
In-Toto: Attestations and More for Software Supply Chain Security

2023-04-20

Authors: Aditya Sirish A Yelgundhalli


Summary

The presentation discusses the use of The Update Framework (TUF) and the in-toto attestation framework in securing the software supply chain. It also introduces the Witness project and its tools, which simplify the creation and consumption of attestations.
  • TUF and in-toto are complementary projects that can be used together to secure the software supply chain
  • TUF allows repository metadata to associate in-toto metadata with the artifact being distributed from the repository
  • in-toto provides enhanced capabilities for layouts that allow verification of how the software supply chain was executed
  • Witness is a community-driven open source implementation of TUF that focuses on in-toto attestations
  • Witness has developed tools such as the Witness run action and the policy tool to simplify the creation and consumption of attestations
The presenter mentions a runtime trace predicate that captures the runtime trace of a build, together with a constraint that examines the trace to determine whether any network calls were made during the build. This lets a verifier confirm that the build ran in an environment with no outbound calls, ruling out that class of risk.
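To make the runtime-trace constraint concrete, here is an added example (not code from the talk, nor from the in-toto or Witness projects) that wraps a constructed runtime trace in an in-toto Statement and evaluates a "no network calls" policy over it. The Statement envelope fields (`_type`, `subject`, `predicateType`, `predicate`) follow the in-toto attestation framework; the predicate type URL, the trace layout, the syscall list and the sample traces are assumptions made for this example and do not correspond to a published predicate schema.

```python
"""Evaluate a hermetic-build constraint over a runtime-trace attestation.

Added example: the Statement envelope follows the in-toto attestation
framework, but the predicate type, trace format and sample data below
are constructed for illustration and are not a real predicate schema.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

# Hypothetical predicate type (assumption; not a published in-toto predicate).
RUNTIME_TRACE_PREDICATE = "https://example.com/predicates/runtime-trace/v0"

# Syscalls treated as evidence of outbound network activity (assumption).
NETWORK_SYSCALLS = {"socket", "connect", "sendto", "sendmsg"}

# Constructed sample traces: one hermetic build, one that phoned home.
CLEAN_TRACE = [
    {"pid": 101, "syscall": "execve", "args": ["/usr/bin/make"]},
    {"pid": 101, "syscall": "openat", "args": ["src/main.c"]},
    {"pid": 102, "syscall": "write", "args": ["build/app.o"]},
]
DIRTY_TRACE = CLEAN_TRACE + [
    {"pid": 103, "syscall": "socket", "args": ["AF_INET", "SOCK_STREAM"]},
    {"pid": 103, "syscall": "connect", "args": ["203.0.113.10:443"]},
]


def make_statement(artifact: bytes, trace: list) -> dict:
    """Build a Statement whose subject is the built artifact and whose
    predicate carries the (constructed) runtime trace of the build."""
    digest = hashlib.sha256(artifact).hexdigest()
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": digest}}],
        "predicateType": RUNTIME_TRACE_PREDICATE,
        "predicate": {"trace": trace},
    }


def parse_statement(raw: str) -> dict:
    """Parse a serialized Statement and reject anything that is not the
    predicate type this policy knows how to evaluate, so an unrelated
    attestation can never be mistaken for a passing trace."""
    statement = json.loads(raw)
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto Statement")
    if statement.get("predicateType") != RUNTIME_TRACE_PREDICATE:
        raise ValueError("unexpected predicate type: %r" % statement.get("predicateType"))
    if not isinstance(statement.get("predicate", {}).get("trace"), list):
        raise ValueError("predicate has no trace list")
    return statement


def network_calls(statement: dict) -> list:
    """Return every trace entry whose syscall indicates network activity."""
    return [e for e in statement["predicate"]["trace"] if e.get("syscall") in NETWORK_SYSCALLS]


def verify_hermetic_build(raw: str, artifact: bytes) -> dict:
    """Policy check: the attestation must describe the artifact we were handed
    (subject digest matches) and its trace must contain no network syscalls."""
    statement = parse_statement(raw)
    expected = hashlib.sha256(artifact).hexdigest()
    subject_ok = any(s.get("digest", {}).get("sha256") == expected for s in statement["subject"])
    calls = network_calls(statement)
    return {
        "subject_matches": subject_ok,
        "network_calls": calls,
        "passed": subject_ok and not calls,
    }


if __name__ == "__main__":
    artifact = b"constructed artifact bytes"
    for label, trace in (("clean", CLEAN_TRACE), ("dirty", DIRTY_TRACE)):
        raw = json.dumps(make_statement(artifact, trace))
        result = verify_hermetic_build(raw, artifact)
        print(label, "passed" if result["passed"] else "FAILED", result["network_calls"])
```

The two checks are deliberately separate: the digest check binds the attestation to the artifact being verified, and the predicate-type check keeps the verifier from silently accepting an attestation of some other kind, which is the same reason in-toto layouts name the expected predicate before any constraint is evaluated. In a real deployment the Statement would arrive inside a signed DSSE envelope and the signature would be checked against the expected functionary's key before this logic runs.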

Abstract

in-toto is a framework that secures software supply chains. The last couple of years have seen significant changes to in-toto, most notably the introduction of the in-toto Attestation framework. Today, many systems like Jenkins, Tekton Chains, Sigstore, and rebuilderd can generate in-toto attestations. SLSA recommends using in-toto as well, and GUAC was designed to visualize and process metadata like attestations. in-toto is also integrated with other CNCF projects like Keylime and SPIFFE/SPIRE. This talk will focus on several key efforts that are currently underway. First, we will show off how in-toto layouts (policies) can be used to verify attestations. Next, we will discuss our efforts to collate attestation types so as to map information captured in different types and their hierarchy. Finally, we will present a recap of other activities in the in-toto project like changes to implementations, usability enhancements, updates to integrations with systems mentioned above, and more!


Related work

Authors: Santiago Torres-Arias, Aditya Sirish A Yelgundhalli
2022-10-26

Authors: Michael Lieberman, Parth Patel
2022-10-26

Authors: Jesse Sanford, Jason Hall
2022-10-26