• Corpus ID: 235485489

Hardware-Enforced Integrity and Provenance for Distributed Code Deployments

  title={Hardware-Enforced Integrity and Provenance for Distributed Code Deployments},
  author={Marcela S. Melara and Mic Bowman},
Distributed code deployments today rely very heavily on a complex series of transformation and inspection operations, called the software supply chain, for the creation of an executable bundle that is run at a cloud provider. For example, a compilation tool transforms one or more input software artifacts (i.e., source code files and shared libraries) generating one or more output artifacts (i.e., bytecode or binary files, other shared libraries, container images). These may then subsequently be… 


in-toto: Providing farm-to-table guarantees for bits and bytes
In-toto is a framework that cryptographically ensures the integrity of the software supply chain and grants the end user the ability to verify the software’s supply chain from the project’'s inception to its deployment.
Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
A comparative framework to qualitatively assess the functional and security features of package managers for interpreted languages is proposed and well-known program analysis techniques such as metadata, static, and dynamic analysis are applied to study registry abuse.
Malware in the SGX Supply Chain: Be Careful When Signing Enclaves!
It is shown in the current article that a simple malware attack exploiting a separation between the build and signing processes can have a serious damaging impact, practically nullifying SGX integrity protection measures.
Innovative instructions and software model for isolated execution
This paper analyzes the threats and attacks to applications, then describes the ISA extension for generating a HW based container, and describes the programming model of this container.
Faasm: Lightweight Isolation for Efficient Stateful Serverless Computing
Faaslets, a new isolation abstraction for serverless big data computing, is introduced and it is shown that, when training a machine learning model, it achieves a 2x speed-up with 10x less memory; for serving machine learning inference, Faasm doubles the throughput and reduces tail latency by 90%.
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
This paper presents a dataset as well as analysis of 174 malicious software packages that were used in real-world attacks on open source software supply chains and which were distributed via the popular package repositories npm, PyPI, and RubyGems.
Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds
It is shown that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target, and how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.
Vulnerabilities in Continuous Delivery Pipelines? A Case Study
It is found that the team members that work with the CD pipeline in different roles do not have a strong security background but are aware of security attributes in general, and 22 vulnerabilities that have been confirmed by the project teams are identified.
Security of public continuous integration services
To eliminate one class of attack vectors, the paper describes a concept that encapsulates a part of the CI system via virtualization, and is implemented as a proof of concept.
From Security to Assurance in the Cloud
The notion of cloud security assurance is introduced and its growing impact on cloud security approaches is analyzed and some recommendations for the development of next-generation cloud security and assurance solutions are presented.