NJIT Researchers Help Prevent Cyberattacks From Software Supply Chain
An open-source tool that cryptographically protects the layout of your software supply chain is now available from researchers at NJIT, New York University and Purdue University, addressing the type of weakness exploited in the recent cyberattack on the commercial SolarWinds monitoring application used by the U.S. government.
The new tool, called in-toto, was developed by NJIT Professor Reza Curtmola, NYU Associate Professor Justin Cappos and Purdue Assistant Professor Santiago Torres-Arias. Now in version 1.0, it focuses on safeguarding the steps to design, develop and distribute software. Its name is derived from the Latin term meaning "on the whole."
The SolarWinds cyberattack has exposed a long-held concern over the supply chain of code production and maintenance, which can involve many developers across different departments.
Multiple handoff points provide opportunities for malicious code to be inserted.
"The in-toto project started in 2015, when DARPA picked NJIT as a prime contractor for this effort, with NYU as a subcontractor. I commend Dr. Angelos Keromytis, a DARPA program manager at the time, who had the vision to fund the project. As the project matured over the years, it has been hosted as a Linux Foundation project and gained significant traction with several major open source communities," Curtmola said.
Curtmola explained how it works. Software developers create rules and protocols that must be followed, assigning steps to specific people. When a step is complete, in-toto gathers metadata documenting that each step was performed correctly and in compliance with the rules. This addresses a weak point in most supply chains — the introduction of malicious content during the different steps and the packaging and updating processes, which can be difficult to identify in complex projects. With in-toto’s augmented capabilities, organizations can identify cyberattacks or compromised code before a finished software product is delivered to users.
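As an added illustration of the layout-and-metadata scheme Curtmola describes (example code written for this page, not code from the in-toto project or the article): a layout assigns each step to one functionary, every completed step emits signed link metadata recording what it consumed and produced, and verification checks both that the authorized person signed each step and that each step consumed exactly what the previous step produced. HMAC with constructed keys stands in for in-toto's asymmetric signatures, and the artifact rules are reduced to a single MATCH-style check; all names and file contents are constructed.

```python
import hashlib, hmac, json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Layout: the ordered steps and the one functionary authorized to perform each.
# Simplified model; real in-toto uses asymmetric keys and a richer rule language.
LAYOUT = {"steps": [{"name": "write-code", "functionary": "alice"},
                    {"name": "package", "functionary": "bob"}]}
# Constructed functionary keys (HMAC stand-ins for the public keys a layout lists).
KEYS = {"alice": b"alice-key-constructed", "bob": b"bob-key-constructed"}

def _mac(functionary: str, body: dict) -> str:
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[functionary], canon, "sha256").hexdigest()

def sign_link(functionary: str, name: str, materials: dict, products: dict) -> dict:
    """Link metadata for one step: what was consumed and produced, signed by who ran it."""
    body = {"name": name, "materials": materials, "products": products}
    return {"signed": body, "keyid": functionary, "sig": _mac(functionary, body)}

def verify(layout: dict, links: dict) -> list:
    """Return the policy violations found; an empty list means the chain verified."""
    problems, prev_products = [], None
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            problems.append(f"{step['name']}: missing link metadata")
            continue
        # Rule 1: the step must be signed by the functionary the layout assigns to it.
        if link["keyid"] != step["functionary"] or not hmac.compare_digest(
                _mac(step["functionary"], link["signed"]), link["sig"]):
            problems.append(f"{step['name']}: not signed by {step['functionary']}")
        # Rule 2 (MATCH): materials used here must equal the previous step's products.
        if prev_products is not None and link["signed"]["materials"] != prev_products:
            problems.append(f"{step['name']}: materials differ from previous products")
        prev_products = link["signed"]["products"]
    return problems

SRC = b"def main():\n    print('hello')\n"        # constructed source file
TAMPERED = SRC + b"# line injected at a handoff\n" # constructed altered copy

def run_chain(packaged_src: bytes, packager: str = "bob") -> list:
    """Alice writes SRC; the packager then packages whatever bytes reached it."""
    links = {"write-code": sign_link("alice", "write-code", {}, {"app.py": sha256(SRC)}),
             "package": sign_link(packager, "package", {"app.py": sha256(packaged_src)},
                                  {"app.tar": sha256(b"tar:" + packaged_src)})}
    return verify(LAYOUT, links)
```

`run_chain(SRC)` returns an empty list, `run_chain(TAMPERED)` reports that the packaged file no longer matches what the developer produced, and `run_chain(SRC, "alice")` reports that the packaging step was not signed by its assigned functionary.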
In addition to securing the software supply chain as a whole, in-toto also seeks to improve the security of the chain's individual steps. In particular, in-toto focuses on the source code management and the code review steps.
Modern software development uses a version control system to manage source code. Git, the most popular version control system, has been vulnerable to attacks that manipulate Git metadata to provide developers with inconsistent and incorrect views of the source code repository. The impact of such attacks can be significant, including the omission of security patches, the introduction of untested code into a production branch and even the inadvertent installation of software containing known vulnerabilities.
Cyberattacks are designed to be subtle intrusions, leaving no trace after their execution, and there is little that software developers can do beyond damage control once their software has been attacked. To help improve security for the millions of software developers who use and depend on Git, its maintainers introduced patches developed as part of the in-toto project into the production versions of Git 2.9, 2.12 and 2.14.
“It is surprising that popular code review systems used by both large corporations such as Microsoft, Google and Facebook, and by smaller organizations, do not incorporate explicit safeguards against tampering with the code review process,” said Curtmola. “The code review process itself and the code review policies have become attractive targets in a growing trend of attacks against the software development chain, yet they are not adequately protected. in-toto can make an immediate positive difference in the security of those critical processes.”
Curtmola and his colleagues introduced in-toto to the software development community at the August 2019 USENIX Security Symposium. The paper, "in-toto: Providing farm-to-table guarantees for bits and bytes," is publicly available.
Their project is supported by the National Science Foundation. Developers wishing to utilize it may do so freely at https://in-toto.engineering.nyu.edu.