Author ORCID Identifier

0000-0002-3386-8960

Document Type

Dissertation

Date of Award

8-31-2022

Degree Name

Doctor of Philosophy in Computing Sciences - (Ph.D.)

Department

Computer Science

First Advisor

Reza Curtmola

Second Advisor

Cristian Borcea

Third Advisor

Vincent Oria

Fourth Advisor

Kurt Rohloff

Fifth Advisor

Justin Cappos

Abstract

The software development process comprises a series of steps known as a software supply chain. These steps include managing the source code, testing, building and packaging it into a final product, and distributing the product to end users. Along this chain, software repositories are used for different purposes such as source code management (Git, SVN, Mercurial), software distribution (PyPI, RubyGems, NPM) or for deploying software based on container images (Harbor, DockerHub, Artifact Hub). In the recent past, different types of repositories have increasingly been the target of attacks. As such, there is a need for mechanisms that ensure the integrity and authenticity of repository data. This work seeks to design mechanisms for providing end users with integrity and authenticity guarantees for repositories used in the software development process.

In the first part of this work, the focus is on version control systems that are used by software developers for source code management and collaboration. Recent history has shown that source code repositories represent appealing attack targets. Attacks that violate the integrity of repository data can negatively impact millions of users. This work designs and implements a commit signing mechanism for centralized version control systems that rely on a client-server architecture. When the proposed commit signing protocol is in place, the integrity and authenticity of the repository can be guaranteed even when the server hosting the repository is not trustworthy.

The second part of this work proposes an approach for certifying the validity of software projects hosted on community repositories. This work designs and implements a Software Certification Service (SCS) that receives certification requests from a project owner for a specific project and then issues a project certificate once the project owner successfully completes a protocol for proving ownership of the project. The proposed certification protocol is inspired by the highly successful ACME protocol used by the Let's Encrypt certificate authority and can be fully automated on the SCS side. However, it is fundamentally different in its attack mitigation capabilities and in how ownership is proven. It is also compatible with existing community repositories such as PyPI, RubyGems, NPM, or GitHub, without requiring any changes to these repositories. To support this claim, the work instantiates the proposed certification service with several practical deployments.

In the last part of this work, the focus is on artifact repositories that are used for the deployment of software. These repositories are used to manage deployment artifacts such as container images, Helm charts and policy bundles. Current artifact management systems lack proper version control features. This work proposes a uniform version control system for such artifacts. The primary focus here is on artifacts recognized by the Open Container Initiative (OCI) standards. The approach treats artifacts as structured objects with multiple components such as file systems, binary packages, and metadata, instead of treating them as opaque binary objects. The work further leverages this structure to design a Jiff algorithm that computes the difference between two versions of an artifact. The approach examines challenges related to computing differences between versions, the persistence of older versions of artifacts, and the security aspects of a version control system. Finally, the work proposes commit and update mechanisms for version control that address these challenges. With the proposed commit and update protocols in place, various types of OCI artifacts can be version controlled uniformly, regardless of their type.
