Securing Debian Software Updates with Skipchains and Verified Builds

Speaker: Kirill Nikitin

Track: Security

Type: Short talk (20 minutes)

Software-update mechanisms are critical to the security of modern computer systems because their compromise, often enabled by a typically centralized design, can jeopardize the security and privacy of thousands of end users. A compromise of a single signing key, a compromise of a build server, or a stealthy modification of source code can each result in a backdoor being planted in a release binary.

In this talk, we present CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of software releases. Independent witness servers collectively verify the conformance of software updates to release policies, build verifiers validate the source-to-binary correspondence, and a tamper-proof release log stores collectively signed updates, thus ensuring that no release is accepted by clients before being widely disclosed and validated. The framework is specifically designed for platforms like Debian, with open-source packages, a focus on reproducible compilation and a central update repository. We evaluate CHAINIAC on Debian reproducible packages and show that the secured update process takes an average of 5 minutes per release for individual packages, and only 20 seconds for the state of the whole repository, which shows that the framework is feasible for real-world deployment.
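As an added illustration (not CHAINIAC's own code, and a deliberate simplification of the design described above), the following Python models the three roles the abstract names: a build verifier that rebuilds from source and attests only to a binary whose hash matches its own rebuild, witnesses that endorse a release only after checking that attestation and the release's position in the log, and a client that accepts a release only once it carries a threshold of valid witness endorsements. HMAC-SHA256 with constructed keys stands in for real digital signatures and collective signing, the "compiler" is a deterministic stand-in for a reproducible build, and the log keeps only a single backward hash link rather than a skipchain's skip links. The package name, source bytes, witness count and threshold are constructed values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed keys; HMAC-SHA256 stands in for real (collective) signatures.
WITNESS_KEYS = {f"witness{i}": f"witness-secret-{i}".encode() for i in range(4)}
BUILD_VERIFIER_KEY = b"build-verifier-secret"
THRESHOLD = 3  # witness endorsements a client requires before installing


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sig_ok(key: bytes, msg: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


def reproducible_build(source: bytes) -> bytes:
    """Stand-in for a deterministic compiler: same source, same binary."""
    return b"ELF:" + sha256(source).encode()


@dataclass
class Release:
    package: str
    version: str
    source_hash: str
    binary_hash: str
    prev_hash: str                   # hash of the previous log entry ("" for genesis)
    build_attestation: str = ""      # build verifier's signature over both hashes
    witness_sigs: dict = field(default_factory=dict)

    def body(self) -> bytes:
        return json.dumps([self.package, self.version, self.source_hash,
                           self.binary_hash, self.prev_hash]).encode()

    def block_hash(self) -> str:
        return sha256(self.body())


def attest_build(source: bytes, claimed_binary_hash: str) -> str:
    """Build verifier: rebuild from source; sign only if the binary hash matches."""
    rebuilt_hash = sha256(reproducible_build(source))
    if rebuilt_hash != claimed_binary_hash:
        return ""  # refuse to attest a binary that does not correspond to the source
    return sign(BUILD_VERIFIER_KEY, (sha256(source) + rebuilt_hash).encode())


def witness_endorse(name: str, rel: Release, log: list) -> None:
    """Witness: endorse only a release that extends the log and carries a valid attestation."""
    expected_prev = log[-1].block_hash() if log else ""
    att_msg = (rel.source_hash + rel.binary_hash).encode()
    if rel.prev_hash == expected_prev and sig_ok(BUILD_VERIFIER_KEY, att_msg, rel.build_attestation):
        rel.witness_sigs[name] = sign(WITNESS_KEYS[name], rel.body())


def client_accepts(log: list, rel: Release) -> bool:
    """Client: chain link, build attestation and a threshold of witness endorsements."""
    expected_prev = log[-1].block_hash() if log else ""
    if rel.prev_hash != expected_prev:
        return False
    att_msg = (rel.source_hash + rel.binary_hash).encode()
    if not sig_ok(BUILD_VERIFIER_KEY, att_msg, rel.build_attestation):
        return False
    valid = sum(1 for n, s in rel.witness_sigs.items()
                if n in WITNESS_KEYS and sig_ok(WITNESS_KEYS[n], rel.body(), s))
    return valid >= THRESHOLD


def publish(log: list, package: str, version: str, source: bytes,
            binary: bytes, witnesses: list) -> bool:
    """Run one release through verifier, witnesses and client; append it if accepted."""
    rel = Release(package, version, sha256(source), sha256(binary),
                  log[-1].block_hash() if log else "")
    rel.build_attestation = attest_build(source, rel.binary_hash)
    for w in witnesses:
        witness_endorse(w, rel, log)
    accepted = client_accepts(log, rel)
    if accepted:
        log.append(rel)
    return accepted


def demo() -> tuple:
    log = []
    src = b"int main(void) { return 0; }"          # constructed source
    good = publish(log, "hello", "1.0", src, reproducible_build(src), list(WITNESS_KEYS))
    # A binary that does not correspond to the source: the verifier refuses to attest.
    tampered = publish(log, "hello", "1.1", src, b"ELF:not-from-source", list(WITNESS_KEYS))
    # A well-formed release endorsed by too few witnesses: the client refuses it.
    src2 = b"int main(void) { return 1; }"
    few = publish(log, "hello", "1.1", src2, reproducible_build(src2), ["witness0", "witness1"])
    return good, tampered, few, len(log)


if __name__ == "__main__":
    print(demo())  # (True, False, False, 1)
```

The point of the model is where each check lives: the build verifier never sees the witnesses' keys, the witnesses never rebuild anything, and the client trusts neither individually, so a single compromised signing key, build host or log server cannot get a release accepted on its own.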

This talk is primarily targeted at Debian developers and aims to present a new systematic approach to securing software-update repositories, with the hope that the best of this approach will be fully or, at least, partially incorporated into the Debian infrastructure. The corresponding scientific paper has been published at USENIX Security ’17 and can be found online.