A team of researchers from New York University's Tandon School of Engineering has launched the first version of its open-source tool for preventing attacks on the software supply chain.

In-toto, in development since 2016, is a free framework that cryptographically safeguards the software supply chain, ensuring that each step in producing software — writing, testing, packaging and development — is protected from tampering or the insertion of malicious code that could compromise the finished product.

"As it moves from development to testing to packaging, and finally to distribution, a piece of software passes through a number of hands," explained Santiago Torres-Arias, who helped create In-toto as a Ph.D. student at NYU Tandon and is now a professor at Purdue University. "By requiring that each step in this chain conforms to the layout specified by the developer, it confirms to the end-user that the product has not been altered for malicious purposes, such as by adding backdoors in the source code."

In-toto therefore lets each company or organization define the protocols to be followed at every step of software development. As each step completes, In-toto collects link metadata: cryptographically verifiable statements confirming that the step was carried out according to the agreed-upon protocol. This addresses a common security problem in the software supply chain, where it is hard to tell whether malicious activity took place within a specific step, such as development or packaging, rather than in the hand-off from one step to the next. The link metadata gives better control over the development process, so that if a step is compromised, the threat can be located and stopped.
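As an added illustration that is not part of the article and does not use the in-toto library or its metadata format, the following Python models the idea described above: a layout fixes the steps and their authorized signers, each step emits a signed link recording hashes of its inputs and outputs, and verification checks that every link is signed by the right party and that artifacts pass unchanged from one step to the next. All names, keys and file contents are constructed, and HMAC stands in for the public-key signatures in-toto actually uses.

```python
"""Simplified model of in-toto's idea (not the in-toto library or its metadata
format): a layout names the steps and who may sign each, every step emits a
signed link recording hashes of its inputs (materials) and outputs (products),
and verification checks signatures and that each step's products flow
unchanged into the next step's materials."""
import hashlib
import hmac
import json

# Constructed per-functionary secrets. Real in-toto uses public-key signatures;
# HMAC stands in so the example runs offline with the standard library only.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}

# Constructed layout: ordered steps and the functionary allowed to sign each.
LAYOUT = [("build", "alice"), ("package", "bob")]

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def make_link(step, functionary, materials, products):
    """Record a step's input/output hashes and sign the canonical body."""
    body = {"step": step, "by": functionary,
            "materials": {n: digest(b) for n, b in materials.items()},
            "products": {n: digest(b) for n, b in products.items()}}
    sig = hmac.new(KEYS[functionary], canonical(body), "sha256").hexdigest()
    return {"body": body, "sig": sig}

def verify(layout, links):
    """Return (ok, reason): checks signer, signature and artifact flow per step."""
    prev_products = None
    for step, signer in layout:
        link = links.get(step)
        if link is None:
            return False, f"missing link for step {step}"
        body = link["body"]
        if body["by"] != signer:
            return False, f"step {step} signed by unauthorized {body['by']}"
        expected = hmac.new(KEYS[signer], canonical(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"bad signature on step {step}"
        # Products of the previous step must be exactly the materials of this one.
        if prev_products is not None and body["materials"] != prev_products:
            return False, f"artifacts changed between steps before {step}"
        prev_products = body["products"]
    return True, "ok"
```

A binary swapped between the build and package steps shows up as a materials/products mismatch, while a link signed by the wrong functionary or edited after signing fails the signer or signature check.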

For more information, watch the accompanying video of the tool as it was first presented at the USENIX Security Symposium in August 2019. The research is also described in a corresponding paper: "In-toto: Providing farm-to-table guarantees for bits and bytes."

To contact the author of this article, email mdonlon@globalspec.com