Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native Wasm Day NA 2022 / 2 Nov 2022
Cloud Native Computing Foundation / Cloud Native Wasm Day NA 2022 / 2 Nov 2022
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: SIG-Registries and Standardizing Package Management in...Bailey Hayes and Kyle Brown

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: SIG-Registries and Standardizing Package Management in WebAssembly - Bailey Hayes, Cosmonic and Kyle Brown, SingleStore

A

Our goal is to eventually provide a bicotal lines instance, so that we have a set of building blocks of canonical components that everyone is able to extend and build on top of. But we don't just stop there. We want to make it so that we can collaborate across different instances so that maybe an individual company is able to host their own private components, and we can also foresee several different communities out there that um build, for example, specifically Envoy.

A

We already have a webassembly hub for Envoy and with that there's use cases that are very specific to their community. So if you can imagine several other different communities might exist like plasm cloud.

B

And single stores user find functions.

A

So, let's take an example of I: have a company called acne and I also am working with in the envoy ecosystem? My business wants to write an authorization. Library I've got a lot of specific business rules in there and Envoy gives me a lot of cool out of the box. Http filters like open tracing now. Both of these components will probably need another key building block. This is a hypothetical one.

A

Everybody that's working at this level probably needs to be able to decode URLs, so let's provide a common component called URL that both of these are able to build on top of now, once we have that, how do we know where we're working in what defines an HTTP proxy Luke introduced this concept of Worlds earlier?

A

So, let's imagine that this works like a Lego base plate that we're able to build on top of and assemble these components that Define the ecosystem that I want to be able to have a sidecar proxy, that's running with authorization and open tracing. That's the entire idea behind our our protocol and apis for worg. Now those are the first two key features that we want to provide, but there's one that's incredibly important that Kyle's going to share.

B

So we just talked about component orientation. You know working with the component model and what how that lets us build building blocks and a little bit about sort of federation and the way these can interoperate between different registry instances, I'm going to talk a little bit about how we can some ideas that we can steal from significant revocation transparency and what that lets us do so. First, we're going to go over a little bit of background instrument, transparency when a CA issues a certificate.

B

It actually makes a record that it did so in an immutable log. That requires it to make a public commitment to all of this, and you can check using the root of the log that any given entry was included. There's also a structure called a verifiable map which is used to track replications.

B

It's indexed by the certificate, so you can look up for given certificate very efficiently, hasn't been revoked, which you can't do by traversing a log that's on, so we can sort of generalize these into a data structure called a log-backed map where we have this idea that the backing log stores a all of the changes to the map right so for this certificate it was issued for the certificate it was revoked and the map essentially has the current state of everything right and that's how you look up.

B

What's it like right now, in addition to what the history was, um and this data structure is really useful and we're going to borrow it in a second so now the question is: how can we make a registry that says transparent as a CA and Achieve package transparency as we're calling it?

B

The first thing is that we make the state of every package a log with events that cover things from the initial creation of that package. To you know adding and removing maintainers. You know releasing and sort of unreleasing different versions of the package and potentially annotating the log with other information and auditing data.

B

Then what we do is we combine all of the logs for each interval package into an overall log-backed map where at any given point in time, the state of the map is the head entry of every package log, that's like an index into all these little logs and the backing log actually stores a reference to every entry for every package, and that means that at any point in time in the system, with these vertical lines here right, they represent the system at different points in time.

B

There's a root Hash a signed root, hash for the login map that represents system at that time, and if you have that, there's some cool things you can prove and it sort of encode the state and, for example, you can take the state at slice three and at slice six, and you can cryptographically verify that everything in sick everything that was in three is in six.

B

So what does transparency give us? One of our scenarios is that transparency helps us manage vulnerabilities and incidences if we have a simple registry that has just one package in it. This lib URL package we're talking about before it has one release.

B

It might look like this and if you have another package, this authorization package that's being used to have this custom business Logic for our Acme company, then maybe they have a release, that's dependent on lib URL like we're just talking about, but if something goes wrong, we find a vulnerability in lib URL, there's a potential that we'll be able to put an audit entry in its logs that everybody can tell. We found something and correspondingly we expect that you know you probably put that same a very similar entry on the dependent package.

B

It has the same problem now, because the maintainers of URL are good people and they're doing good work, they're going to release a new patch and yank, which is sort of our term for unreleasing marking, something is not fit for use. uh The bad version and off the office package will do the same right. We expect that you would say: okay, cool. Here's our new version that doesn't have the problem.

B

If it happens, most of them will be able to pass the next round of audits that come their way, and all of this will be observable in the log uh as planned. That gives us a really good insight into exactly what happened and how it was responded to.

B

The other thing that we can do with this level of transparency is detect operators that are compromised and begin to behave badly. That begin to act maliciously, when you download a package like this authorization package, you get all the records for that package as well as that route.

B

I keep talking about for the state of the system at the point in time you queried it, then what you can do is- and these are now the Bold lines you see here right that I just added are represent these proofs that we can construct fairly efficiently to show that all the package entries that we see here were in the log that everybody else is seeing them to if they have a route, that's compatible with ours, and this is part of this idea that we have about making it so that if a registry lies about anything, has to lie about everything right.

B

That's sort of the fundamental idea here to change the state of one of these package entries I have to lie about the entire state of my system and that's really easy to catch.

B

um So let's say that the operator is compromised, and so now it's somebody got the keys to the kingdom right. They can sign things on behalf of the operator of this registry, um so what they might be able to do then, is start lying to you.

B

So the next time you ask them, you say: hey I, want to know more about this open Telemetry package right, give me its data, you get all the logs for it and you get a new route for the system, but maybe it lied about what used to be in the log there.

B

Maybe it's actually tried to change history on you in order to do that, it had to commit to a new route, the new that has this lie embedded in it, and what we will find is that, while that package entry is included in that route, it's part of the lie and those are consistent.

B

What isn't consistent is the old Route with the new root and the old Route, with this new package element and the client can easily detect the malfeasance that's occurred here, so really excited about sort of bringing state of the art in transparency to package Registries in a way that um I, don't think, we've ever seen before.

A

So we obviously gained a lot of inspiration from many other existing projects, but it doesn't stop there.

A

Worg itself is going to be an open API built on Open Standards, and so what we hope to see and kind of expect to see is that many of these existing projects will Implement work so that we can bring an entire set of projects and ecosystems into a world where we can build with components. Now our our entire tenants behind all of this right is to provide components, give a way for interoperability across Registries and Federation and to provide package transparency.

A

One of the key reasons why everybody is so excited about webassembly is the principle of security, has been something that has been a key part of the the language and later the ecosystem, and so this is really just an extension of that. We want to make it so that everybody has a bucket of Lego bricks that they're able to build on top of that creates an entire new ecosystem. So thank you.

B

Thanks.