Diplomat: Using delegations to protect community repositories

Trishank Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

    Abstract

    Community repositories, such as Docker Hub, PyPI, and RubyGems, are bustling marketplaces that distribute software. Even though these repositories use common software signing techniques (e.g., GPG and TLS), attackers can still publish malicious packages after a server compromise. This is mainly because a community repository must have immediate access to signing keys in order to certify the large number of new projects that are registered each day. This work demonstrates that community repositories can offer compromise-resilience and real-time project registration by employing mechanisms that disambiguate trust delegations. This is done through two delegation mechanisms that provide flexibility in the amount of trust assigned to different keys. Using this idea we implement Diplomat, a software update framework that supports security models with different security / usability tradeoffs. By leveraging Diplomat, a community repository can achieve near-perfect compromise-resilience while allowing real-time project registration. For example, when Diplomat is deployed and configured to maximize security on Python’s community repository, less than 1% of users will be at risk even if an attacker controls the repository and is undetected for a month. Diplomat is being integrated by Ruby, CoreOS, Haskell, OCaml, and Python, and has already been deployed by Flynn, LEAP, and Docker.

    Original language: English (US)
    Title of host publication: Proceedings of the 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016
    Publisher: USENIX Association
    Pages: 567-581
    Number of pages: 15
    ISBN (Electronic): 9781931971294
    State: Published - Jan 1 2016
    Event: 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016 - Santa Clara, United States
    Duration: Mar 16 2016 → Mar 18 2016

    Publication series

    Name: Proceedings of the 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016

    Conference

    Conference: 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016
    Country: United States
    City: Santa Clara
    Period: 3/16/16 → 3/18/16

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Control and Systems Engineering

    Cite this

    Kuppusamy, T. K., Torres-Arias, S., Diaz, V., & Cappos, J. (2016). Diplomat: Using delegations to protect community repositories. In Proceedings of the 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016 (pp. 567-581). (Proceedings of the 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016). USENIX Association.