Prof. Santiago Torres-Arias helps develop free tool to protect software supply chain
A Purdue ECE professor has helped develop an open-source tool that provides an added layer of security for the software supply chain. Santiago Torres-Arias, assistant professor of electrical and computer engineering, started working on in-toto while he was a PhD student at the NYU Tandon School of Engineering.
This free, easy-to-use framework cryptographically ensures the integrity of the software supply chain. Since its advent, in-toto has been adopted or integrated into several major open source software projects, including those hosted by the Cloud Native Computing Foundation, a part of the Linux Foundation. With the release of version 1.0, in-toto has reached a level of maturity where its developers can ensure its quality, and guarantee its security to potential adopters.
Like blockchain for the software development process, in-toto ensures that all steps performed on a piece of software throughout its design and development lifecycle can be trusted by providing information crucial to security. Because of the decentralized nature of software development, the multi-step process of writing, testing, packaging, and deploying new software provides many opportunities for an attacker to insert malicious code or otherwise compromise the finished product. In experiments conducted last year re-creating more than 30 real-life software supply chain compromises that impacted hundreds of millions of users, the NYU Tandon team found that in-toto would have effectively prevented at least 83% of those attacks.
Torres-Arias, who leads the in-toto project and did his dissertation on the topic, first presented the work in August 2019 at the USENIX Security Symposium. The paper, “in-toto: Providing farm-to-table guarantees for bits and bytes,” is publicly available.
“As it moves from development to testing to packaging, and finally to distribution, a piece of software passes through a number of hands,” Torres-Arias affirmed. “By requiring that each step in this chain conforms to the layout specified by the developer, it confirms to the end-user that the product has not been altered for malicious purposes, such as by adding backdoors in the source code.”
Each company or organization that uses in-toto is able to establish a set of rules or protocols that must be followed — and by whom — during each step of software development. As each step is completed, in-toto collects link metadata — cryptographically verifiable statements attesting that the step was performed in accordance with guidelines. This process circumvents a common security pitfall within the software supply chain; namely, that it is difficult to track malicious activity that occurs during a particular step of development or packaging rather than during the transition from one step to another. The link metadata provides a high level of control over the process, ensuring that even if a compromise occurs, it can be localized and its impacts limited.
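The layout-and-link-metadata idea described above, shown as an added example written for this page rather than in-toto's own code: a project owner's layout names each step and the functionary keys allowed to sign for it, each functionary signs a link recording the digests of what it consumed and produced, and verification checks the signatures and that each step's materials equal the previous step's products, so a failure is reported against one named step. The type and function names, the two-step "write-code" to "package" layout, the artifacts and the reduced MATCH check are assumptions for illustration; real in-toto links and layouts carry more (commands, byproducts, thresholds, richer artifact rules).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Artifacts maps file name -> SHA-256 hex digest (a step's materials or products).
type Artifacts map[string]string

// Link is the metadata a functionary signs for one completed step (simplified:
// real in-toto links also record the command run, byproducts and the key id).
type Link struct {
	Step      string    `json:"step"`
	Materials Artifacts `json:"materials"`
	Products  Artifacts `json:"products"`
	Sig       []byte    `json:"-"` // Ed25519 signature over the JSON of the other fields
}

// Step is one layout entry: who may sign its link, and which earlier step's
// products its materials must equal (reduced form of in-toto's MATCH rule).
type Step struct {
	Name          string
	Authorized    []ed25519.PublicKey
	MaterialsFrom string // "" for the first step
}

func digest(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// Sign attaches a functionary's signature to link metadata.
func Sign(l Link, key ed25519.PrivateKey) Link {
	payload, _ := json.Marshal(l) // map keys are sorted, so the encoding is canonical
	l.Sig = ed25519.Sign(key, payload)
	return l
}

// Verify walks the ordered layout and returns an error naming the first step whose
// link is missing, not signed by an authorized key, or whose materials differ from
// the upstream products; a compromise is thereby localized to one step.
func Verify(layout []Step, links map[string]Link) error {
	for _, st := range layout {
		l, ok := links[st.Name]
		if !ok {
			return fmt.Errorf("step %q: no link metadata", st.Name)
		}
		payload, _ := json.Marshal(l)
		authorized := false
		for _, pk := range st.Authorized {
			authorized = authorized || ed25519.Verify(pk, payload, l.Sig)
		}
		if !authorized {
			return fmt.Errorf("step %q: link not signed by an authorized functionary", st.Name)
		}
		if st.MaterialsFrom == "" {
			continue
		}
		prev := links[st.MaterialsFrom] // already verified on an earlier iteration
		for name, d := range l.Materials {
			if prev.Products[name] != d {
				return fmt.Errorf("step %q: material %s differs from the product of step %q", st.Name, name, st.MaterialsFrom)
			}
		}
	}
	return nil
}

// RunChain simulates a two-step chain (write-code -> package) on constructed
// artifacts and returns Verify's result. The flags inject the failures the text
// describes: a file altered between steps, and a step done by an unauthorized party.
func RunChain(tamperBetweenSteps, rogueSigner bool) error {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	layout := []Step{
		{Name: "write-code", Authorized: []ed25519.PublicKey{devPub}},
		{Name: "package", Authorized: []ed25519.PublicKey{pkgPub}, MaterialsFrom: "write-code"},
	}
	source := []byte("print('hello')\n") // constructed sample artifact
	devLink := Sign(Link{Step: "write-code", Products: Artifacts{"app.py": digest(source)}}, devPriv)
	if tamperBetweenSteps {
		source = []byte("print('hello')  # altered in transit\n")
	}
	pkgKey := pkgPriv
	if rogueSigner {
		pkgKey = roguePriv
	}
	pkgLink := Sign(Link{
		Step:      "package",
		Materials: Artifacts{"app.py": digest(source)},
		Products:  Artifacts{"app.tar": digest(append([]byte("tar:"), source...))},
	}, pkgKey)
	return Verify(layout, map[string]Link{"write-code": devLink, "package": pkgLink})
}
```

Calling RunChain(false, false) returns nil; RunChain(true, false) fails at the "package" step because its recorded material no longer matches the developer's signed product, and RunChain(false, true) fails at the same step because the link was not signed by a key the layout authorizes. In both failure cases the verifier reports the step, which is the localization property the text attributes to link metadata.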
In-toto is part of the Cloud Native Application Bundle (CNAB), an open-source project that facilitates the bundling, installing and managing of container-native applications. It has collaborated with open source communities such as Git, Docker, Datadog and OpenSUSE.
Justin Cappos, a professor of computer science and engineering, helped develop in-toto. Cappos and his lab are affiliated with the NYU Center for Cybersecurity at NYU Tandon. The in-toto development team also includes developer Lukas Pühringer, Ph.D. student Aditya Sirish, and undergraduate students Yuanrui Chen, Isha Vipul Dave, Kristel Fung, Cindy Kim and Benjamin Wu, all from the Secure Systems Laboratory at NYU Tandon; doctoral students Hammad Afzali Nanize and Sangat Vaidya, together with Professor and co-director of the Cybersecurity Research Center Reza Curtmola, all from the New Jersey Institute of Technology; and Trishank Kuppusamy, a former PhD student at NYU Tandon (Ph.D., '17), who is now staff security engineer at Datadog.
In-toto is supported by a grant from the National Science Foundation. Developers wishing to utilize it may do so freely at in-toto.engineering.nyu.edu.