One Article Review

Home - The article:
Source: GoogleSec
Identifier: 4593787
Publication date: 2022-04-07 11:33:30 (viewed: 2022-05-13 21:47:30)
Title: Improving software supply chain security with tamper-proof builds
Text:
Posted by Asra Ali and Laurent Simon, Google Open Source Security Team (GOSST)

Many of the recent high-profile software attacks that have alarmed open-source users globally were consequences of supply chain integrity vulnerabilities: attackers gained control of a build server to use malicious source files, injected malicious artifacts into a compromised build platform, and bypassed trusted builders to upload malicious artifacts. Each of these attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software. But until now, generating verifiable information that described where, when, and how software artifacts were produced (information known as provenance) was difficult. This information allows users to trace artifacts verifiably back to the source and develop risk-based policies around what they consume. Currently, provenance generation is not widely supported, and solutions that do exist may require migrating build processes to services like Tekton Chains.

This blog post describes a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore's signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA "levels"), which affirms to consumers that your artifacts are authentic and trustworthy.

Provenance

SLSA ("Supply-chain Levels for Software Artifacts") is a framework to help improve the integrity of your project throughout its development cycle, allowing consumers to trace the final piece of software you release all the way back to the source. Achieving a high SLSA level helps to improve the trust that your artifacts are what you say they are.

This blog post focuses on build provenance, which gives users important information about the build: who performed the release process? Was the build artifact protected against malicious tampering? Source provenance describes how the source code was protected, which we'll cover in future blog posts, so stay tuned.

Go prototype to generate non-forgeable build provenance

To create tamperless evidence of the build and allow consumer verification, you need to:
- Isolate the provenance generation from the build process;
- Isolate against maintainers interfering in the workflow;
- Provide a mechanism to identify the builder during provenance verification.

The full isolation described in the first two points allows consumers to trust that the provenance was faithfully recorded; entities that provide this guarantee are called trusted builders.

Our Go prototype solves all three challenges. It also includes running the build inside the trusted builder, which provides a strong guarantee that the build achieves SLSA 3's ephemeral and isolated requirement.

How does it work?

The following steps create the trusted builder that is necessar
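The consumer-side half of the third requirement above (identifying the builder during provenance verification) and the opening goal (detecting that a delivered artifact diverged from its expected origin) can be shown as a small policy check. The following is an added example written for this review; it is not code from the Google post or the SLSA project. It assumes the provenance has already been signature-checked (for instance with Sigstore tooling, which is out of scope here) and is an in-toto Statement carrying a SLSA provenance v0.2 predicate; the type URIs, the builder id in the allowlist, the build type and the sample artifact are all constructed placeholders, since the post itself names none of them.

```python
import hashlib
import json

# Assumed format identifiers (in-toto Statement v0.1 / SLSA provenance v0.2).
# The post does not name them; they are this example's assumptions.
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed allowlist of builder identities the consumer trusts. The real
# builder id of the post's trusted builder is not on the page, so this is a
# placeholder value.
TRUSTED_BUILDERS = {"https://example.invalid/trusted-builder@v0"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Construct a sample provenance statement (test data, not a real attestation)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/buildtype@v0",  # placeholder
            "invocation": {"configSource": {"uri": source_uri}},
        },
    }


def verify_provenance(statement_json: str, artifact_name: str, artifact: bytes,
                      expected_source: str) -> list:
    """Return the list of policy violations; an empty list means the artifact passes.

    Assumes the DSSE envelope / signature was verified before this is called.
    """
    problems = []
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return [f"provenance is not valid JSON: {exc}"]

    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if stmt.get("predicateType") != SLSA_PROVENANCE_TYPE:
        problems.append("predicate is not SLSA provenance")

    # 1. The artifact in hand must be the one the provenance describes:
    #    recompute its digest and compare with the matching subject entry.
    subjects = {s.get("name"): s.get("digest", {}).get("sha256")
                for s in stmt.get("subject", [])}
    if subjects.get(artifact_name) != sha256_hex(artifact):
        problems.append(f"subject digest mismatch for {artifact_name}")

    # 2. The provenance must come from a builder the consumer trusts.
    predicate = stmt.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder: {builder_id!r}")

    # 3. The build must have been driven from the expected source repository.
    src = predicate.get("invocation", {}).get("configSource", {}).get("uri")
    if src != expected_source:
        problems.append(f"source mismatch: {src!r}")
    return problems


def demo() -> dict:
    """Run the check on a good statement and on three tampered variants."""
    artifact = b"constructed release binary bytes\n"
    good = make_statement("app-linux-amd64", artifact,
                          "https://example.invalid/trusted-builder@v0",
                          "git+https://example.invalid/org/repo@refs/tags/v1.0.0")
    expected_src = "git+https://example.invalid/org/repo@refs/tags/v1.0.0"
    results = {"good": verify_provenance(json.dumps(good), "app-linux-amd64", artifact, expected_src)}
    # Swapped artifact: digest no longer matches the attested subject.
    results["swapped_artifact"] = verify_provenance(
        json.dumps(good), "app-linux-amd64", artifact + b"x", expected_src)
    # Provenance minted by a builder outside the allowlist.
    rogue = make_statement("app-linux-amd64", artifact,
                           "https://example.invalid/someone-elses-runner", expected_src)
    results["rogue_builder"] = verify_provenance(json.dumps(rogue), "app-linux-amd64", artifact, expected_src)
    # Build pointed at a different source than the consumer expects.
    results["wrong_source"] = verify_provenance(
        json.dumps(good), "app-linux-amd64", artifact, "git+https://example.invalid/org/fork@refs/heads/main")
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'OK' if not problems else problems}")
```

The three checks map onto the post's points: the digest comparison catches an artifact that was swapped after the build, the allowlist is the "mechanism to identify the builder", and the source comparison enforces a consumer's origin policy. In a real deployment the allowlisted builder id would be the trusted builder's published identity and the statement would be taken from a signature-verified envelope rather than constructed locally.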
Sent: Yes
Stories: SolarWinds


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.