 Reporting Made Easy Product Presentation Acceleratio Ltd. Who we are? Acceleratio is a software Acceleratio specializes in developing development company high-quality enterprise applications and based in Zagreb, Croatia, providing

483 views • 21 slides
B U Y I N G Q U A L .. I T Y SOFTWARE by HENRY OLDERS presented at SOFTWARE '77 -~ B U Y I

B U Y I N G Q U A L .. I T Y SOFTWARE by HENRY OLDERS presented at SOFTWARE '77 -~ B U Y I

B U Y I N G Q U A L .. I T Y SOFTWARE by HENRY OLDERS presented at SOFTWARE '77 -~ B U Y I N G QUALITY SOFTWARE The author describes his experiences in purchasing applications software for real time process control systems.

641 views • 4 slides
Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of software engineering Types of software The nature of software Software history and the software crisis Software quality Elements of

818 views • 67 slides
ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint

ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint

ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint Software was created because there was no software that was easy to implement for managing and distributing leads and phone calls. The process was

225 views • 11 slides

More recommend