Cybersecurity Researcher at NJIT Toughens Git Software Repositories

Git, the most widely used version control system for programmers to keep track of their code, is becoming more secure because of software jointly developed by researchers at New Jersey Institute of Technology and New York University.
Git underpins services such as GitHub, which alone has more than 100 million active users worldwide. But there have been security concerns over the years, and one problem is that Git-based systems rely on centralized administration, which requires users to trust the server without being able to verify its actions, NJIT computer science professor Reza Curtmola explained.
Curtmola and his NYU peers — professor Justin Cappos, along with graduate students Aditya Yelgundhalli and Patrick Zielinski — won a Distinguished Paper award for their new work, Rethinking Trust in Forge-Based Git Security, in February at the Internet Society’s Network and Distributed System Security symposium in San Diego.
Their paper describes new open-source software called Gittuf — stylized with a lowercase ‘g’ when used in the developer community. The software distributes responsibility for a code repository’s policies and administration, so that nobody is trusted unilaterally. For example, it decentralizes repository tracking, so no one person can manipulate the logs of who did what and when. It also decentralizes policy enforcement, by enabling all users to independently verify whether changes are authorized.
Gittuf takes its name from TUF, The Update Framework, from which it borrows concepts, and is also a play on getting tough on security.
“We've been trying to improve both the security of the entire software supply chain, but also the security of individual steps,” Curtmola said. “This [time] it’s about improving the security of the Git version control system. It’s one of the important steps.
“It can be the case that the actual Git server is compromised and the attacker can do bad things. It can simply be a benign error, like a software bug which can lead to problems. And in both cases the fact that you unconditionally trust this third party without being able to verify any of its actions, from a security point of view, it’s a bad idea.
“They can just edit the policy, granting themselves certain privileges, do some bad things, and then revert the policy to how it was before, making this very hard to track. … Regarding the activity log, a compromised Git server can do all kinds of bad things there, and users don't have a way to independently verify the integrity of this activity log. You just have to trust.”
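To make concrete what the preceding paragraphs describe, a log of who changed what that nobody can quietly edit, and a policy that every user checks for themselves, here is an added illustration. It is not gittuf's code, data format or API, and it is not from the paper: a toy, hash-chained log of reference updates in which the policy is itself a logged, signed object, plus a verifier that replays the log against the policy in force at each step. The ref name refs/_model/policy, the participants alice, bob and server, and the commit targets are constructed for the example; HMAC with a per-signer key stands in for the asymmetric signatures a real system would use so that verification needs only public keys.

```python
import copy
import hashlib
import hmac
import json

POLICY_REF = "refs/_model/policy"  # ref name chosen for this model, not gittuf's
MAIN = "refs/heads/main"


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def policy_id(policy: dict) -> str:
    """Content address of a policy blob; the policy ref points at it."""
    return digest(canonical(policy))


def sign(key: bytes, payload: dict) -> str:
    # HMAC with a per-signer key stands in for an asymmetric signature here.
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def make_entry(prev, ref, target, signer, key) -> dict:
    """One log entry: 'signer moved <ref> to <target>', chained to prev."""
    payload = {"prev": prev, "ref": ref, "target": target, "signer": signer}
    return {**payload, "sig": sign(key, payload)}


def entry_id(entry: dict) -> str:
    return digest(canonical(entry))


def verify_log(log, policy_store, root_policy, keys):
    """Replay the log client-side, trusting only the root policy and the keys.
    Every entry must chain to the previous one, verify under its signer's key,
    and be allowed by the policy in force at that point (policy changes too)."""
    current = policy_store.get(root_policy)
    if current is None:
        return False, "root policy not found"
    prev = None
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, f"entry {i}: chain broken (log edited or truncated)"
        payload = {k: v for k, v in e.items() if k != "sig"}
        key = keys.get(e["signer"])
        if key is None or not hmac.compare_digest(sign(key, payload), e["sig"]):
            return False, f"entry {i}: bad signature"
        if e["signer"] not in current["rules"].get(e["ref"], []):
            return False, f"entry {i}: {e['signer']} not authorized for {e['ref']}"
        if e["ref"] == POLICY_REF:
            new = policy_store.get(e["target"])
            if new is None or policy_id(new) != e["target"]:
                return False, f"entry {i}: policy blob missing or altered"
            current = new
        prev = entry_id(e)
    return True, "ok"


def honest_history():
    """Constructed sample: alice installs the root policy, bob pushes main."""
    keys = {"alice": b"alice-key", "bob": b"bob-key", "server": b"server-key"}
    policy_v1 = {"rules": {MAIN: ["alice", "bob"], POLICY_REF: ["alice"]}}
    root = policy_id(policy_v1)
    store = {root: policy_v1}
    log = [make_entry(None, POLICY_REF, root, "alice", keys["alice"])]
    log.append(make_entry(entry_id(log[-1]), MAIN, "c1" * 20, "bob", keys["bob"]))
    return keys, store, root, log


def rogue_policy_flip(keys, store, log):
    """Compromised server grants itself access, pushes, then reverts the policy.
    It holds only its own key, so the entry installing the widened policy is
    signed by a key the policy in force does not authorize for POLICY_REF."""
    log, store = copy.deepcopy(log), dict(store)
    v1_id = log[0]["target"]
    v2 = copy.deepcopy(store[v1_id])
    v2["rules"][MAIN].append("server")
    v2["rules"][POLICY_REF].append("server")
    store[policy_id(v2)] = v2
    k = keys["server"]
    log.append(make_entry(entry_id(log[-1]), POLICY_REF, policy_id(v2), "server", k))
    log.append(make_entry(entry_id(log[-1]), MAIN, "bad1" * 10, "server", k))
    log.append(make_entry(entry_id(log[-1]), POLICY_REF, v1_id, "server", k))
    return store, log


def drop_entry(log, index):
    """Server quietly deletes one entry; later entries still name the old prev."""
    log = copy.deepcopy(log)
    del log[index]
    return log


if __name__ == "__main__":
    keys, store, root, log = honest_history()
    print(verify_log(log, store, root, keys))  # (True, 'ok')
    store2, log2 = rogue_policy_flip(keys, store, log)
    print(verify_log(log2, store2, root, keys))  # entry 2: server not authorized
    print(verify_log(drop_entry(log2, 2), store2, root, keys))  # chain broken
```

The verifier rejects the server's policy change at entry 2 because the policy then in force lets only alice move the policy ref, so the "widen, misuse, revert" sequence is visible no matter how quickly it is undone. Deleting that entry to hide it breaks the hash chain, and rewriting the `prev` fields instead invalidates the signatures, since each signature covers `prev`. Anyone holding the root policy and the signers' verification keys can run this replay, which is the kind of independent verification the article refers to.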
Curtmola is optimistic that Gittuf, if widely adopted, will substantially reduce these risks. “This whole framework was designed so that it makes adoption as easy as possible. Of course, we cannot expect people to change the way they develop software only to use this. Because of that, we had to by design make it as usable as possible.
“While we see some adoption of this, obviously in the real world, you have scenarios where there will be both regular Git users and Gittuf users. So you have this combination of a mix of users … We need to understand a bit better what happens from a security point of view and if there are any issues to fix.”
In the research paper, Curtmola and colleagues explained that future work includes support for sharing Gittuf roots across multiple code repositories, removing the dependence on synchronization points and expanding a metadata layer for integration with other security efforts.
Dennis Roellke, a security architect at Bloomberg, is leading a Gittuf pilot project in various departments of the financial news and information company. His primary job responsibility is to ensure the integrity of the software supply chain throughout different groups.
In the company’s 40-plus years of delivering information to clients across the global financial industry, Bloomberg has seen its software evolve from entirely home-grown systems programmed in Fortran, to modern distributed systems. Today the company has billions of lines of code that use a gamut of programming languages, primarily C++, Python, and JavaScript/TypeScript.
In the last 15 years, “As we’ve moved away from maintaining proprietary software infrastructure towards us using and contributing to open source infrastructure, everyone has benefited,” explained Roellke. “Gittuf helps encourage open-source adoption by providing source code integrity guarantees that can be verified independently, by anyone – and it can be used by developers to build trust in their own projects.”
Roellke said his team is continuing to scale up its Gittuf interfaces for use by larger and more varied teams of engineers inside Bloomberg. That is exactly the kind of real-world problem Curtmola says exists.
“All of these problems in the software supply chain are extremely easy in isolation. If we want to secure GitHub only, done. If we want to secure the Python infrastructure ecosystem, done. It's not even worth thinking about it. Some professors get bored when you even bring this up,” Curtmola said. “But doing this for multiple forges consistently, and over multiple programming language ecosystems consistently, is an unsolved challenge. So that's what I would really like the world to understand.”
“Developers will have to install some software, and slightly change the way they do things,” perhaps getting used to a few extra milliseconds to upload code, Curtmola observed. “But at the end of the day, it's not that bad. So I think it's mostly an administrative or political decision. If an organization really values its security and wants to be protected against this threat model — this strong adversary that we're considering — then the benefits far outweigh whatever small cost.”