---
_class: lead
paginate: true
backgroundColor: #fff
---
# Expanding (Dis)Trust
How can we prove that our software has not been tampered with at build time?
* Binary - software that's in a format computers can work with
* Compiler - builds software into binaries
* Hashing - takes a data set and produces a fixed length string
---
# Anton Livaja
Co-Founder & Security Engineer at Distrust (https://distrust.co)
* Firm specializing in high assurance security consulting and engineering.
* Mission: to improve the security, privacy and freedom of as many people as
possible through working on fundamental security problems and creating open
source solutions.
* Clients: electrical grid operators, healthcare providers, fin-tech companies
and more.
---
# Ken Thompson's Reflections on Trusting Trust
> **The moral is obvious. You can't trust code that you did not totally create
> yourself.** (Especially code from companies that employ people like me.) No
> amount of source-level verification or scrutiny will protect you from using
> untrusted code...
---
![](http://www.gne.com.sg/wp-content/uploads/2017/11/SolarWinds-logo.png)
---
# What's the Answer?
* Integrity hashes are already widely used
* Determinism / Reproducibility
* > Method of building software which ensures that the resulting binary for
  > a piece of software is always bit-for-bit identical.
* When something is bit-for-bit identical each time it is _deterministic_
* Once something is _deterministic_, it can be _reproduced_
---
# How Deep Do We Have to Go?
* Software Application
  * First Party Code
  * Third Party Code
* Build and Runtime Environment
  * Operating System + Packages
  * Additional CLI / Tools
  * Compiler
---
# Adequate Solution
* Allows us to make the whole tree deterministic
* Can be easily reproduced (deterministically)
* Drop-in replacement for the current approach
---
# Bootstrapping our Way Up
![right:0% left:0%](https://mermaid.ink/svg/pako:eNotjrsOgzAMRX8l8gw_kKFSga2dypgwWImBSHkpJANC_HtTiif73CP5HqCCJuCwJIwre3-kZ3Weog8uGktpYm37YJ14UfJkp3_cXbAX475lcmygSF6TV4a22-gvYxDPGK1RmE3wEzTgKDk0uv47fp6EvJIjCbyummYsNkuQ_qwqlhzG3SvgORVqIIWyrMBntFu9StSYaTBYe7ubnl_6WELh)
---
# Who Compiles the Compiler?
* Mostly downloaded as a binary
* Even if the compiler is built from source, usually another compiler is used to do so
* This means there is no clear provenance for how we went from nothing to having a usable compiler
---
# Bootstrapping Compilers
* Consists of "stages", and hundreds of steps, starting from a human-auditable (256 byte) compiler written in hex0 and building all the way up to a modern compiler
* Bootstrapping programming languages
---
# We Have a Compiler, Now What?
* Build all of the different dependencies we need:
  * `linux kernel`
  * `bash`
  * `openssl`
  * `git`
* Yes... I mean *everything* in your build environment
---
# Status Check-In
* So far we have:
  * A fully deterministic compiler
  * Used that compiler to build all our dependencies
* Last thing remaining: your application
---
# Deterministic and Minimal Linux distribution
| Distribution | Signatures | Libc | Bootstrapped | Reproducible | Rust deps |
|--------------|------------|-------|--------------|--------------|----------:|
| Stagex | 2+ Human | Musl | Yes | Yes | 4 |
| Debian | 1 Human | Glibc | No | Partial | 231 |
| Arch | 1 Human | Glibc | No | Partial | 127 |
| Fedora | 1 Bot | Glibc | No | No | 167 |
| Alpine | None | Musl | No | No | 41 |
---
# Full source bootstrapped from Stage 0
From a 256-byte compiler written in hex0, StageX bootstraps all the compiler
tools necessary to build the distribution, 100% deterministically.
- Stage 0: Getting a basic C compiler on x86
- Stage 1: Building GCC for x86
- Stage 2: Upgrading GCC for x86_64
- Stage 3: Building up-to-date toolchains
- Stage X: Shipping the software you know and love
---
# A Rust Example
```dockerfile
# Pin the build image by digest so the toolchain is hash-locked, not resolved from a tag
FROM stagex/pallet-rust@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c AS build
ADD . /src
WORKDIR /src
# ARG defaults use "="; the musl target yields a static binary that can run from scratch
ARG TARGET=x86_64-unknown-linux-musl
RUN cargo build --release --target ${TARGET}
# Ship only the binary: an empty base image with no shell or package manager
FROM scratch
# ARGs do not carry across stages, so redeclare it before using it in COPY
ARG TARGET=x86_64-unknown-linux-musl
COPY --from=build /src/target/${TARGET}/release/hello /usr/bin/hello
CMD ["/usr/bin/hello"]
```
---
# All packages in StageX are:
* Built using hash-locked sources
* Confirmed reproducible by multiple developers
* Signed by multiple release maintainers
![bg right:35% 80%](https://mermaid.ink/svg/pako:eNptUstugzAQ_BVrzyQU0-ZBpR7S9lhVKr2FHIy9gCuDkbFTRYh_ryFVgtL6YO_OjHdk7_bAtUBIoFD6m1fMWPK5yxri185JJaL9dBzIYvFEPrA1WjiO0f4SHmZi-q-Y_hFf60zKVJZNtB_3W55eeDrnpwu_JgpZh1eYzmEIoEZTMyn8A_tRlIGtsMYMEh8qWVY2g2BGPKfpmVsqlqMihTboq77nX8gt6Yk-ohl_KiFH2clc4SMZMsiawVsxZ3V6ajgk1jgMwGhXVpAUTHU-c61gFl8kKw2rb9BXIa02F1BpJtCnPdhTO_amlJ31Blw3hSxH3Bnl4cratkvCcKSXpbSVy5dc12EnxdjI6rhdhSu62jAa42ods4c4FjyPtpuC3keFWN9FlMEwBICT_9t5EKZ5GH4Asmmvxw)
---
# Multi-Signed OCI Images
Multiple maintainers can each sign individual images, with the container
runtime enforcing _multiple_ signatures by maintainers to ensure no individual
maintainer could have tampered with an image.
[![](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw)](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw)
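As an added illustration of the hash-locked sources and the multi-maintainer checks described on this slide and the previous one (example code, not StageX's own), the following Python parses a digest-pinned reference of the form used in the Dockerfile (`name@sha256:<hex>`), confirms fetched bytes match the pin, and enforces that at least two distinct maintainers produced or signed the identical digest. The reference name, maintainer names and source bytes are constructed sample values; the cryptographic signature verification performed by the container runtime is assumed to have already happened before attestations reach this policy check.

```python
import hashlib
import re

# Pinned references look like the Dockerfile's "stagex/pallet-rust@sha256:<64 hex>".
_PINNED_RE = re.compile(r"^(?P<name>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def parse_pinned_ref(ref: str) -> tuple[str, str]:
    """Split 'name@sha256:<hex>' into (name, digest); reject tags and malformed refs."""
    m = _PINNED_RE.match(ref)
    if not m:
        raise ValueError(f"reference is not hash-locked: {ref!r}")
    return m.group("name"), m.group("digest")


def verify_hash_locked(blob: bytes, ref: str) -> bool:
    """Hash-locked source check: fetched bytes must match the pinned digest exactly."""
    _, expected = parse_pinned_ref(ref)
    return hashlib.sha256(blob).hexdigest() == expected


def check_reproduced(attestations: dict[str, str], threshold: int = 2) -> str:
    """Policy used for both 'reproduced by multiple developers' and
    'signed by multiple maintainers': at least `threshold` distinct
    maintainers must vouch for the *same* digest, and none may disagree.
    `attestations` maps maintainer id -> digest they built or signed.
    Returns the agreed digest, or raises with the reason the policy fails."""
    if len(attestations) < threshold:
        raise ValueError(f"need {threshold} attestations, got {len(attestations)}")
    digests = set(attestations.values())
    if len(digests) != 1:
        # Any disagreement means the build is not bit-for-bit reproducible,
        # or one maintainer's environment or toolchain was tampered with.
        dissent = {m: d[:12] for m, d in attestations.items()}
        raise ValueError(f"attestations disagree: {dissent}")
    return digests.pop()


# Constructed sample data (hypothetical names; not real StageX artifacts).
SOURCE = b'fn main() { println!("hello"); }\n'
SOURCE_DIGEST = hashlib.sha256(SOURCE).hexdigest()
PINNED_REF = f"example/hello-src@sha256:{SOURCE_DIGEST}"
GOOD_ATTESTATIONS = {"alice": SOURCE_DIGEST, "bob": SOURCE_DIGEST}
# A build that leaked a timestamp into the output no longer matches the others.
BAD_ATTESTATIONS = {
    "alice": SOURCE_DIGEST,
    "mallory": hashlib.sha256(SOURCE + b"// built_at=1700000000\n").hexdigest(),
}
```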
---
# Common toolchain dependencies
StageX comes with developer-loved tooling and languages, such as:
- `curl`
- `git`
- `bash`
- `openssl`
---
# Pallets
StageX will soon offer prebuilt containers including all the packages necessary to run
some of our most used software, such as:
- `rust`
- `go`
- `nodejs`
- `nginx`
- `redis`
- `postgres`
---
# Key Takeaways
StageX...
* Lets your software, and every tool in the bootstrapped toolchain, be built
deterministically.
* Packages the software you're already using, but in a more secure manner.
* Is a drop-in replacement, and has container support
---
# What's Next?
* Adding SBOM
* Packaging more software
* Fully automating software updates
* Additional container runtimes like Podman and Kaniko
* Additional chip architecture support such as ARM and RISC-V
---
# How You Can Help
* Provide feedback
* Support with development efforts
* Become a sponsor
---
# Other Projects
This is only one part of the "Distrust Stack"
* [`keyfork`](https://git.distrust.co/public/keyfork): toolchain for generating and managing a wide range of cryptographic keys
* [`bootproof`](https://git.distrust.co/public/bootproof): tpm2 remote attestation
* [`reprOS`](https://codeberg.org/stagex/repros): OS designed for secure reproduction
* [`sigRev`](): open standard for signed code reviews
---
# Links
**Email**: anton@distrust.co / sales@distrust.co
**Matrix Chat**: #stagex:matrix.org
**Git Repo**: https://codeberg.org/stagex/stagex
Big thank you to sponsors who have supported the development of this project:
**Turnkey, Distrust, Mysten Labs**
Thank you to InCyber for hosting this fantastic event!