in-toto / ite Goto Github PK

in-toto Enhancements

License: Other

ite's Introduction

in-toto

in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.

in-toto requires a project owner to create a layout. A layout lists the sequence of steps of the software supply chain, and the functionaries authorized to perform these steps. When a functionary performs a step in-toto gathers information about the used command and the related files and stores it in a link metadata file. As a consequence link files provide the required evidence to establish a continuous chain that can be validated against the steps defined in the layout.

The layout, signed by the project owners, together with the links, signed by the designated functionaries, are released as part of the final product, and can be validated manually or via automated tooling in, e.g. a package manager.

Getting Started

Installation

in-toto is available on PyPI and can be installed via pip. See in-toto.readthedocs.io to learn about system dependencies and installation alternatives and recommendations.

pip install in-toto

Create layout, run supply chain steps and verify final product

Layout

The in-toto software supply chain layout consists of the following parts:

expiration date
readme (an optional description of the supply chain)
functionary keys (public keys, used to verify link metadata signatures)
signatures (one or more layout signatures created with the project owner key(s))
software supply chain steps correspond to steps carried out by a functionary as part of the software supply chain. The steps defined in the layout list the functionaries who are authorized to carry out the step (by key id). Steps require a unique name to associate them (upon verification) with link metadata that is created when a functionary carries out the step using the in-toto tools. Additionally, steps must have material and product rules which define the files a step is supposed to operate on. Material and product rules are described in the section below.
inspections define commands to be run during the verification process and can also list material and product rules.

Take a look at the demo layout creation example for further information on how to create an in-toto layout.

Artifact Rules

A software supply chain usually operates on a set of files, such as source code, executables, packages, or the like. in-toto calls these files artifacts. A material is an artifact that will be used when a step or inspection is carried out. Likewise, a product is an artifact that results from carrying out a step.

The in-toto layout provides a simple rule language to authorize or enforce the artifacts of a step and to chain them together. This adds the following guarantees for any given step or inspection:

Only artifacts authorized by the project owner are created, modified or deleted,
each defined creation, modification or deletion is enforced, and also
restricted to the scope of its definition, which chains subsequent steps and inspections together.

Note that it is up to you to properly secure your supply chain, by authorizing, enforcing and chaining materials and products using any and usually multiple of the following rules:

CREATE <pattern>
DELETE <pattern>
MODIFY <pattern>
ALLOW <pattern>
DISALLOW <pattern>
REQUIRE <file>
MATCH <pattern> [IN <source-path-prefix>] WITH (MATERIALS|PRODUCTS) [IN <destination-path-prefix>] FROM <step>

Rule arguments specified as <pattern> allow for Unix shell-style wildcards as implemented by Python's fnmatch.

in-toto's Artifact Rules, by default, allow artifacts to exist if they are not explicitly disallowed. As such, a DISALLOW * invocation is recommended as the final rule for most step definitions. To learn more about the different rule types, their guarantees and how they are applied, take a look at the Artifact Rules section of the in-toto specification.

Carrying out software supply chain steps

in-toto-run

in-toto-run is used to execute a step in the software supply chain. This can be anything relevant to the project such as tagging a release with git, running a test, or building a binary. The relevant step name and command are passed as arguments, along with materials, which are files required for that step's command to execute, and products which are files expected as a result of the execution of that command. These, and other relevant details pertaining to the step are stored in a link file, which is signed using the functionary's key.

If materials are not passed to the command, the link file generated just doesn't record them. Similarly, if the execution of a command via in-toto-run doesn't result in any products, they're not recorded in the link file. Any files that are modified or used in any way during the execution of the command are not recorded in the link file unless explicitly passed as artifacts. Conversely, any materials or products passed to the command are recorded in the link file even if they're not part of the execution of the command.

See this simple usage example from the demo application for more details. For a detailed list of all the command line arguments, run in-toto-run --help or look at the online documentation.

in-toto-record

in-toto-record works similar to in-toto-run but can be used for multi-part software supply chain steps, i.e. steps that are not carried out by a single command. Use in-toto-record start ... to create a preliminary link file that only records the materials, then run the commands of that step or edit files manually and finally use in-toto-record stop ... to record the products and generate the actual link metadata file. For a detailed list of all command line arguments and their usage, run in-toto-record start --help or in-toto-record stop --help, or look at the online documentation.

Release final product

In order to verify the final product with in-toto, the verifier must have access to the layout, the *.link files, and the project owner's public key(s).

Verification

Use in-toto-verify on the final product to verify that

the layout was signed with the project owner's private key(s),
has not expired,
each step was performed and signed by the authorized functionary,
the functionaries used the commands, they were supposed to use,
materials and products of each step were in place as defined by the rules, and
run the defined inspections

For a detailed list of all command line arguments and their usage, run in-toto-verify --help or look at the online documentation.

Signatures

in-toto-sign is a metadata signature helper tool to add, replace, and verify signatures within in-toto Link or Layout metadata, with options to:

replace (default) or add signature(s), with layout metadata able to be signed by multiple keys at once while link metadata can only be signed by one key at a time
write signed metadata to a specified path (if no output path is specified, layout metadata is written to the path of the input file while link metadata is written to <name>.<keyid prefix>.link)
verify signatures

This tool serves well to re-sign test and demo data. For example, it can be used if metadata formats or signing routines change.

For a detailed list of all command line arguments and their usage, run in-toto-sign --help or look at the online documentation.

in-toto demo

You can try in-toto by running the demo application. The demo basically outlines three users viz., Alice (project owner), Bob (functionary) and Carl (functionary) and how in-toto helps to specify a project layout and verify that the layout has been followed in a correct manner.

Specification

You can read more about how in-toto works by taking a look at the specification.

Security Issues and Bugs

See SECURITY.md.

Governance and Contributing

For information about in-toto's governance and contributing guidelines, see GOVERNANCE.md and CONTRIBUTING.md.

Acknowledgments

This project is managed by Prof. Santiago Torres-Arias at Purdue University. It is worked on by many folks in academia and industry, including members of the Secure Systems Lab at NYU and the NJIT Cybersecurity Research Center.

This research was supported by the Defense Advanced Research Projects Agency (DARPA), the Air Force Research Laboratory (AFRL), and the US National Science Foundation (NSF). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA, AFRL, and NSF. The United States Government is authorized to reproduce and distribute reprints notwithstanding any copyright notice herein.

ite's People

Contributors

Stargazers

Watchers

Forkers

santiagotorres lukpueh trishankatdatadog adityasaky marklodato tomhennen joshuagl mikhailswift reza-curtmola dentrax pinkdiamond1 pxp928 kingjay66 nmiyake

ite's Issues

ITE-6: Route to Acceptance

ITE-6 was merged as draft quite some time ago and we've seen in-toto attestations pop up in a number of contexts (SLSA Provenance, SBOM specific ones, SCAI, runtime traces, Alpha Omega scan results, and more!). The last couple of in-toto community meetings have discussed accepting it, and this thread is a formal request for comments before ITE-6 is accepted. Also note, #40 was opened to bring the ITE up to shape for acceptance, please use that version of the document.

Please add license to this repo

Hello! I would like to contribute an ITE pull request, but I am unable to do so because this repo lacks a license. Could you please add a LICENSE file and a note in the README? Thanks!

Multi Factor / 2FA support

Security would be improved if a second factor was required to sign at each stage.

For example, NPM allows requiring 2FA for package uploads and Apple requires macOS developers to use a second factor when signing packages for the Apple app store.

ITE-4: Limiting scope of generic URIs to static resources

In a review of PR #6 for ITE-4, @JustinCappos raised some important points about situations where the URIs (that the ITE describes) point to dynamic resources. The Security section of the draft highlights that care must be taken when recording dynamic contents. The suggestion is that this ITE should instead limit the use of generic URIs to static resources. I'm now working on identifying the impact this will have on some of the use cases that motivated this ITE.

Original discussion thread (for context): #6 (comment)

cc @SantiagoTorres @trishankatdatadog @lukpueh

Propose ITE for how to best integrate in-toto + TUF

A recommendation ITE that explains how to best integrate in-toto + TUF would be useful to guide users who want to use both technologies together.

ITE-5: Add GPG header to old signature envelope spec

#35 added the old signature wrapper specification to ITE-5's appendix. However, it lacks mention of the other_headers field used when signing with GPG keys.

ITE-2: Route to acceptance

Based on conversations with @trishankatdatadog.

ITE-2 was merged as a draft back in May 2020. With ITE-3 now accepted as of #25, it is probably a good time to discuss if ITE-2 is ready for acceptance as well. ITE-2 discusses a standard method of combining in-toto and TUF to build compromise resilient CI/CD systems, and ITE-3 discusses a practical implementation of this system at Datadog.

ITE-2: https://github.com/in-toto/ITE/blob/master/ITE/2/README.adoc

ITE-3: Route to acceptance

Based on conversations with @trishankatdatadog.

ITE-3 was merged as a draft back in May 2020. I'll let Trishank weigh in, but essentially it looks like this ITE is stable and can be considered for acceptance, especially since it talks about Datadog's specific integration of TUF and in-toto. Based on people's thoughts about this one, we can also potentially revisit ITE-2 soon.

ITE-3: https://github.com/in-toto/ITE/blob/master/ITE/3/README.adoc

ITE-5: Route to acceptance

ITE-5 was merged as draft back in May. We believe it's now time to discuss what needs to happen before it can be accepted. Since it was merged as draft, the signing specification it recommends has been renamed as DSSE (https://github.com/secure-systems-lab/dsse), and has also seen a v1.0 release! Therefore, it seems like the right time to move ITE-5 along.

ITE-5: https://github.com/in-toto/ITE/blob/master/ITE/5/README.adoc

ITE-7: Route to acceptance

ITE-7 was merged as draft back in February. Considering there's implementation support for it in in-toto-golang, this ITE is at a point where we can consider it for acceptance. The ITE has been stable for some time now, as has its implementation. Are there any outstanding issues that need to be addressed first?

ITE-5: Consider JWS

ITE-5 proposes to change the signature envelope to the SSL Signing Spec. I think this definitely improves on the previous scheme used by in-toto but given that the referenced spec is not an industry standard and no library ecosystem exists for it I wanted to open the discussion on why JWS was rejected.

ITE-5 says "Alternatives such as JWS are extremely complex and error-prone". While there is some truth to it I think it is a bit of an extreme statement, and most issues are not a practical problem anymore in my opinion. I found https://www.scottbrady91.com/JOSE/Alternatives-to-JWTs to be a good objective read on this topic.

ITE-5 also says "Both are also JSON-specific" which I guess is meant to say that it would be preferable if the envelope is not JSON-specific. SSL Signing Spec currently has a single authenticated header field which is the payload type. An optional Key ID is supported as unauthenticated field. The combination of not using JSON and not base64-encoding the payload and authenticated header for signing allows to use other envelope formats than JSON in their native and most efficient form. In principle, I like this, but in practice it requires that any future additional authenticated or unauthenticated header fields have to be specifically supported by all envelope formats, since there is no automatic mapping. In contrast, JWS defines its header as JSON which makes it extendable without changing the spec, at the expense of being dependent on JSON. It would be nice if JWS would not base64-encode the header and payload before signing, but this is a side issue I think. The central concern I have is the extendable header.

As an aside, not being JSON-specific in the envelope doesn't remove the JSON dependence in the payload. If certain scenarios require a more efficient encoding of signed in-toto statements then I think this has to be considered across all layers. I could image that certain constrained environments would be more happy with a fully binary signed statement rather than a mix of binary and JSON. An example could be a policy engine running on a microcontroller. I could imagine that for this use case a combination of COSE (CBOR equivalent of JWS) and CBOR-encoded in-toto statements (which would have a different media type than it's JSON counterpart) would work. It requires the statement creator to be aware of this but this is an acceptable compromise in those situations I think and can be solved with tooling.

In summary, I want to open up the discussion of using JWS Compact (this is what JWTs are based on) as primary envelope for in-toto statements.

JWS Compact does not support multiple signatures, but I think this is not an issue (more a legacy issue with the older in-toto spec). In practice, claims should be signed by a single party. Even if multiple parties want to sign, then those should be separate documents, since most likely they have slightly different claims. Counter-signing is possible by referencing another in-toto statement as subject in an I-approve-this predicate type.

The JWS header has the following standard fields to represent the payload type and optional key id:

"cty" which is a media type, e.g. application/vnd.in-toto+json
"kid" which is a key id, e.g. ad91970864102a59765e

For my own scenarios I would additionally include a non-standard field for the issuer to facilitate key discovery:

"issuer" which can for example be a Decentralized Identifier, e.g. did:web:letmaik.github.io (resolving to my DID doc)

Possible ITE: Resolve attestation references during verification

Some ITE-6 attestations like SCAI and VSA can reference other attestations. During verification, it may be necessary to resolve these references and apply rules against the target attestations.

Existing work: @marcelamelara has prototyped some support for this attestation resolving behaviour for SCAI. As a next step, we should generalize this for resolving references in all predicates and formally specify how it works. This may require a new ITE, alongside ITEs 10 and 11 which update the layout schema to support attestations.

This was first raised by @MarkLodato during a review of ITE-11: #50 (comment)

ITE-11 Feature Requests

This issue collects feature requests / suggestions for ITE-11.

Debug / error messages for attribute check failures

Proposed by @MarkLodato in https://github.com/in-toto/ITE/pull/50/files#r1344473474.

A raw list of CEL expressions might be a bit limiting. If something fails, it's difficult to present a clear error message of what went wrong. You might want to have a field for error messages. (Similarly, giving each an optional name might make it more readable.)

For example:

expectedAttributes:
  - name: builderId
    require: "predicate.runDetails.builder.id == 'https://example.com/myBuilder'"
    errorMessage: '"Unexpected builder.id: expected \"https://example.com/myBuilder\", got " + predicate.runDetails.builder.id'
  - name: repository
    require: "predicate.externalParameters.repository == '<expected value>'"
    errorMessage: '...'

Cross-step / predicate attribute checks

Proposed by @trishankatdatadog.

Right now, attribute checks are applied against the predicate / step they are specified for. The idea is to have checks that cut across a step or predicate.

ITE-9: Route to acceptance

ITE-9's been in draft status for some time now, and has also been used to propose some new predicates, most recently the vuln scan results one. The attestation framework spec has some guidance on proposing new predicate specifications but also points to ITE-9. I propose moving the template for a predicate proposal and so on into the in-toto/attestation and moving forward with ITE-9's acceptance. I believe the ITE has served its purpose in establishing a process for defining predicates and we can now carry that forward in the attestation framework without requiring the ITE to be a living document.