Current location of this record: https://digitalcommons.njit.edu/dissertations/1691/

The New Jersey Institute of Technology's
Electronic Theses & Dissertations Project

Title: Towards improving the security of the software supply chain
Author: Afzali, Hammad
View Online: njit-etd2021-081
(xiv, 151 pages ~ 6.3 MB pdf)
Department: Department of Computer Science
Degree: Doctor of Philosophy
Program: Computer Science
Document Type: Dissertation
Advisory Committee: Curtmola, Reza (Committee chair)
Cappos, Justin (Committee member)
Borcea, Cristian (Committee member)
Tang, Qiang (Committee member)
Khreishah, Abdallah (Committee member)
Date: 2021-05
Keywords: Code review policy; Code review process; Signed commits; Software supply chain; Verifiable information; Web based hosting services
Availability: Unrestricted
Abstract:

A software supply chain comprises a series of steps performed to develop and distribute a software product. History has shown that each of these steps is vulnerable to attacks that can have serious repercussions and can affect many users at once. To address the attacks against the software supply chain, end users must be provided with verifiable guarantees about the individual steps of the chain and with assurances that the steps are securely chained together.

In this dissertation, the security of several individual steps in the software supply chain is enhanced. The first step of the chain, managing the source code, usually relies on a version control system (VCS). A compromised or malicious VCS can corrupt the integrity of the source code (e.g., by inserting a backdoor). Popular web-based repository hosting services such as GitHub lack strong security features that are otherwise available when using stand-alone client tools, such as the ability to sign commits on the client. Essentially, this means that developers who use the web UI give up the ability to sign their own commits and must fully trust the server. To address this issue, le-git-imate is proposed, which incorporates the security guarantees offered by Git's standard commit signature into web-based Git hosting services.
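The security property behind signed commits is that the commit ID, and the payload a signature covers, are computed from the commit's own content, so a client that knows the tree, parents, author line and message can recompute both without trusting the server. The following is an added illustration written for this page, not code from the dissertation or from le-git-imate: it serialises a commit exactly as Git does (SHA-1 over a typed, length-prefixed object), checks a server-reported ID against the locally recomputed one, and attaches a signature over the same payload. The commit fields are constructed, and HMAC with a shared key stands in for the asymmetric GPG/SSH signature Git actually stores in its `gpgsig` header; both are assumptions of the example.

```python
import hashlib
import hmac

# Added example, not code from the dissertation or from le-git-imate.
# Reconstructs a Git commit object the way Git does, so a client can verify
# what a commit ID names without trusting the hosting server.


def git_object_id(kind: str, body: bytes) -> str:
    """Git object ID: SHA-1 over "<kind> <len>\\0<body>" (Git's default hash)."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree: str, parents: list, author: str, committer: str,
                message: str) -> bytes:
    """Serialise commit metadata in Git's canonical commit-object layout.

    This is also the payload a commit signature covers; Git keeps the
    signature itself in a separate 'gpgsig' header, omitted here.
    The message normally ends with a newline, as Git writes it.
    """
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode()


def expected_commit_id(**fields) -> str:
    return git_object_id("commit", commit_body(**fields))


def verify_server_commit(server_reported_id: str, **fields) -> bool:
    """Recompute the ID from what the developer knows and compare.

    A server that silently altered the tree (e.g. inserted a backdoor) cannot
    report an ID that matches the locally recomputed one.
    """
    return hmac.compare_digest(server_reported_id, expected_commit_id(**fields))


# Assumption: HMAC stands in for the public-key (GPG/SSH) signature a
# developer would attach; it covers the same payload Git signs.
def sign_payload(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signature_valid(payload: bytes, key: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_payload(payload, key), sig)


if __name__ == "__main__":
    # Constructed sample commit; the tree is Git's well-known empty tree.
    fields = dict(
        tree="4b825dc642cb6eb9a060e54bf8d69288fbee4904",
        parents=[],
        author="Alice Developer <alice@example.com> 1620000000 +0000",
        committer="Alice Developer <alice@example.com> 1620000000 +0000",
        message="Initial commit\n",
    )
    honest_id = expected_commit_id(**fields)
    print("locally computed commit id:", honest_id)
    print("server reports matching id:", verify_server_commit(honest_id, **fields))
    # A server that swaps in a different tree cannot keep the same commit ID.
    swapped = dict(fields, tree="e69de29bb2d1d6434b8b29ae775ad8c2e48c5391")
    print("swapped tree accepted:", verify_server_commit(honest_id, **swapped))
    sig = sign_payload(commit_body(**fields), b"developer-key")
    print("signature verifies:", signature_valid(commit_body(**fields), b"developer-key", sig))
```

The two hard-coded IDs are the ones Git assigns to the empty tree and the empty blob, which is a quick way to confirm the serialisation is right before trusting the function on real commits. Note that the recomputation only protects content the developer supplied; if the web UI lets the server choose the tree (because the diff is applied server-side), the client must compute the tree ID itself as well, which is the harder part of doing this in a browser.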

Another crucial step in the software supply chain is the code review step, which helps to find defects in the software and to improve the readability and consistency of the project's codebase. Unfortunately, current code review systems do not have mechanisms to protect the integrity of the code review process, especially when the code review system is hosted at an untrusted server. To improve this status quo, a set of key design principles necessary to secure the code review process is identified. Then, these principles are used to propose SecureReview, a security mechanism that can be applied on top of a Git-based code review system to ensure the integrity of the code review process and provide verifiable guarantees that the code review process followed the intended review policy.

With SecureReview in place, auditors have access to verifiable metadata about the code review process so that they can verify whether the code review server tampered with the code reviews. However, this verification process is not only a matter of checking the authenticity and integrity of the code reviews (i.e., verifying a digital signature). It is also about ensuring that the sequence of code reviews that led to the approval of the code changes respects the intended code review policy. Depending on the code review workflow, this process can be quite complex and error prone if done manually. To address this issue, PolicyChecker is proposed, a tool that allows independent auditors to automatically verify the correctness of the code review process. It interprets different code review policies on GitHub and Gerrit and enables automatic verification of a given set of code reviews against a given code review policy. PolicyChecker is useful in two steps of the software supply chain: (1) when a maintainer merges a branch, so she does not have to blindly rely on the code review server, and (2) when someone pulls a repository and wants to check whether the code was merged according to the code review policy.
