TY - GEN
T1 - On omitting commits and committing omissions
T2 - 25th USENIX Security Symposium
AU - Torres-Arias, Santiago
AU - Ammula, Anil Kumar
AU - Curtmola, Reza
AU - Cappos, Justin
PY - 2016/1/1
Y1 - 2016/1/1
N2 - Metadata manipulation attacks represent a new threat class directed against Version Control Systems, such as the popular Git. This type of attack provides inconsistent views of a repository state to different developers, and deceives them into performing unintended operations with often negative consequences. These include omitting security patches, merging untested code into a production branch, and even inadvertently installing software containing known vulnerabilities. To make matters worse, the attacks are subtle by nature and leave no trace after being executed. We propose a defense scheme that mitigates these attacks by maintaining a cryptographically-signed log of relevant developer actions. By documenting the state of the repository at a particular time when an action is taken, developers are given a shared history, so irregularities are easily detected. Our prototype implementation of the scheme can be deployed immediately as it is backwards compatible and preserves current workflows and use cases for Git users. An evaluation shows that the defense adds a modest overhead while offering significantly stronger security. We performed responsible disclosure of the attacks and are working with the Git community to fix these issues in an upcoming version of Git.
AB - Metadata manipulation attacks represent a new threat class directed against Version Control Systems, such as the popular Git. This type of attack provides inconsistent views of a repository state to different developers, and deceives them into performing unintended operations with often negative consequences. These include omitting security patches, merging untested code into a production branch, and even inadvertently installing software containing known vulnerabilities. To make matters worse, the attacks are subtle by nature and leave no trace after being executed. We propose a defense scheme that mitigates these attacks by maintaining a cryptographically-signed log of relevant developer actions. By documenting the state of the repository at a particular time when an action is taken, developers are given a shared history, so irregularities are easily detected. Our prototype implementation of the scheme can be deployed immediately as it is backwards compatible and preserves current workflows and use cases for Git users. An evaluation shows that the defense adds a modest overhead while offering significantly stronger security. We performed responsible disclosure of the attacks and are working with the Git community to fix these issues in an upcoming version of Git.
UR - http://www.scopus.com/inward/record.url?scp=85041445640&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85041445640&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 25th USENIX Security Symposium
SP - 379
EP - 395
BT - Proceedings of the 25th USENIX Security Symposium
PB - USENIX Association
Y2 - 10 August 2016 through 12 August 2016
ER -