000229405 001__ 229405
000229405 005__ 20190812205952.0
000229405 020__ $$a978-1-931971-40-9
000229405 037__ $$aCONF
000229405 245__ $$aCHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds
000229405 269__ $$a2017
000229405 260__ $$bUSENIX Association$$c2017
000229405 336__ $$aConference Papers
000229405 520__ $$aSoftware-update mechanisms are critical to the security of modern systems, but their typically centralized design presents a lucrative and frequently attacked target. In this work, we propose CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of integrity and authenticity for software-release processes. Independent witness servers collectively verify conformance of software updates to release policies, build verifiers validate the source-to-binary correspondence, and a tamper-proof release log stores collectively signed updates, thus ensuring that no release is accepted by clients before being widely disclosed and validated. The release log embodies a skipchain, a novel data structure, enabling arbitrarily out-of-date clients to efficiently validate updates and signing keys. Evaluation of our CHAINIAC prototype on reproducible Debian packages shows that the automated update process takes the average of 5 minutes per release for individual packages, and only 20 seconds for the aggregate timeline. We further evaluate the framework using real-world data from the PyPI package repository and show that it offers clients security comparable to verifying every single update themselves while consuming only one-fifth of the bandwidth and having a minimal computational overhead.
000229405 700__ $$0250295$$g233255$$aNikitin, Kirill
000229405 700__ $$0250278$$g254967$$aKokoris Kogias, Eleftherios
000229405 700__ $$0249578$$g264772$$aJovanovic, Philipp Svetolik
000229405 700__ $$aGasser, Linus
000229405 700__ $$0250934$$g195531$$aGailly, Nicolas
000229405 700__ $$aKhoffi, Ismail
000229405 700__ $$aCappos, Justin
000229405 700__ $$0249220$$g257875$$aFord, Bryan Alexander
000229405 7112_ $$dAugust 16-18, 2017$$cVancouver, BC, Canada$$a26th Usenix Security Symposium
000229405 773__ $$tProceedings of the 26th Usenix Security Symposium$$q1271-1287
000229405 8564_ $$zURL$$uhttps://youtu.be/xpT6L8htINU
000229405 8564_ $$zPreprint$$yPreprint$$uhttps://infoscience.epfl.ch/record/229405/files/usenixsec17-final.pdf$$s961467
000229405 909C0 $$xU13061$$pDEDIS$$0252572
000229405 909CO $$ooai:infoscience.tind.io:229405$$qGLOBAL_SET$$pconf$$pIC
000229405 917Z8 $$x233255
000229405 917Z8 $$x233255
000229405 917Z8 $$x233255
000229405 937__ $$aEPFL-CONF-229405
000229405 973__ $$rREVIEWED$$sPUBLISHED$$aEPFL
000229405 980__ $$aCONF