‹Programming› 2023
Mon 13 - Fri 17 March 2023 Tokyo, Japan
Wed 15 Mar 2023 16:30 - 17:00 at Faculty of Engineering Building 2, Room 212 - Research Papers 3 Chair(s): Ian Sweet

The software supply chain is becoming a widespread analogy to designate the series of steps taken to go from source code published by developers to executables running on the users’ computers. A security vulnerability in any of these steps puts users at risk, and evidence shows that attacks on the supply chain are becoming more common. The consequences of an attack on the software supply chain can be tragic in a society that relies on many interconnected software systems, and this has led research interest as well as governmental incentives for supply chain security to rise.

GNU Guix is a software deployment tool that supports provenance tracking, reproducible builds, and reproducible software environments. Guix is first and foremost source code: it provides a set of package definitions that describe how to build code from source. Together, these properties set it apart from many deployment tools that center on the distribution of binaries.

This paper focuses on one research question: how can Guix and similar systems allow users to securely update their software? Guix source code is distributed using the Git version control system; updating Guix-installed software packages means, first, updating the local copy of the Guix source code. Prior work on secure software updates focuses on systems very different from Guix—systems such as Debian, Fedora, or PyPI where updating consists in fetching metadata about the latest binary artifacts available—and is largely inapplicable in the context of Guix. Deployment tools that more closely resemble Guix, from Nix to Portage, either lack secure update mechanisms or suffer from shortcomings.

Our main contribution is a model and tool to authenticate new Git revisions. We further show how, building on Git semantics, we build protections against downgrade attacks and related threats. We explain implementation choices. This work has been deployed in production two years ago, giving us insight on its actual use at scale every day. The Git checkout authentication at its core is applicable beyond the specific use case of Guix, and we think it could benefit to developer teams that use Git.

As attacks on the software supply chain appear, security research is now looking at every link of the supply chain. Secure updates are one important aspect of the supply chain, but this paper also looks at the broader context: how Guix models and implements the supply chain, from upstream source code to binaries running on computers. While much recent work focuses on attestation—certifying each link of the supply chain—Guix takes a more radical approach: enabling independent verification of each step, building on reproducible builds, “bootstrappable” builds, and provenance tracking. The big picture shows how Guix can be used as the foundation of secure software supply chains.

Wed 15 Mar

Displayed time zone: Osaka, Sapporo, Tokyo change

16:00 - 17:30
Research Papers 3Research Papers at Faculty of Engineering Building 2, Room 212
Chair(s): Ian Sweet Galois, Inc.
16:00
30m
Talk
Little Tricky Logic: Misconceptions in the Understanding of LTLVol. 7remote
Research Papers
Ben Greenman Brown University, Sam Saarinen Brown University, Tim Nelson Brown University, Shriram Krishnamurthi Brown University, United States
Link to publication
16:30
30m
Talk
Building a Secure Software Supply Chain with GNU GuixVol. 7remote
Research Papers
Ludovic Courtès Inria, France
Link to publication
17:00
30m
Talk
Technical Dimensions of Programming SystemsVol. 7remote
Research Papers
Joel Jakubovic University of Kent, Jonathan Edwards Independent, Tomas Petricek Charles University
Link to publication