2025, Vol. 33, pp. 708-722
Software supply chain security has relied upon layered protective measures, such as fuzzing, code signing, and secure coding, to protect against unintentional vulnerabilities and intentional tampering. Regrettably, attacks such as SolarWinds and the Log4Shell zero-day demonstrated that current protections are insufficient. As a result, several projects have emerged that aim to provide rigorous protections, focusing largely on dependency management, code signing, and binary file tracking. A common approach adds developer identity to the code signing ecosystem, establishing a chain of trust between developers and code-signing keys. However, these solutions depend upon external identity providers performing authentication correctly, leaving potential for account hijacking and other identity-based attacks. Mitigation is offered via monitoring and auditing, but this relies on other parties actively monitoring for anomalies. In this paper, we propose and evaluate a FIDO-based extension to the Sigstore system that embeds authentication data into the signing process, providing end-users with added identity assurance that complements Sigstore's key-to-identity mapping. By providing attestation information that increases authentication strength, we can potentially issue longer-lifetime developer certificates, reducing their overall number and yielding a more scalable system. We also perform a basic evaluation to demonstrate that our improvements can be implemented feasibly with minimal changes to Sigstore.
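The distinction the abstract draws, between a certificate that rests on an identity provider's word alone and one that also carries proof from the developer's own FIDO authenticator, can be made concrete with a small model. The following Go program is an added illustration and is not the paper's implementation or Sigstore's code: it stands in for Fulcio with a toy CA, for WebAuthn/FIDO with a plain ECDSA P-256 key held by the developer, and for credential enrolment with an in-memory registry; the identity `dev@example.com`, the artifact bytes, and all type and function names (`Cert`, `IssueCert`, `Verify`, `Demo`) are constructed for the example. It shows why a verifier that grades assurance by the embedded proof can tell a hijacked account (valid identity-provider session, no authenticator) from the real developer, and rejects a proof produced by an unenrolled authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical, in-memory model (added example, not Sigstore's code). A CA binds a
// developer identity to a signing key; the certificate may additionally carry a
// FIDO-style proof made by the developer's enrolled authenticator over that binding.

type Cert struct {
	Subject    string           // identity asserted by the identity provider
	SigningPub *ecdsa.PublicKey // developer's (ephemeral) signing key
	AuthnProof []byte           // authenticator signature over the binding; nil if absent
	CASig      []byte           // CA signature over the three fields above
}

// Assurance levels a verifier can report for a signed artifact.
const (
	AssuranceNone = iota // certificate, signature or proof invalid
	AssuranceIdP         // identity rests on the identity provider alone
	AssuranceFIDO        // identity also proven by an enrolled authenticator
)

func pubBytes(p *ecdsa.PublicKey) []byte {
	return append(p.X.FillBytes(make([]byte, 32)), p.Y.FillBytes(make([]byte, 32))...)
}

// bindingDigest ties the identity to one specific signing key, so a proof
// cannot be replayed to certify a different key under the same identity.
func bindingDigest(subject string, signingPub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(subject), pubBytes(signingPub)...))
	return h[:]
}

func certDigest(c Cert) []byte {
	h := sha256.New()
	h.Write([]byte(c.Subject))
	h.Write(pubBytes(c.SigningPub))
	h.Write(c.AuthnProof)
	return h.Sum(nil)
}

// MakeAuthnProof runs on the developer side: the authenticator signs the binding.
func MakeAuthnProof(authn *ecdsa.PrivateKey, subject string, signingPub *ecdsa.PublicKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, authn, bindingDigest(subject, signingPub))
}

// IssueCert plays the CA. The identity provider's assertion is assumed to have been
// checked already; proof may be nil (the weaker, identity-provider-only case).
func IssueCert(ca *ecdsa.PrivateKey, subject string, signingPub *ecdsa.PublicKey, proof []byte) (Cert, error) {
	c := Cert{Subject: subject, SigningPub: signingPub, AuthnProof: proof}
	sig, err := ecdsa.SignASN1(rand.Reader, ca, certDigest(c))
	if err != nil {
		return Cert{}, err
	}
	c.CASig = sig
	return c, nil
}

// Verify checks the CA binding and the artifact signature, then grades identity
// assurance by whether a valid proof from the subject's enrolled authenticator is embedded.
func Verify(caPub *ecdsa.PublicKey, registry map[string]*ecdsa.PublicKey, artifact, artifactSig []byte, c Cert) (int, error) {
	if !ecdsa.VerifyASN1(caPub, certDigest(c), c.CASig) {
		return AssuranceNone, errors.New("certificate not signed by the CA")
	}
	d := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(c.SigningPub, d[:], artifactSig) {
		return AssuranceNone, errors.New("artifact signature does not match certified key")
	}
	if c.AuthnProof == nil {
		return AssuranceIdP, nil
	}
	authnPub, ok := registry[c.Subject]
	if !ok || !ecdsa.VerifyASN1(authnPub, bindingDigest(c.Subject, c.SigningPub), c.AuthnProof) {
		return AssuranceNone, errors.New("authenticator proof does not match the enrolled credential")
	}
	return AssuranceFIDO, nil
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo returns the assurance level for three constructed signing sessions: the real
// developer with their authenticator, a hijacked account without it, and a hijacked
// account presenting a proof from an authenticator that was never enrolled.
func Demo() (legit, hijacked, forged int) {
	ca, authenticator := mustKey(), mustKey()
	const dev = "dev@example.com" // constructed identity
	registry := map[string]*ecdsa.PublicKey{dev: &authenticator.PublicKey}
	artifact := []byte("release-1.2.3.tar.gz contents") // constructed artifact

	session := func(authn *ecdsa.PrivateKey) int {
		k := mustKey() // fresh signing key per session, as with short-lived certificates
		var proof []byte
		if authn != nil {
			proof, _ = MakeAuthnProof(authn, dev, &k.PublicKey)
		}
		c, err := IssueCert(ca, dev, &k.PublicKey, proof)
		if err != nil { panic(err) }
		d := sha256.Sum256(artifact)
		sig, err := ecdsa.SignASN1(rand.Reader, k, d[:])
		if err != nil { panic(err) }
		level, _ := Verify(&ca.PublicKey, registry, artifact, sig, c) // level encodes the outcome
		return level
	}
	return session(authenticator), session(nil), session(mustKey())
}

func main() {
	legit, hijacked, forged := Demo()
	fmt.Println("developer with authenticator:", legit, "hijacked account:", hijacked, "forged proof:", forged)
}
```

A consumer policy that requires `AssuranceFIDO` therefore refuses artifacts from the hijacked session even though the identity provider vouched for it, which is the added assurance the abstract describes; a policy that accepts `AssuranceIdP` reproduces today's behaviour. Because the proof is bound to the specific signing key, this is also the hook that would let a CA justify a longer certificate lifetime for keys whose holder has proven possession of the enrolled authenticator.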