TY - GEN
T1 - Bootstrapping Trust in Community Repository Projects
AU - Vaidya, Sangat
AU - Torres-Arias, Santiago
AU - Cappos, Justin
AU - Curtmola, Reza
N1 - Publisher Copyright:
© 2023, ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
PY - 2023
Y1 - 2023
AB - Community repositories such as PyPI and NPM are immensely popular and collectively serve more than a billion packages per day. However, existing software certification mechanisms such as code signing, which seeks to provide end users with authenticity and integrity for a piece of software, are not suitable for community repositories and are not used in this context. This is very concerning, given the recent increase in the frequency and variety of attacks against community repositories. In this work, we propose a different approach for certifying the validity of software projects hosted on community repositories. We design and implement a Software Certification Service (SCS) that receives certification requests from a project owner for a specific project and then issues a project certificate once the project owner successfully completes a protocol for proving ownership of the project. The proposed certification protocol is inspired by the highly successful ACME protocol used by Let's Encrypt and can be fully automated on the SCS side. It is, however, fundamentally different in its attack mitigation capabilities and in how ownership is proven. It is also compatible with existing community repositories such as PyPI, RubyGems, or NPM, without requiring changes to these repositories. To support this claim, we instantiate the proposed certification service with several practical deployments.
KW - Software certification
KW - Trust establishment
UR - http://www.scopus.com/inward/record.url?scp=85147991041&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85147991041&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-25538-0_24
DO - 10.1007/978-3-031-25538-0_24
M3 - Conference contribution
AN - SCOPUS:85147991041
SN - 9783031255373
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 450
EP - 469
BT - Security and Privacy in Communication Networks - 18th EAI International Conference, SecureComm 2022, Proceedings
A2 - Li, Fengjun
A2 - Liang, Kaitai
A2 - Lin, Zhiqiang
A2 - Katsikas, Sokratis K.
PB - Springer Science and Business Media Deutschland GmbH
T2 - 18th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2022
Y2 - 17 October 2022 through 19 October 2022
ER -