TY - GEN
T1 - Commit signatures for centralized version control systems
AU - Vaidya, Sangat
AU - Torres-Arias, Santiago
AU - Curtmola, Reza
AU - Cappos, Justin
N1 - Funding Information:
Acknowledgments. This research was supported by the NSF under Grants No. CNS 1801430 and DGE 1565478. We would like to thank Ruchir Arya for contributions to an earlier version of this work.
Funding Information:
This research was supported by the NSF under Grants No. CNS 1801430 and DGE 1565478. We would like to thank Ruchir Arya for contributions to an earlier version of this work.
Publisher Copyright:
© IFIP International Federation for Information Processing 2019.
PY - 2019
Y1 - 2019
N2 - Version Control Systems (VCS-es) play a major role in the software development life cycle, yet historically their security has been relatively underdeveloped compared to their importance. Recent history has shown that source code repositories represent appealing attack targets. Attacks that violate the integrity of repository data can impact negatively millions of users. Some VCS-es, such as Git, employ commit signatures as a mechanism to provide developers with cryptographic protections for the code they contribute to a repository. However, an entire class of other VCS-es, including the well-known Apache Subversion (SVN), lacks such protections. We design the first commit signing mechanism for centralized version control systems, which supports features such as working with a subset of the repository and allowing clients to work on disjoint sets of files without having to retrieve each other’s changes. We implement a prototype for the proposed commit signing mechanism on top of the SVN codebase and show experimentally that it only incurs a modest overhead. With our solution in place, the VCS security model is substantially improved.
AB - Version Control Systems (VCS-es) play a major role in the software development life cycle, yet historically their security has been relatively underdeveloped compared to their importance. Recent history has shown that source code repositories represent appealing attack targets. Attacks that violate the integrity of repository data can impact negatively millions of users. Some VCS-es, such as Git, employ commit signatures as a mechanism to provide developers with cryptographic protections for the code they contribute to a repository. However, an entire class of other VCS-es, including the well-known Apache Subversion (SVN), lacks such protections. We design the first commit signing mechanism for centralized version control systems, which supports features such as working with a subset of the repository and allowing clients to work on disjoint sets of files without having to retrieve each other’s changes. We implement a prototype for the proposed commit signing mechanism on top of the SVN codebase and show experimentally that it only incurs a modest overhead. With our solution in place, the VCS security model is substantially improved.
KW - Commit signature
KW - SVN
KW - Version control system
UR - http://www.scopus.com/inward/record.url?scp=85068234550&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85068234550&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-22312-0_25
DO - 10.1007/978-3-030-22312-0_25
M3 - Conference contribution
AN - SCOPUS:85068234550
SN - 9783030223113
T3 - IFIP Advances in Information and Communication Technology
SP - 359
EP - 373
BT - ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings
A2 - Dhillon, Gurpreet
A2 - Karlsson, Fredrik
A2 - Hedström, Karin
A2 - Zúquete, André
PB - Springer New York LLC
T2 - 34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019
Y2 - 25 June 2019 through 27 June 2019
ER -