--- _class: lead paginate: true backgroundColor: #fff --- # Expanding (Dis)Trust How can we prove that our software has not been tampered during build time? * Binary - software that's in a format computers can work with * Compiler - builds software into binaries * Hashing - takes a data set and produces a fixed length string --- # Anton Livaja Co-Founder & Security Engineer at Distrust (https://distrust.co) * Firm specializing in high assurance security consulting and engineering. * Mission: to improve the security, privacy and freedom of as many people as possible through working on fundamental security problems and creating open source solutions. * Clients: electrical grid operators, healthcare providers, fin-tech companies and more. --- # Ken Thompson's Reflections on Trusting Trust > **[The moral is obvious. You can't trust code that you did not totally create yourself**. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code...] --- ![](http://www.gne.com.sg/wp-content/uploads/2017/11/SolarWinds-logo.png) --- # What's the Answer? * Integrity hashes are already widely used * Determinism / Reproducibility * > Method of building software which ensures that the resulting binary for a piece of software is always bit-for-bit identical. * When something is bit-for-bit identical each time it is _deterministic_ * Once something is _deterministic_, it can be _reproduced_ --- # How Deep Do We Have to Go? * Software Application * First Party Code * Third Party Code * Build and Runtime Environment * Operating System + Packages * Additional CLI / Tools * Compiler --- # Adequate Solution * Allows us to make the whole tree deterministic * Can be easily reproduced (deterministically) * Drop in replacement for the current approach --- # Bootstrapping our Way Up ![right:0% left:0%](https://mermaid.ink/svg/pako:eNotjrsOgzAMRX8l8gw_kKFSga2dypgwWImBSHkpJANC_HtTiif73CP5HqCCJuCwJIwre3-kZ3Weog8uGktpYm37YJ14UfJkp3_cXbAX475lcmygSF6TV4a22-gvYxDPGK1RmE3wEzTgKDk0uv47fp6EvJIjCbyummYsNkuQ_qwqlhzG3SvgORVqIIWyrMBntFu9StSYaTBYe7ubnl_6WELh) --- # Who Compiles the Compiler? * Mostly downloaded as a binary * Even if the compiler is built from source, usually another compiler is used to do so * This means there is no clear providence to how we went from nothing to having a usable compiler --- # Bootstrapping Compilers * Consists of "stages", and hundreds of steps of starting from a human auditable (256 byte) compiler written in hex0 and building up all the way up to a modern compiler * Bootstrapping programming languages --- # We Have a Compiler, Now What? * Build all of the different dependencies we need: * `linux kernel` * `bash` * `openssl` * `git` * Yes... I mean *everything* in your build environment --- # Status Check-In * So far we have: * A fully deterministic compiler * Used that compiler to build all our dependencies * Last thing remaining: your application --- # Deterministic and Minimal Linux distribution
| Distribution | Signatures | Libc | Bootstrapped | Reproducible | Rust deps | |--------------|------------|-------|--------------|--------------|----------:| | Stagex | 2+ Human | Musl | Yes | Yes | 4 | | Debian | 1 Human | Glibc | No | Partial | 231 | | Arch | 1 Human | Glibc | No | Partial | 127 | | Fedora | 1 Bot | Glibc | No | No | 167 | | Alpine | None | Musl | No | No | 41 | --- # Full source bootstrapped from Stage 0 From a 256-byte compiler written in hex0, StageX bootstraps all the compiler tools necessary to build the distribution, 100% deterministically. - Stage 0: Getting a basic C compiler on x86 - Stage 1: Building GCC for x86 - Stage 2: Upgrading GCC for x86_64 - Stage 3: Building up-to-date toolchains - Stage X: Shipping the software you know and love --- # A Rust Example ```dockerfile FROM stagex/pallet-rust@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c AS build ADD . /src WORKDIR /src ARG TARGET x86_64-unknown-linux-musl RUN cargo build --release --target ${TARGET} FROM scratch COPY --from=build /app/target/${TARGET}/release/hello /usr/bin/hello CMD ["/usr/bin/hello"] ``` --- # All packages in StageX are: * Built using hash-locked sources * Confirmed reproducible by multiple developers * Signed by multiple release maintainers ![bg right:35% 80%](https://mermaid.ink/svg/pako:eNptUstugzAQ_BVrzyQU0-ZBpR7S9lhVKr2FHIy9gCuDkbFTRYh_ryFVgtL6YO_OjHdk7_bAtUBIoFD6m1fMWPK5yxri185JJaL9dBzIYvFEPrA1WjiO0f4SHmZi-q-Y_hFf60zKVJZNtB_3W55eeDrnpwu_JgpZh1eYzmEIoEZTMyn8A_tRlIGtsMYMEh8qWVY2g2BGPKfpmVsqlqMihTboq77nX8gt6Yk-ohl_KiFH2clc4SMZMsiawVsxZ3V6ajgk1jgMwGhXVpAUTHU-c61gFl8kKw2rb9BXIa02F1BpJtCnPdhTO_amlJ31Blw3hSxH3Bnl4cratkvCcKSXpbSVy5dc12EnxdjI6rhdhSu62jAa42ods4c4FjyPtpuC3keFWN9FlMEwBICT_9t5EKZ5GH4Asmmvxw) --- # Multi-Signed OCI Images Multiple maintainers can each sign individual images, with the container runtime enforcing _multiple_ signatures by maintainers to ensure no individual maintainer could have tampered with an image. [![](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw)](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw) --- # Common toolchain dependencies StageX comes with developer-loved tooling and languages, such as: - `curl` - `git` - `bash` - `openssl` --- # Pallets StageX will soon offer prebuilt containers including all the packages necessary to run some of our most used software, such as: - `rust` - `go` - `nodejs` - `nginx` - `redis` - `postgres` --- # Key Takeaways StageX... * Your software, at every point in the bootstrapped toolchain, can all be built deterministically. * Packages the software you're already using, but in a more secure manner. * Is a drop in replacement, and has container support --- # What's Next? * Adding SBOM * Packaging more software * Fully automating software updates * Additional container runtimes like Podman and Kaniko * Additional chip architecture support such as ARM and RISC-V --- # How You Can Help * Provide feedback * Support with development efforts * Become a sponsor --- # Other Projects This is only one part of the "Distrust Stack" * [`keyfork`](https://git.distrust.co/public/keyfork): toolchain for generating and managing a wide range of cryptographic keys * [`bootproof`](https://git.distrust.co/public/bootproof): tpm2 remote attestation * [`reprOS`](https://codeberg.org/stagex/repros): OS designed for secure reproduction * [`sigRev`](): open standard for signed code reviews --- # Links **Email**: anton@distrust.co / sales@distrust.co **Matrix Chat**: #stagex:matrix.org **Git Repo**: https://codeberg.org/stagex/stagex Big thank you to sponsors who have supported the development of this project: **Turnkey, Distrust, Mysten Labs** Thank you to InCyber for hosting this fantastic event!