Securing the Software Supply Chain

Monday, January 27, 2020 - 10:45 am - 11:15 am

Filippo Valsorda, Google

Abstract: 

Modern software development relies increasingly on code reuse in the form of third-party dependencies from the Open Source ecosystem. Although each programming language has its own tooling and culture, they all encourage a widespread model of adopting dependencies without detailed review and of eagerly updating to new versions.

This transitive trust in dependency authors has led to a string of high-profile availability issues and attacks: the recent rest-client Ruby gem compromise, the similar event-stream Node package compromise, the infamous left-pad incident, and many more. These episodes have patterns that we can learn from as an industry: they involve either attackers compromising developer credentials and uploading new, compromised versions, or the ecosystem losing access to the contents of existing versions.

The new Go checksum database—deployed in 2019—was designed to secure the Go modules ecosystem without requiring any extra work by module authors, like extra key management. It provides a centralized log for the checksums of all versions of all public modules. It then deploys the same technology as Certificate Transparency to keep this central authority accountable. It does not introduce any new accounts that can be compromised, and it enables third-party auditors to offer new version notifications to authors. Finally, it's designed to be easily cacheable, enabling a tradeoff in resources and privacy, from simple proxies all the way to full mirrors that don't leak any information about what modules are in use.
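The accountability mechanism the abstract borrows from Certificate Transparency is an append-only Merkle tree log: a client that holds a signed tree head can check that the checksum line the server hands it is really in the log, and a log that serves different lines to different clients can be caught by comparing tree heads. The following Go program is an added illustration, not code from the talk or from the Go project (the real implementation lives under golang.org/x/mod/sumdb and uses its own tiled storage layout); it assumes RFC 6962-style hashing, and the "module version h1:..." record lines and their hash values are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Hash is a SHA-256 digest, the node type of the Merkle tree.
type Hash [sha256.Size]byte

// leafHash and nodeHash use the RFC 6962 domain-separation prefixes (0x00 for
// leaves, 0x01 for interior nodes) so a record can never be confused with a
// subtree hash.
func leafHash(record []byte) Hash {
	return sha256.Sum256(append([]byte{0x00}, record...))
}

func nodeHash(left, right Hash) Hash {
	b := append([]byte{0x01}, left[:]...)
	return sha256.Sum256(append(b, right[:]...))
}

// largestPow2Below returns the largest power of two strictly less than n (n >= 2).
func largestPow2Below(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// treeHash computes the tree head over leaves, splitting at the largest power
// of two as RFC 6962 does, so completed left subtrees never change as the log
// grows: this is what makes the log append-only rather than rewritable.
func treeHash(leaves []Hash) Hash {
	switch len(leaves) {
	case 0:
		return sha256.Sum256(nil)
	case 1:
		return leaves[0]
	}
	k := largestPow2Below(len(leaves))
	return nodeHash(treeHash(leaves[:k]), treeHash(leaves[k:]))
}

// inclusionProof returns the sibling hashes, bottom-up, needed to recompute the
// tree head starting from leaves[m].
func inclusionProof(m int, leaves []Hash) []Hash {
	n := len(leaves)
	if n == 1 {
		return nil
	}
	k := largestPow2Below(n)
	if m < k {
		return append(inclusionProof(m, leaves[:k]), treeHash(leaves[k:]))
	}
	return append(inclusionProof(m-k, leaves[k:]), treeHash(leaves[:k]))
}

// Log is the server side: a toy checksum database that only ever appends.
type Log struct {
	records [][]byte
	leaves  []Hash
}

func (l *Log) Append(record string) int {
	l.records = append(l.records, []byte(record))
	l.leaves = append(l.leaves, leafHash([]byte(record)))
	return len(l.leaves) - 1
}

func (l *Log) TreeSize() int  { return len(l.leaves) }
func (l *Log) Root() Hash     { return treeHash(l.leaves) }
func (l *Log) Prove(m int) []Hash { return inclusionProof(m, l.leaves) }

// rootFromProof walks the proof top-down (the last element is the sibling at
// the top of the tree) and recomputes the tree head a client would expect.
func rootFromProof(m, n int, leaf Hash, proof []Hash) (Hash, bool) {
	if m < 0 || m >= n {
		return Hash{}, false
	}
	if n == 1 {
		return leaf, len(proof) == 0
	}
	if len(proof) == 0 {
		return Hash{}, false
	}
	sibling, rest := proof[len(proof)-1], proof[:len(proof)-1]
	k := largestPow2Below(n)
	if m < k {
		sub, ok := rootFromProof(m, k, leaf, rest)
		return nodeHash(sub, sibling), ok
	}
	sub, ok := rootFromProof(m-k, n-k, leaf, rest)
	return nodeHash(sibling, sub), ok
}

// VerifyRecord is the client side: given a tree head (root, n) it trusts, it
// accepts record only if the proof places it at index m under that head.
func VerifyRecord(record []byte, m, n int, proof []Hash, root Hash) bool {
	computed, ok := rootFromProof(m, n, leafHash(record), proof)
	return ok && computed == root
}

func main() {
	// Constructed records in the "module version hash" line shape; the hash
	// values are placeholders, not real module checksums.
	var db Log
	for _, r := range []string{
		"example.com/lib v1.0.0 h1:CONSTRUCTED-HASH-0",
		"example.com/lib v1.0.1 h1:CONSTRUCTED-HASH-1",
		"example.com/other v0.2.0 h1:CONSTRUCTED-HASH-2",
	} {
		db.Append(r)
	}
	root, n := db.Root(), db.TreeSize()
	proof := db.Prove(1)
	fmt.Println("genuine record accepted:", VerifyRecord(db.records[1], 1, n, proof, root))
	// The same proof cannot vouch for a substituted checksum for v1.0.1.
	forged := []byte("example.com/lib v1.0.1 h1:CONSTRUCTED-HASH-EVIL")
	fmt.Println("substituted record accepted:", VerifyRecord(forged, 1, n, proof, root))
}
```

The inclusion proof is the half of the design that lets a client refuse a checksum the log never committed to; the other half, a consistency proof between two tree heads, is what lets third-party auditors show that the log did not rewrite history, and is where the "new version notification" service for authors would hook in. Neither the tree head signature nor the consistency proof is implemented here.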

This talk will look at the high level design of the checksum database, and how it can be applied to other software package ecosystems to help secure the software supply chain.

Filippo Valsorda, Google

Filippo Valsorda (@FiloSottile) is a cryptography engineer on the Go team at Google. He acts as primary security coordinator for the Go Project and owns the Go cryptography standard libraries. Since joining the team, he introduced TLS 1.3 support in the Go standard library and co-designed the Go module authentication system, the Go Checksum Database. Previously at Cloudflare, he developed its experimental TLS 1.3 stack and kicked DNSSEC until it became something deployable.

BibTeX
@conference {244688,
author = {Filippo Valsorda},
title = {Securing the Software Supply Chain},
year = {2020},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan
}