Le-git-imate: Towards verifiable web-based git repositories

Hammad Afzali, Santiago Torres-Arias, Reza Curtmola, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Web-based Git hosting services such as GitHub and GitLab are popular choices to manage and interact with Git repositories. However, they lack an important security feature - the ability to sign Git commits. Users instruct the server to perform repository operations on their behalf and have to trust that the server will execute their requests faithfully. Such trust may be unwarranted though because a malicious or a compromised server may execute the requested actions in an incorrect manner, leading to a different state of the repository than what the user intended. In this paper, we show a range of high-impact attacks that can be executed stealthily when developers use the web UI of a Git hosting service to perform common actions such as editing files or merging branches. We then propose le-git-imate, a defense against these attacks which provides security guarantees comparable and compatible with Git's standard commit signing mechanism. We implement le-git-imate as a Chrome browser extension. le-git-imate does not require changes on the server side and can thus be used immediately. It also preserves current workflows used in Github/GitLab and does not require the user to leave the browser, and it allows anyone to verify that the server's actions faithfully follow the user's requested actions. Moreover, experimental evaluation using the browser extension shows that le-git-imate has comparable performance with Git's standard commit signature mechanism. With our solution in place, users can take advantage of GitHub/GitLab's web-based features without sacrificing security, thus paving the way towards verifiable web-based Git repositories.

    Original languageEnglish (US)
    Title of host publicationASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
    PublisherAssociation for Computing Machinery, Inc
    Pages469-482
    Number of pages14
    ISBN (Electronic)9781450355766
    DOIs
    StatePublished - May 29 2018
    Event13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018 - Incheon, Korea, Republic of
    Duration: Jun 4 2018Jun 8 2018

    Publication series

    NameASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security

    Other

    Other13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018
    CountryKorea, Republic of
    CityIncheon
    Period6/4/186/8/18

    Keywords

    • Browser extension
    • Commit signature
    • GitHub
    • Verification record

    ASJC Scopus subject areas

    • Software
    • Computer Science Applications
    • Information Systems
    • Computer Networks and Communications

    Fingerprint Dive into the research topics of 'Le-git-imate: Towards verifiable web-based git repositories'. Together they form a unique fingerprint.

    Cite this