Mitigating attack on Software Supply Chain using GOSH Docker Extension
We woke up on Wednesday, August 3rd to the news of another major hack perpetrated against the users of a number of major blockchain networks. Just as we were finishing up our breakfast, we caught wind that tens of thousands of GitHub repositories were affected by a malware attack.
Unfortunately, events like these are becoming ever more common. However, this doesn't have to be the case. Why? The short answer: the GOSH Docker Extension, a tool built to secure the software supply chain. For the long answer, we offer this post: a specific explanation of how the attack that occurred over the last 24 hours could not happen on GOSH.
• Container Verification
One of the more basic ways GOSH repositories are protected against the attack is through a Decentralized Name Service (DeNS). It's a fast and secure tool to name artifacts in the blockchain in a serverless way. Therefore, when a user is looking for a repository on GOSH, provided they write the name correctly, they can be sure they'll see the correct repository. This is because GOSH is a content-addressable blockchain. An attacker has absolutely no way to circumvent this link, and no DeNS attack is possible, because there are no servers involved in name resolution. Easy checks can be created within CI/CD or any other GOSH automation scripts (more on that below). Also, the search can be built with security features, such as decentralized developer certification (think NFT) verification.
Likewise, using GOSH means you can easily build an automated check that the repository you build from is a repository from GOSH. The GOSH Docker Extension signs code from commit up to the container image by default. This is one of the advantages of storing git on the blockchain. It's impossible to inject any other third-party code, build, or script into this flow.
• Signatures
There is one major difference between the worlds of centralized and decentralized cryptography. The latter is built specifically so that developers don't need to trust anyone to carry out any operation, commit, or transaction, or to verify the certificates of centrally issued keys.
On GOSH every commit is signed by a private key. This allows developers to verify the identity of each contributor on any repository in a completely trustless fashion. Developers can verify that they're not building from any repository other than the repository they trust. It's clear whether a repository is cloned or the original, meaning attacks through false attribution won’t work.
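To make the two properties used above concrete (a content address that changes if the commit is tampered with, and a signature that ties each commit to a known contributor key), here is an added example of a minimal signed, content-addressed commit chain and the check a CI job would run over it. This is illustrative code written for this post, not GOSH's format or the Docker Extension's implementation; the `Commit` layout, the SHA-256 address and the Ed25519 signatures are assumptions, and `trusted` stands in for the set of contributor keys the build is allowed to accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Commit is a constructed, minimal model of a signed, content-addressed commit (not
// GOSH's real format): the ID hashes the content, the signature binds it to a key.
type Commit struct {
	Parent string            // ID of the parent commit ("" for the root)
	Tree   string            // hash of the source snapshot this commit records
	Author ed25519.PublicKey // key the commit claims to be signed with
	Sig    []byte
}

// payload returns the bytes that are both hashed (for the ID) and signed.
func (c Commit) payload() []byte {
	return []byte(c.Parent + "\n" + c.Tree + "\n" + hex.EncodeToString(c.Author))
}
func (c Commit) ID() string {
	sum := sha256.Sum256(c.payload())
	return hex.EncodeToString(sum[:])
}

// NewCommit builds a commit on top of parent and signs it with the author's key.
func NewCommit(parent, tree string, priv ed25519.PrivateKey) Commit {
	c := Commit{Parent: parent, Tree: tree, Author: priv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// VerifyChain walks from head back to the root: every commit must sit at its own
// content address and carry a valid signature from a trusted (hex-encoded) key.
func VerifyChain(head string, store map[string]Commit, trusted map[string]bool) error {
	for id := head; id != ""; {
		c, ok := store[id]
		if !ok || c.ID() != id {
			return fmt.Errorf("commit %s: missing, or content does not match its address", id)
		}
		if !trusted[hex.EncodeToString(c.Author)] {
			return fmt.Errorf("commit %s: author key is not a trusted contributor", id)
		}
		if !ed25519.Verify(c.Author, c.payload(), c.Sig) {
			return fmt.Errorf("commit %s: signature does not verify", id)
		}
		id = c.Parent
	}
	return nil
}
```

A clone that rewrites any commit lands at a different address, and a commit added by a key outside `trusted` is rejected, which is the check a build pipeline would run before consuming the tree.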
• Decentralized Autonomous Organizations (DAOs)
Social engineering is a major part of how this last attack was perpetrated. How many times do we accept PRs that we don't fully understand? Many very routine aspects of code are often left unchecked. However, on GOSH, repositories are DAOs. This means repositories don't have a single owner. There are many reviewers of any commit, and for a commit to be accepted, the contributors of the repository vote.
Humans make mistakes, but every additional pair of eyes exponentially reduces the vulnerability of code. DAO governance forces at least some members to always participate. And if any member doesn’t understand or doesn’t agree with a change, they can vote against it.
The DAO voting process means third parties that don’t belong to an organization cannot exploit many of the loopholes open today. GOSH doesn’t just secure the delivery of code through technical means but also through governance.
• CI/CD
With the push of a button, repository contributors can formally verify their smart contracts. This is thanks to the amazing work of GOSH partner Pruvendo. All of the above allows developers to rest easy in the knowledge that there are no bugs anywhere in their Software Supply Chain.
GOSH is the first ever platform to verify the correctness not only of code but of the whole Software Supply Chain.
• Speaker:
Mitja Goroshevsky, GOSH Co-founder.