Extending Cloud Build Systems to Eliminate Transitive Trust

Martin Schwaighofer; Michael Roland; Rene Mayrhofer

doi:10.1145/3689944.3696169

Extending Cloud Build Systems to Eliminate Transitive Trust

Martin Schwaighofer
, Michael Roland
, Rene Mayrhofer

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

Abstract

Trusting the output of a build process requires trusting the build process itself, and the build process of all inputs to that process, and so on. Cloud build systems, like Nix or Bazel, allow their users to precisely specify the build steps making up the intended software supply chain, build the desired outputs as specified, and on this basis delegate build steps to other builders or fill shared caches with their outputs. Delegating build steps or consuming artifacts from shared caches, however, requires trusting the executing builders, which makes cloud build systems better suited for centrally managed deployments than for use across distributed ecosystems. We propose two key extensions to make cloud build systems better suited for use in distributed ecosystems. Our approach attaches metadata to the existing cryptographically secured data structures and protocols, which already link build inputs and outputs for the purpose of caching. Firstly, we include builder provenance data, recording which builder executed the build, its software stack, and a remote attestation, making this information verifiable. Secondly, we include a record of the outcome of how the builder resolved each dependency. Together, these two measures eliminate transitive trust in software dependencies, by enabling users to perform verification of transitive dependencies independently, and against their own criteria, at time of use. Finally, we explain how our proposed extensions could theoretically be implemented in Nix in the future.

Original language	English
Title of host publication	Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24)
Place of Publication	Salt Lake City, UT, USA
Publisher	ACM
Pages	45-55
Number of pages	11
ISBN (Electronic)	9798400712401
DOIs	https://doi.org/10.1145/3689944.3696169
Publication status	Published - Oct 2024
Event	ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses - Salt Lake City, United States Duration: 18 Oct 2024 → … https://scored.dev/

Workshop

Workshop	ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
Abbreviated title	SCORED '24
Country/Territory	United States
City	Salt Lake City
Period	18.10.2024 → …
Internet address	https://scored.dev/

Fields of science

102 Computer Sciences
102016 IT security
102038 Cloud computing
102022 Software development
102025 Distributed systems

JKU Focus areas

Digital Transformation
Sustainable Development: Responsible Technologies and Management

Access to Document

10.1145/3689944.3696169

Christian Doppler Laboratory for Private Digital Authentication in the Physical World - Digidow
Mayrhofer, R. (PI)
01.01.2020 → 31.12.2026
Project: Funded research › CDG - Christian Doppler Forschungsgesellschaft

Cite this

@inproceedings{667eb99ff642439e901cbe06dd87fec1,

title = "Extending Cloud Build Systems to Eliminate Transitive Trust",

abstract = "Trusting the output of a build process requires trusting the build process itself, and the build process of all inputs to that process, and so on. Cloud build systems, like Nix or Bazel, allow their users to precisely specify the build steps making up the intended software supply chain, build the desired outputs as specified, and on this basis delegate build steps to other builders or fill shared caches with their outputs. Delegating build steps or consuming artifacts from shared caches, however, requires trusting the executing builders, which makes cloud build systems better suited for centrally managed deployments than for use across distributed ecosystems. We propose two key extensions to make cloud build systems better suited for use in distributed ecosystems. Our approach attaches metadata to the existing cryptographically secured data structures and protocols, which already link build inputs and outputs for the purpose of caching. Firstly, we include builder provenance data, recording which builder executed the build, its software stack, and a remote attestation, making this information verifiable. Secondly, we include a record of the outcome of how the builder resolved each dependency. Together, these two measures eliminate transitive trust in software dependencies, by enabling users to perform verification of transitive dependencies independently, and against their own criteria, at time of use. Finally, we explain how our proposed extensions could theoretically be implemented in Nix in the future.",

author = "Martin Schwaighofer and Michael Roland and Rene Mayrhofer",

year = "2024",

month = oct,

doi = "10.1145/3689944.3696169",

language = "English",

pages = "45--55",

booktitle = "Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24)",

publisher = "ACM",

note = "ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, SCORED '24 ; Conference date: 18-10-2024",

url = "https://scored.dev/",

}

Schwaighofer, M, Roland, M & Mayrhofer, R 2024, Extending Cloud Build Systems to Eliminate Transitive Trust. in Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24). ACM, Salt Lake City, UT, USA, pp. 45-55, ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, Salt Lake City, Utah, United States, 18.10.2024. https://doi.org/10.1145/3689944.3696169

Extending Cloud Build Systems to Eliminate Transitive Trust. / Schwaighofer, Martin; Roland, Michael ; Mayrhofer, Rene.
Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24). Salt Lake City, UT, USA: ACM, 2024. p. 45-55.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

TY - GEN

T1 - Extending Cloud Build Systems to Eliminate Transitive Trust

AU - Schwaighofer, Martin

AU - Roland, Michael

AU - Mayrhofer, Rene

PY - 2024/10

Y1 - 2024/10

N2 - Trusting the output of a build process requires trusting the build process itself, and the build process of all inputs to that process, and so on. Cloud build systems, like Nix or Bazel, allow their users to precisely specify the build steps making up the intended software supply chain, build the desired outputs as specified, and on this basis delegate build steps to other builders or fill shared caches with their outputs. Delegating build steps or consuming artifacts from shared caches, however, requires trusting the executing builders, which makes cloud build systems better suited for centrally managed deployments than for use across distributed ecosystems. We propose two key extensions to make cloud build systems better suited for use in distributed ecosystems. Our approach attaches metadata to the existing cryptographically secured data structures and protocols, which already link build inputs and outputs for the purpose of caching. Firstly, we include builder provenance data, recording which builder executed the build, its software stack, and a remote attestation, making this information verifiable. Secondly, we include a record of the outcome of how the builder resolved each dependency. Together, these two measures eliminate transitive trust in software dependencies, by enabling users to perform verification of transitive dependencies independently, and against their own criteria, at time of use. Finally, we explain how our proposed extensions could theoretically be implemented in Nix in the future.

AB - Trusting the output of a build process requires trusting the build process itself, and the build process of all inputs to that process, and so on. Cloud build systems, like Nix or Bazel, allow their users to precisely specify the build steps making up the intended software supply chain, build the desired outputs as specified, and on this basis delegate build steps to other builders or fill shared caches with their outputs. Delegating build steps or consuming artifacts from shared caches, however, requires trusting the executing builders, which makes cloud build systems better suited for centrally managed deployments than for use across distributed ecosystems. We propose two key extensions to make cloud build systems better suited for use in distributed ecosystems. Our approach attaches metadata to the existing cryptographically secured data structures and protocols, which already link build inputs and outputs for the purpose of caching. Firstly, we include builder provenance data, recording which builder executed the build, its software stack, and a remote attestation, making this information verifiable. Secondly, we include a record of the outcome of how the builder resolved each dependency. Together, these two measures eliminate transitive trust in software dependencies, by enabling users to perform verification of transitive dependencies independently, and against their own criteria, at time of use. Finally, we explain how our proposed extensions could theoretically be implemented in Nix in the future.

U2 - 10.1145/3689944.3696169

DO - 10.1145/3689944.3696169

M3 - Conference proceedings

SP - 45

EP - 55

BT - Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '24)

PB - ACM

CY - Salt Lake City, UT, USA

T2 - ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

Y2 - 18 October 2024

ER -

Extending Cloud Build Systems to Eliminate Transitive Trust

Abstract

Workshop

Fields of science

JKU Focus areas

Access to Document

Projects

Christian Doppler Laboratory for Private Digital Authentication in the Physical World - Digidow

Cite this