Bootstrapping Trust in Community Repository Projects

Document Type

Conference Proceeding

Publication Date

1-1-2023

Abstract

Community repositories such as PyPI and NPM are immensely popular and collectively serve more than a billion packages per day. However, existing software certification mechanisms such as code signing, which seeks to provide end users with authenticity and integrity guarantees for a piece of software, are not suitable for community repositories and are not used in this context. This is very concerning, given the recent increase in the frequency and variety of attacks against community repositories. In this work, we propose a different approach for certifying the validity of software projects hosted on community repositories. We design and implement a Software Certification Service (SCS) that receives certification requests from a project owner for a specific project and then issues a project certificate once the project owner successfully completes a protocol for proving ownership of the project. The proposed certification protocol is inspired by the highly successful ACME protocol used by Let's Encrypt and can be fully automated on the SCS side. It is, however, fundamentally different in its attack mitigation capabilities and in how ownership is proven. It is also compatible with existing community repositories such as PyPI, RubyGems, or NPM, without requiring changes to these repositories. To support this claim, we instantiate the proposed certification service with several practical deployments.

Identifier

85147991041 (Scopus)

ISBN

9783031255373

Publication Title

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST)

External Full Text Location

https://doi.org/10.1007/978-3-031-25538-0_24

e-ISSN

1867-822X

ISSN

1867-8211

First Page

450

Last Page

469

Volume

462 LNICST

Grant

CNS 1801430

Fund Ref

National Science Foundation
