So, I have finally completed my internship at NYU Tandon for this summer and am now returning on my flight. I was at the Centre for Cyber Security under Prof. Justin Cappos, working on their in-house supply chain security tool, in-toto.
I’ll start with my experience in the city then bore you with the project.
New York City is an amazing city. It has tonnes of museums to visit and enjoy and epic skyscrapers. The focus on preserving art, culture and history is something I’ve never seen before.
The diversity in the food is awesome. I had Mexican, Chinese, Japanese, Korean as well as Italian cuisine.
While working on the project, I got the opportunity to visit the HQ of a software company and the experience was awesome.
in-toto is a powerful tool which allows specifying supply chain steps in detail, cryptographically signing them and later on verifying them independently using a generated link metadata file. Using it, companies and organizations can easily secure their supply chains and clients using their products can verify the authenticity of what they are using.
I worked on adding some minor features in in-toto such as adding support for using ED25519 Keys for signing metadata instead of just RSA Keys.
This was the major focus of my summer. The people at Reproducible Builds and Debian are working very hard to ensure that all packages in Debian are reproducible. Once they have rebuilt any such package, they publish the buildinfo file for others to see.
Reproducible builds are very important for verifiability in a package distribution ecosystem, because if the build system on which the package was initially built is compromised, nobody would otherwise know. With reproducible builds, we can have multiple independent entities build a package and then compare the results to ensure that nothing was compromised.
For this purpose, the people at Debian were working on an easily deployable system which can be used to rebuild packages, publish the buildinfo generated by this system and establish a baseline.
For what? Fidelity.
I worked majorly on setting up this system wherein, given a buildinfo file, the system would rebuild the whole package from source and then publish the buildinfo. We took it a step further and added in-toto metadata generation during the build and exposed the metadata.
An organization can just deploy the system with ansible playbook.yml and have the entire infrastructure running, exposing the buildinfo as well as the metadata. Now, theoretically, anyone installing a package from the Debian repositories could look up the exposed metadata and compare it with the metadata of what they have downloaded to ensure that the package hasn’t been compromised. This could even be automated by using an apt-transport/plugin to automatically verify a package and only install it if a certain threshold is met.
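The threshold check described above, sketched as an added example (not code from the project or from this post): it parses the Checksums-Sha256 field of each rebuilder's buildinfo file and accepts a downloaded package only if enough rebuilders recorded the same hash. The package, rebuilder names, file contents and threshold are constructed, and the sketch assumes each buildinfo file has already been authenticated (for example by checking its signature), which it does not do itself.

```python
import hashlib

def parse_sha256_checksums(buildinfo_text):
    """Return {filename: sha256} from the Checksums-Sha256 field of a buildinfo file."""
    checksums, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            parts = line.split()
            if len(parts) == 3:  # continuation line: <sha256> <size> <filename>
                checksums[parts[2]] = parts[0].lower()
        else:
            in_field = False  # a new field or blank line ends the checksum list
    return checksums

def meets_threshold(deb_name, deb_bytes, rebuilder_buildinfos, threshold):
    """Return (ok, agreeing): ok is True when at least `threshold` rebuilders
    recorded the same SHA-256 as the package we actually downloaded."""
    local = hashlib.sha256(deb_bytes).hexdigest()
    agreeing = sorted(
        name for name, text in rebuilder_buildinfos.items()
        if parse_sha256_checksums(text).get(deb_name) == local
    )
    return len(agreeing) >= threshold, agreeing

def sample_buildinfo(digest, size, name):
    """Build a minimal, constructed buildinfo body (unsigned, fields trimmed)."""
    return ("Format: 1.0\nSource: hello\nVersion: 1.0-1\n"
            f"Checksums-Sha256:\n {digest} {size} {name}\n"
            "Build-Architecture: amd64\n")

# Constructed sample data: hypothetical package and rebuilder names.
DEB_NAME = "hello_1.0-1_amd64.deb"
DEB = b"constructed package contents"
GOOD = hashlib.sha256(DEB).hexdigest()
BAD = hashlib.sha256(b"output of a compromised builder").hexdigest()
REBUILDERS = {
    "rebuilder-a.example": sample_buildinfo(GOOD, len(DEB), DEB_NAME),
    "rebuilder-b.example": sample_buildinfo(GOOD, len(DEB), DEB_NAME),
    "rebuilder-c.example": sample_buildinfo(BAD, 31, DEB_NAME),
}

if __name__ == "__main__":
    ok, who = meets_threshold(DEB_NAME, DEB, REBUILDERS, threshold=2)
    print("install" if ok else "refuse", "- matching rebuilders:", who)
```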
Some work on this is still left and I intend to finish it in the next few days. The code and documentation can be found at salsa.debian.org