Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2020 - Virtual / 4 Sep 2020
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2020 - Virtual / 4 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: in-toto: Securing the Entire Software Supply Chain - Santiago Torres, NYU

Description

Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

in-toto: Securing the Entire Software Supply Chain - Santiago Torres, NYU

As attackers intensify their focus on the software development, distribution and deployment pipeline, supply chain security becomes more and more crucial to the overall security of software projects. in-toto, which has recently become a member of the CNCF, has tooling and a protocol that allows you to verifiably define all the steps of the supply chain, along with its authorized personnel, giving you and your customers the guarantee that everything happened according to your intentions and nothing else. This talk will walk you through the basics of software supply chain security, and show how a versatile tool like in-toto can add substantial security guarantees to any supply chain in- and outside of the cloud native ecosystem.

https://sched.co/Zev5

A

Hello, everyone, uh I am santiago, I am a phd recently graduated phd student from nyu and uh I am going to talk today about things a way to secure the software supply chain that it's a cncf project. Maybe it's incubation by the time you see this video we don't know just yet, uh and the main goal of uh in total is to protect the everything that happens at the left of your software delivery pipeline. uh That is uh the version process, the build farms, the uh vulnerability scanners. Anything before admission on your cloud.

A

um Today, I'm going to talk a little bit about the problem. I think it's a an upcoming problem. It's uh it's something! That's been taking the industry by surprise and it's something that caused a lot of damages.

A

So um for that reason I think it's not only important to know what the problem is, uh but also to uh know how to tackle it and how to fix it. So uh after um I talked about what a well the problem is I'm going to talk about in total uh and how you can use it today to protect your platforms and your specific companies for your projects.

A

So with that aside, uh I wanted to get it to uh to talk about how software is made um again. uh When we're talking about software supply chains, we usually uh think uh we need to answer ourselves well how software's applied to users uh and uh they usually follow a common pattern of uh software delivery uh to make things clear. uh Here's a very github generation, type of software supply chain, very minimalistic software supply chain, in which uh you may have your code, live in a version control system.

A

Maybe you send it somewhere if you're feeling fancy to have a deal for you on a bill far uh if, uh if you're caring about the quality of the software, maybe you have a continuous integration service, such as travis running tests on your on every single commit that you make, and finally, some somebody, maybe even yourself again- is packaging, this uh piece of software to eventually get it out into uh the consumers, the user software software.

A

So I know this is a very simple software supply chain, but it's a it's. The perfect place to start a conversation about the security of it of uh of the whole ecosystem.

A

So again, this is a security talk, so you wouldn't be surprised if I told you that uh software supply chains can't get hacked and that's exactly what has happened. uh Time and time again. Hackers have been able to break into say the version control system and uh replace uh the sort of random seed of a project or insert backdoors into the software or make malicious uh pieces of code that can actually uh subvert the whole infrastructure.

A

This has happened time and time and time again, and it is a it is a very damaging point of compromise, because a single point of compromise means that every single user of your product is affected.

A

Now this was just for the version control system. The same thing can happen in your compiler or your build file. There has been instances such as the very academic ken thompson attack, in which uh somebody introduces a back during compiler into the pipeline in such a way that every single product of this compiler is introducing the backdoor and software or there's been a more realistic scenarios like the xcode ghost in which somebody made a counterfeit version of xcode that resulted in every single ios application.

A

Being compiled with xcode had a background, a big piece of malware, a very popular applications such as angry bird, were actually affected by this attack uh and uh we're computer scientists, so we're good interpolating things. uh This is not an isolated incident. This has happened time and time again in the deal fund as well.

A

Now, uh speaking of interpolation, I assume that you can also guess that the packaging infrastructure is a very, very uh good target for attackers.

A

uh Attackers can break into the into the uh distribution or the packaging infrastructure, and they can insert factors there's a case of a backdoor linux main title that ended up being uh building a more than 800 uh host apartment in less than 24 hours, which was. uh It was a very, very small profile attack that ended up, creating a relatively uh medium-sized botnet, small to medium sized spot in uh very, very quickly.

A

There's other examples like king's layer, there's uh there's cases which I like to highlight to pretty much illustrate the problem and the nature of this attacks is a php, my admin. It was hacked only in the south korean mirror server. This gave the attacker a very particular uh fingerprint of the type of uh of victims that they would find was not only uh a very good uh example of something that may have been state sponsored or something that may have been uh just uh able to attack a single country at once.

A

So uh there were fingerprints. There was finger pointing going on uh some people, of course linked north korea, but there's a there's, many good explanations as to why somebody could want to target a particular population. Of course, this is not an isolated incident, but this is not the only time that somebody has taken geographic uh approaches to the software fighting attacks and finally, there's also questions about compliance. uh There are very many things that are happening in your pipeline that may cause uh even a non-malicious uh action to uh echo all of your users.

A

There's a case in the external and there's cases with, for example, microsoft windows in which uh a windows update was able to break every single computer that installed it, and it was originally believed that some hackers broke into the microsoft infrastructure to cause a very, very damaging attack. But it turned out that uh somewhere in the pipes, uh somebody didn't do their job and embedded this window software properly.

A

uh Of course, windows launched an internal investigation, they were victorio and they were trying to figure out exactly what happened and uh I'm sure that they fixed this problem. But uh it was already a little late for a couple of users and I'm not trying to point the fingers at anybody. It's just just a state of affairs. We need to be more thorough and more conscious about the way that we are producing and we are telling software, especially now that uh most of the critical infrastructure relies on our uh on our pieces of software.

A

So here's uh here's a point which I want us all to reflect on the nature of uh what I like about this little example is that, uh even though it's a very minimal, very uh cartoonish they're say suffer supply chain, many of you that are working in the industry. They have seen that and said like. Oh, this is ridiculous. This is so simple. We don't. We do things way way more complicated and more elaborate than this.

A

uh Even in this case there is uh eight points of compromise and uh on six of those eight points of compromise. A complete software supply chain subversion happens if any of those uh six points fail and their security uh in their security story and the final product will be completely subverted.

A

This means that the end user is hacked and, uh and your company loses a million millions of dollars or whatever the it depends on your budget, but you get the idea now.

A

I hope I did my. uh I did my job in convincing you that this is a this is a problem, and this is something that we need to fix uh the goal. uh The goal of this is to understand that the software supply chain compromises are a thing, that's not in in theory anymore.

A

It's something that's been used by many different actors to do many, many different types of uh damages to many different industries and uh even though there's a lot of things that we can do today uh to fix things, we need to think a little bit more holistically.

A

Now, uh I'm going to go over a little bit of things that you're, probably like. Aha, I know that I can use a uh get signing to protect the version control system uh or I can use this technique on the real farm.

A

I am going to show how all of these things can be need to be put in place to foster a good software supply chain security uh story. Now again, there's many good point solutions. There's things like uh git commit signing or a push certificate or direct state log that can help you protect the version across themselves, uh there's other things like tpms and descents, or very vital compilers.

A

There's things such versatile builds that can help you protect your build farm and there's also things such as tls and ppg, and tough for the delivery mechanism that can help you uh secure and protect the the last mile on your software supply chain.

A

So uh with those all of those in place, uh I took the liberty of removing some points of compromise and we still have a couple of questions on the answer. The first one is that uh we don't know anything about the gaps between the steps. That is even though you may be following the software. uh The version control system uh delivery mechanism properly.

A

uh You don't know if the person after you that's going to build the sources is actually checking that you're following these practices to the letter and the same can happen to the packaging, and so it can happen to the ci test, testing and compliance mechanisms in place. At the end of the day, it's a it's. Both a question of security uh and a question of compliance. uh Is everybody following things?

A

uh The way they should and is uh everybody following the right security policy, and uh that's exactly the type of problem that we're uh that we're against when we're talking about the software supply chain, security and holistic security and software on software supply chain. So to make things uh summarized or easier to uh understand is we want to follow three goals? We want to first define uh in a verifiable way. What is supposed to happen in a software supply chain, define the steps on your software's collection.

A

I have a version control system that looks like this. I have a build farm that looks like that. I have a packaging infrastructure that looks like this, and all of this is completely being checked by a by a ci system.

A

After that we also want to define the off the uh the actuation developers, the actors that are participating in the in your in the supply chain. This means uh we know that the version control system is going to be uh being carried out by a team within my uh software engineering team, and we know that the person that does packaging and delivery is probably a software uh reliability, engineers or, I don't know any other role within your organization.

A

And finally, because a chain is a series of conjoint links, we want to make sure that every single step is properly uh connected to each other. We want to guarantee that everything happens to the definition and that there's no gaps between the stories on each individual step.

A

So now I'm going to tell you how you can use nuto to provide these properties on top of the other security properties that I was talking about earlier.

A

To do this. We use two things in each other. The first one is called a layout layout is a piece of policy that a project owner or a security engineer at an organization will define, and it will describe things on on your supply chain. It's going to decide what needs to happen and how it should happen.

A

So, to do that, it will have a series of steps defined, say I it will say I have a version pro system, I have a build farm, I have a packaging infrastructure and I have a ci setup in place.

A

Then it will create uh or allow you to define a series of functionaries which are the actors that will partake in the operations in the supply chain. It will say bob the version control system person will be taking care of the version, control system and carol will be taking care of the pill farm. It will also say dave is the third party that's taking care of the ci and that's the and aaron will be the one that will be doing the packaging.

A

It will also uh let you define what are the materials and products, but this is a non-overloaded word that we chose to uh to talk about software artifacts. We know that uh bob will be talking in a language of making version, control, system files, say, source code or or build uh tool chain definitions.

A

We know that carol will be talking within the same terms, but maybe carl will be producing binaries that are executable files.

A

We also know that aaron may be talking on binaries and also packages, so uh all of this uh types of software artifacts will be defined and will be assigned to an individual step and uh in order to prevent uh this uh security story is to be separated from each other.

A

It will uh use the artifact rules which are describing how these artifacts will be connected uh between each other and we'll, say: boss version control system files will be the ones that will be input to both the ci system and the bill farm, and both of them need to agree on that they're.

A

Using the same artifacts and carl will say what is the resulting binary of the of the bill and aaron will say what is a resulting package that that she created with this and the signature to make sure that this is the right file created by the right person. We know exactly what needs to happen now now that we know that what needs to happen. We uh need to carry uh to collect information about what happened.

A

This is uh generating evidence of the operations as they were carried out in the supply chain, so in the in total world to do this we have another type of file that is a layout. It's called a link.

A

These link files are essentially a series of map stations created by each individual actor or functionary in the supply chain, so bob will create a little rubber, stamped uh version of their of their operations that they will say. I actually checked that uh created this git tag and uh airing which we'll be doing the package will say. I took carol's primaries and I created this uh this package and here's my rubber stamp saying that I was the one that did it and nobody else did so.

A

When we do this, we are able to uh verify, uh and we turn the conversation into the the this was my definition of what I needed to happen. My policy defined in the layout. That said, this is the way that my supply chain needs to be carried out.

A

Does it agree with the evidence that I collected in this uh series of adaptations created by all of the actors in the supply chain, and with that we can uh basically turn the whole conversation into uh following a cryptographic paper trail and matching it against the policy all the way from the package uh and back into the version control system or as far left as you want to take it. You can include the conversations about the decision making the sign uh legal review, you name it. It doesn't need to be an automated uh step.

A

You just need to create the applications you show so just to wrap up uh in total is a framework that allows you to define um how the things in your pipeline should have been carried out and then to collect evidence uh of how the things in your pipeline were carried out, and that way you can describe precisely uh the way that you wanted your software to be made, and you can enforce on each individual step of your pipeline that it was carried out to the letter.

A

Now. Something I'm very excited about in toto is that it's- uh and this is a cliche phrase, but a supply chain is only as secure as its weakest link is that we need everybody in the ecosystem and the community to be involved and to participate.

A

So inktodo has been uh working alongside a lot of different uh communities out there to to create integrations to be able to provide the security uh properties that uh that we need to make a stronger software supply chain.

A

One that I'm particularly proud about and excited about is texan and in toto the it's a project called chains. You can use it to track each of the operations that that are being uh carried out by a uh tecton and creating total linkage stations for them. So you can verify them uh at the end.

A

At the end of the process, now I'm going to drop a link at the bottom of the chat, and you can use that to both see a demo of the project and also get involved if you want to take a to partake into developing chains, and uh for that I want to conclude.

A

uh Just to just wrap up uh securing the software supply chain is important. It's an up-and-coming problem that uh that it's uh being it's causing a lot of damage so across the industry, and I think it would be important for uh everybody here to start uh taking a look at it uh into this. Also, the first tool that allows you to holistically protect the software supply chain.

A

There's many simple, but around approaches uh in total is a project that took us uh five years again for you to develop and to make sure that it can be used to both protect your supply chain and to protect any supply chain out there, and uh we also want to invite you to try out in toto and not only try out in toto, but uh if you want to join a thriving open source community of uh security enthusiasts that wants to protect uh this uh very important aspect of software.

A

Then uh please reach out to us we're in this the cncf slack and many other channels listed on our website, and uh we look forward to hearing from you. Thank you so much.