The software supply chain is becoming a widespread analogy to designate the series of steps taken to go from source code published by developers to executables running on the users? computers. A security vulnerability in any of these steps puts users at risk, and evidence shows that attacks on the supply chain are becoming more common. The consequences of an attack on the software supply chain can be tragic in a society that relies on many interconnected software systems, and this has led research interest as well as governmental incentives for supply chain security to rise. GNU Guix is a software deployment tool and software distribution that supports provenance tracking, reproducible builds, and reproducible software environments. Unlike many software distributions, it consists exclusively of source code: it provides a set of package definitions that describe how to build code from source. Together, these properties set it apart from many deployment tools that center on the distribution of binaries. This paper focuses on one research question: how can Guix and similar systems allow users to securely update their software? Guix source code is distributed using the Git version control system; updating Guix-installed software packages means, first, updating the local copy of the Guix source code. Prior work on secure software updates focuses on systems very different from Guix -- systems such as Debian, Fedora, or PyPI where updating consists in fetching metadata about the latest binary artifacts available -- and is largely inapplicable in the context of Guix. By contrast, the main threats for Guix are attacks on its source code repository, which could lead users to run inauthentic code or to downgrade their system. Deployment tools that more closely resemble Guix, from Nix to Portage, either lack secure update mechanisms or suffer from shortcomings. Our main contribution is a model and tool to authenticate new Git revisions. We further show how, building on Git semantics, we build protections against downgrade attacks and related threats. We explain implementation choices. This work has been deployed in production two years ago, giving us insight on its actual use at scale every day. The Git checkout authentication at its core is applicable beyond the specific use case of Guix, and we think it could benefit to developer teams that use Git. As attacks on the software supply chain appear, security research is now looking at every link of the supply chain. Secure updates are one important aspect of the supply chain, but this paper also looks at the broader context: how Guix models and implements the supply chain, from upstream source code to binaries running on computers. While much recent work focuses on attestation -- certifying each link of the supply chain -- Guix takes a more radical approach: enabling independent verification of each step, building on reproducible builds, "bootstrappable" builds, and provenance tracking. The big picture shows how Guix can be used as the foundation of secure software supply chains.
翻译:软件供应链正在成为一个广泛的类比, 以指定一系列步骤, 从开发者公布的源码到可执行的用户操作? 计算机。 这些步骤中的安全脆弱性使用户面临风险, 并且有证据表明, 对供应链的攻击正在变得更加常见。 在依赖许多相互关联的软件系统的社会中, 袭击软件供应链的后果可能是悲剧性。 这导致研究兴趣, 以及政府鼓励供应链安全上升。 GNU 吉克斯是一个软件部署工具以及软件分销, 支持源码跟踪、 可复制的构建和可再复制的软件环境。 与许多软件分销系统不同, 它只是源代码: 它提供一套包定义, 描述如何从源代码构建到源代码。 这些特性使得软件的配置工具在使用过程中, 基ix 和类似系统如何让用户更安全地更新。