Visible to the public SaTC: TTP: Medium: Collaborative: Securing the Software Supply ChainConflict Detection Enabled

Project Details

Lead PI

Performance Period

Jul 01, 2018 - Jun 30, 2021


New Jersey Institute of Technology

Award Number

Making modern software involves tools such as a source code management system, a verify/build/package system, and a repository for distributing software and updates. The security of this software chain is dramatically overlooked today, as many recent incidents demonstrate. Existing defenses provide piecemeal solutions to individual problems and, when combined, do not provide end-to-end guarantees.

This project seeks to transition into widespread practical use a system called "in-toto", which provides insights and end-to-end guarantees about the software supply chain. in-toto protects software from the moment it is written by a developer and ensures that the chain of trust can be followed all the way to the software that gets installed on user devices. In-toto generates cryptographically signed metadata for each step in the chain, and links together and carries these metadata throughout the entire chain.

The salient positive impact comes from making the software development process transparent and publicly verifiable. in-toto provides a natural way to make the code review and testing practices publicly visible, thus incentivizing developers to follow safe software practices. Through ongoing and future collaborations, in-toto is being integrated into several large software projects that will positively impact millions of computers.