Spring 2016 Colloquium: Securing the Software Supply Chain


Dr. Justin Cappos, New York University

Title: Securing the Software Supply Chain

Abstract: The software supply chain is the series of steps required to transform materials (e.g., source code), into a final product that serves a specific purpose for end users (e.g., an executable binary). Generally, a software supply chain will consist of multiple steps, such as complication, testing, and packaging, to create a final product.

Any compromise in the software supply chain can be impactful. By modifying the materials or products of one step in the chain, the attacker can create a vulnerable final product (e.g., by adding a backdoored binary). Given this, attackers can break into popular software supply chains in order to compromise a large number of hosts.

This talk introduces in-toto, a set of tools that ensure the integrity of the supply chain as a whole. In-toto grants the end user the ability to verify the integrity of the project from inception to the installation in their device. In-toto is being used in production by several open source projects. This talk will include a live demonstration of the in-toto software.

Bio: Justin Cappos is a tenure-track assistant professor in the Computer Science and Engineering department at New York University. Justin's research philosophy focuses on improving real world systems, often by addressing issues that arise in practical deployments.

His dissertation work was on Stork, the first package manager designed for environments that use operating system virtualization, such as cloud computing. Improvements in Stork, particularly relating to security, have been widely adopted and are used on the majority of Linux systems. His research has also been adopted into production use in a variety of other widely used software including git, Python, and Docker. More information is available at https://ssl.engineering.nyu.edu/personalpages/jcappos/

Date: Tuesday, March 21, 5pm

Location: ENGR 103

Pizza will be provided!