Commit signatures for centralized version control systems

Sangat Vaidya, Santiago Torres-Arias, Reza Curtmola, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Version Control Systems (VCS-es) play a major role in the software development life cycle, yet historically their security has been relatively underdeveloped compared to their importance. Recent history has shown that source code repositories represent appealing attack targets. Attacks that violate the integrity of repository data can impact negatively millions of users. Some VCS-es, such as Git, employ commit signatures as a mechanism to provide developers with cryptographic protections for the code they contribute to a repository. However, an entire class of other VCS-es, including the well-known Apache Subversion (SVN), lacks such protections. We design the first commit signing mechanism for centralized version control systems, which supports features such as working with a subset of the repository and allowing clients to work on disjoint sets of files without having to retrieve each other’s changes. We implement a prototype for the proposed commit signing mechanism on top of the SVN codebase and show experimentally that it only incurs a modest overhead. With our solution in place, the VCS security model is substantially improved.

    Original languageEnglish (US)
    Title of host publicationICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings
    EditorsGurpreet Dhillon, Fredrik Karlsson, Karin Hedström, André Zúquete
    PublisherSpringer New York LLC
    Pages359-373
    Number of pages15
    ISBN (Print)9783030223113
    DOIs
    StatePublished - 2019
    Event34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019 - Lisbon, Portugal
    Duration: Jun 25 2019Jun 27 2019

    Publication series

    NameIFIP Advances in Information and Communication Technology
    Volume562
    ISSN (Print)1868-4238
    ISSN (Electronic)1868-422X

    Conference

    Conference34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019
    CountryPortugal
    CityLisbon
    Period6/25/196/27/19

    Keywords

    • Commit signature
    • SVN
    • Version control system

    ASJC Scopus subject areas

    • Information Systems
    • Computer Networks and Communications
    • Information Systems and Management

    Fingerprint Dive into the research topics of 'Commit signatures for centralized version control systems'. Together they form a unique fingerprint.

  • Cite this

    Vaidya, S., Torres-Arias, S., Curtmola, R., & Cappos, J. (2019). Commit signatures for centralized version control systems. In G. Dhillon, F. Karlsson, K. Hedström, & A. Zúquete (Eds.), ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings (pp. 359-373). (IFIP Advances in Information and Communication Technology; Vol. 562). Springer New York LLC. https://doi.org/10.1007/978-3-030-22312-0_25