In-Toto: Providing farm-to-table guarantees for bits and bytes

Santiago Torres-Arias, Hammad Afzali, Trishank Karthik Kuppusamy, Reza Curtmola, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    The software development process is quite complex and involves a number of independent actors. Developers check source code into a version control system, the code is compiled into software at a build farm, and CI/CD systems run multiple tests to ensure the software's quality among a myriad of other operations. Finally, the software is packaged for distribution into a delivered product, to be consumed by end users. An attacker that is able to compromise any single step in the process can maliciously modify the software and harm any of the software's users. To address these issues, we designed in-toto, a framework that cryptographically ensures the integrity of the software supply chain. in-toto grants the end user the ability to verify the software's supply chain from the project's inception to its deployment. We demonstrate in-toto's effectiveness on 30 software supply chain compromises that affected hundreds of million of users and showcase in-toto's usage over cloud-native, hybrid-cloud and cloud-agnostic applications. in-toto is integrated into products and open source projects that are used by millions of people daily. The project website is available at: https://in-toto.io.

    Original languageEnglish (US)
    Title of host publicationProceedings of the 28th USENIX Security Symposium
    PublisherUSENIX Association
    Pages1393-1410
    Number of pages18
    ISBN (Electronic)9781939133069
    StatePublished - 2019
    Event28th USENIX Security Symposium - Santa Clara, United States
    Duration: Aug 14 2019Aug 16 2019

    Publication series

    NameProceedings of the 28th USENIX Security Symposium

    Conference

    Conference28th USENIX Security Symposium
    Country/TerritoryUnited States
    CitySanta Clara
    Period8/14/198/16/19

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Information Systems
    • Safety, Risk, Reliability and Quality

    Fingerprint

    Dive into the research topics of 'In-Toto: Providing farm-to-table guarantees for bits and bytes'. Together they form a unique fingerprint.

    Cite this