Commit signatures for centralized version control systems

Document Type

Conference Proceeding

Publication Date

1-1-2019

Abstract

Version Control Systems (VCS-es) play a major role in the software development life cycle, yet historically their security has been relatively underdeveloped compared to their importance. Recent history has shown that source code repositories represent appealing attack targets. Attacks that violate the integrity of repository data can impact negatively millions of users. Some VCS-es, such as Git, employ commit signatures as a mechanism to provide developers with cryptographic protections for the code they contribute to a repository. However, an entire class of other VCS-es, including the well-known Apache Subversion (SVN), lacks such protections. We design the first commit signing mechanism for centralized version control systems, which supports features such as working with a subset of the repository and allowing clients to work on disjoint sets of files without having to retrieve each other’s changes. We implement a prototype for the proposed commit signing mechanism on top of the SVN codebase and show experimentally that it only incurs a modest overhead. With our solution in place, the VCS security model is substantially improved.

Identifier

85068234550 (Scopus)

ISBN

[9783030223113]

Publication Title

IFIP Advances in Information and Communication Technology

External Full Text Location

https://doi.org/10.1007/978-3-030-22312-0_25

e-ISSN

1868422X

ISSN

18684238

First Page

359

Last Page

373

Volume

562

Grant

1565478

Fund Ref

National Science Foundation

This document is currently not available here.

Share

COinS