Software Distribution Transparency and Auditability
Benjamin Hof, Georg Carle

TL;DR
This paper introduces a transparency and auditability system for software updates via package managers, enhancing security by detecting backdoors, verifying source code integrity, and preventing equivocation attacks, demonstrated through a two-year Debian update analysis.
Contribution
It presents a novel transparency system for Linux package managers, including defenses against hidden version attacks and a tree root cross logging method to prevent equivocation.
Findings
Detected numerous irregularities in Debian updates
Implemented a transparency system that adds no overhead for package maintainers
Validated system effectiveness over two years of real-world Debian updates
Abstract
A large user base relies on software updates provided through package managers. This provides a unique lever for improving the security of the software update process. We propose a transparency system for software updates and implement it for a widely deployed Linux package manager, namely APT. Our system is capable of detecting targeted backdoors without producing overhead for maintainers. In addition, in our system, the availability of source code is ensured, the binding between source and binary code is verified using reproducible builds, and the maintainer responsible for distributing a specific package can be identified. We describe a novel "hidden version" attack against current software transparency systems and propose as well as integrate a suitable defense. To address equivocation attacks by the transparency log server, we introduce tree root cross logging, where the log's…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Digital and Cyber Forensics
