Bootstrapping Trust in Community Repository Projects

Sangat Vaidya, Santiago Torres-Arias, Justin Cappos, Reza Curtmola

    Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

    Abstract

    Community repositories such as PyPI and NPM are immensely popular and collectively serve more than a billion packages per day. However, existing software certification mechanisms such as code signing, which seeks to provide end users with authenticity and integrity guarantees for a piece of software, are not suitable for community repositories and are not used in this context. This is very concerning, given the recent increase in the frequency and variety of attacks against community repositories. In this work, we propose a different approach for certifying the validity of software projects hosted on community repositories. We design and implement a Software Certification Service (SCS) that receives certification requests from a project owner for a specific project and then issues a project certificate once the project owner successfully completes a protocol for proving ownership of the project. The proposed certification protocol is inspired by the highly successful ACME protocol used by Let's Encrypt and can be fully automated on the SCS side. It is, however, fundamentally different in its attack mitigation capabilities and in how ownership is proven. It is also compatible with existing community repositories such as PyPI, RubyGems, or NPM, without requiring changes to these repositories. To support this claim, we instantiate the proposed certification service with several practical deployments.

    Original language: English (US)
    Title of host publication: Security and Privacy in Communication Networks - 18th EAI International Conference, SecureComm 2022, Proceedings
    Editors: Fengjun Li, Kaitai Liang, Zhiqiang Lin, Sokratis K. Katsikas
    Publisher: Springer Science and Business Media Deutschland GmbH
    Pages: 450-469
    Number of pages: 20
    ISBN (Print): 9783031255373
    State: Published - 2023
    Event: 18th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2022 - Virtual, Online
    Duration: Oct 17 2022 - Oct 19 2022

    Publication series

    Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    Volume: 462 LNICST
    ISSN (Print): 1867-8211
    ISSN (Electronic): 1867-822X

    Conference

    Conference: 18th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2022
    City: Virtual, Online
    Period: 10/17/22 - 10/19/22

    Keywords

    • Software certification
    • Trust establishment

    ASJC Scopus subject areas

    • Computer Networks and Communications
