New tool aims to save open source from supply chain attacks
Russia's historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common besides the Kremlin: they are both real-world examples of software supply chain attacks. The term covers what happens when an attacker slips malicious code into legitimate software that can then spread far and wide. As more supply chain attacks come to light, a new open source project is poised to take a stand by making a crucial protection free and easy to adopt.
Sigstore's founders hope their platform will encourage the adoption of code signing, an important safeguard for software supply chains, but one that popular and widely used open source software often overlooks. Open source developers don't always have the resources, time, expertise, or means to fully implement code signing on top of all the other non-negotiable components they need to build to make their code work.
“Until about a year and a half ago, I felt like the madwoman standing around the corner with a sign that said, ‘The end is drawing near.’ No one understood the problem,” says Dan Lorenc, open source software researcher and supply chain engineer at Google. “But over the past year things have changed dramatically. Now everyone is talking about supply chain security, we have an executive order on it, and everyone is starting to realize how critical open source is and how we really need to devote resources to securing it for everyone.”
Lorenc is far from the only researcher to have focused on the challenges of securing open source projects or the software supply chain. But the broad attention generated by recent high-profile hacks has brought a whole new level of interest to the work Lorenc and his collaborators already had underway.
To understand the significance of Sigstore, you need a sense of what code signing does. Think of it like orders sent during a battle in ancient times. Generals would recognize the handwriting of the royal scribe, the signature of the commander-in-chief, and the detailed wax seal on the envelope, while a carefully controlled network of messengers carried the orders along a known chain of custody. The system worked because it was extremely difficult, though not entirely impossible, for an outsider to infiltrate the process, replicate the crucial elements, and bypass all of those integrity checks.
The same is true of cryptographic code signing. You can't just create a Windows update and distribute it to your closest friends or foes; only Microsoft can do that, unless something has gone badly wrong. One reason it's so hard for anyone other than Microsoft to push updates to your Windows laptop is that the software has to have been “signed” by the right creator at the right time. It is the John Hancock and wax seal of the digital age.
You can also see why the stakes are so high, for ancient battles and modern software alike. If someone could send malicious orders or updates, they could stage a coup or compromise billions of computers. The benefits of code signing are clear, but getting hobbyists, volunteers, and other open source contributors to integrate it requires a low barrier to entry.
“These are huge problems that put infrastructure at risk around the world,” says Bob Callaway, chief architect at enterprise open source software company Red Hat. “It is certainly not a panacea that will solve everything, but it will make a big dent by getting people to actually use the best practices and cryptographic techniques that have been around for a long time, and make releases more secure.”
Sigstore, which is affiliated with the Linux Foundation and currently run by Google, Red Hat, and Purdue University, combines two components. First, it handles the convoluted cryptography for its users; it even offers to manage everything for developers who cannot or do not want to take on the extra work themselves. Using existing credentials like an email address or a third-party login system like Sign In with Google or Sign In with Facebook, you can quickly begin cryptographically signing the code you produce as having been created by you at a given moment. Second, Sigstore automatically produces a public, immutable, open source log of all signing activity. This ensures public accountability for every submission and gives investigators a place to start if something goes wrong.
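The two components described above, an identity-bound signature over an artifact digest and an append-only public log, can be sketched in a few dozen lines. The following Go program is an added example written for this page, not Sigstore's own code: it models keyless signing with a throwaway Ed25519 key pair that is discarded after one use, records who signed which digest in a hash-chained in-memory log, and then shows verification of a genuine and a tampered artifact and an audit that catches a rewritten log entry. The identity string, artifact bytes and log structure are constructed for illustration. In the real system the identity-to-key binding is a short-lived certificate issued after the login step and the log is a separate service; this toy folds both into a single log entry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Entry is one record in a hypothetical append-only transparency log:
// who signed what, with which ephemeral key, when, chained to the previous entry.
type Entry struct {
	Identity  string            // assumed: an e-mail address confirmed by a third-party login
	Digest    [32]byte          // SHA-256 of the signed artifact
	PubKey    ed25519.PublicKey // public half of the one-time key used for this signature
	Signature []byte
	Timestamp time.Time
	PrevHash  [32]byte // hash of the preceding entry; zero for the first entry
}

// Log is a constructed in-memory append-only log with a hash chain (a toy, not Sigstore's log).
type Log struct {
	entries []Entry
}

// hash commits to every field of the entry so any later edit changes the chain.
func (e Entry) hash() [32]byte {
	h := sha256.New()
	h.Write([]byte(e.Identity))
	h.Write(e.Digest[:])
	h.Write(e.PubKey)
	h.Write(e.Signature)
	h.Write([]byte(e.Timestamp.UTC().Format(time.RFC3339Nano)))
	h.Write(e.PrevHash[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// SignArtifact mimics keyless signing: a fresh key pair is generated for this
// signature alone, the artifact digest is signed, and the result is appended to
// the log together with the identity. The private key is dropped on return.
func (l *Log) SignArtifact(identity string, artifact []byte) (Entry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Entry{}, err
	}
	digest := sha256.Sum256(artifact)
	e := Entry{
		Identity:  identity,
		Digest:    digest,
		PubKey:    pub,
		Signature: ed25519.Sign(priv, digest[:]),
		Timestamp: time.Now(),
	}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].hash()
	}
	l.entries = append(l.entries, e)
	return e, nil
}

// Verify checks that the artifact matches the log entry: same digest, and the
// signature validates under the public key recorded for that identity.
func Verify(e Entry, artifact []byte) error {
	if sha256.Sum256(artifact) != e.Digest {
		return errors.New("artifact digest does not match log entry")
	}
	if !ed25519.Verify(e.PubKey, e.Digest[:], e.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Audit walks the chain and returns the index of the first entry whose PrevHash
// no longer matches its predecessor, i.e. evidence that history was rewritten.
// It returns (-1, true) when the chain is intact.
func (l *Log) Audit() (int, bool) {
	for i := 1; i < len(l.entries); i++ {
		if l.entries[i].PrevHash != l.entries[i-1].hash() {
			return i, false
		}
	}
	return -1, true
}

func main() {
	var tlog Log
	release := []byte("tool-1.0.0 binary bytes (constructed sample)")
	e, err := tlog.SignArtifact("dev@example.com", release)
	if err != nil {
		panic(err)
	}
	fmt.Println("signed by", e.Identity, "digest", hex.EncodeToString(e.Digest[:8]))
	fmt.Println("verify genuine:", Verify(e, release))
	tampered := append(append([]byte{}, release...), '!') // one byte appended by an attacker
	fmt.Println("verify tampered:", Verify(e, tampered))
	tlog.SignArtifact("dev@example.com", []byte("tool-1.0.1 (constructed sample)"))
	tlog.entries[0].Identity = "attacker@example.com" // attempt to rewrite history
	idx, ok := tlog.Audit()
	fmt.Println("audit ok:", ok, "first broken entry:", idx)
}
```

The point of the chain is that a log operator cannot quietly change who signed an old release: altering entry 0 changes its hash, so entry 1's recorded PrevHash no longer matches and Audit reports the break. Verification, by contrast, needs only the entry and the artifact; no long-lived signing key has to be stored or protected by the developer.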