Le-git-imate: Towards verifiable web-based git repositories

Hammad Afzali, Santiago Torres-Arias, Reza Curtmola, Justin Cappos

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

Web-based Git hosting services such as GitHub and GitLab are popular choices to manage and interact with Git repositories. However, they lack an important security feature - the ability to sign Git commits. Users instruct the server to perform repository operations on their behalf and have to trust that the server will execute their requests faithfully. Such trust may be unwarranted though because a malicious or a compromised server may execute the requested actions in an incorrect manner, leading to a different state of the repository than what the user intended. In this paper, we show a range of high-impact attacks that can be executed stealthily when developers use the web UI of a Git hosting service to perform common actions such as editing files or merging branches. We then propose le-git-imate, a defense against these attacks which provides security guarantees comparable and compatible with Git's standard commit signing mechanism. We implement le-git-imate as a Chrome browser extension. le-git-imate does not require changes on the server side and can thus be used immediately. It also preserves current workflows used in Github/GitLab and does not require the user to leave the browser, and it allows anyone to verify that the server's actions faithfully follow the user's requested actions. Moreover, experimental evaluation using the browser extension shows that le-git-imate has comparable performance with Git's standard commit signature mechanism. With our solution in place, users can take advantage of GitHub/GitLab's web-based features without sacrificing security, thus paving the way towards verifiable web-based Git repositories.

Original languageEnglish (US)
Title of host publicationASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery, Inc
Pages469-482
Number of pages14
ISBN (Electronic)9781450355766
DOIs
StatePublished - May 29 2018
Event13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018 - Incheon, Korea, Republic of
Duration: Jun 4 2018Jun 8 2018

Publication series

NameASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security

Other

Other13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018
Country/TerritoryKorea, Republic of
CityIncheon
Period6/4/186/8/18

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Science Applications
  • Information Systems
  • Computer Networks and Communications

Keywords

  • Browser extension
  • Commit signature
  • GitHub
  • Verification record

Fingerprint

Dive into the research topics of 'Le-git-imate: Towards verifiable web-based git repositories'. Together they form a unique fingerprint.

Cite this