The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Securing the Software Supply Chain: Theories, Measurements, Runtime Defenses, and Software Signing Infrastructure (PKI) for commercial and open-source software

Research Areas: Assured Identity and Privacy

Principal Investigator: Jamie Davis

Many software applications incorporate third-party packages distributed by package registries. Guaranteeing package provenance – knowledge of authorship – along this supply chain is a necessary part of ensuring that the software applications that run our societies are trustworthy. Although package maintainers can guarantee package authorship through software signing based on public-key cryptography, the adoption of signing has been slow. Many prior works have discussed challenges with the different generations of signing tools. However, recent cyberattacks have prompted a renewed emphasis on software signing from technology leaders such as Google (SLSA) and the US NIST (NIST SP 800-204D).

One perennial problem with the adoption of software signing has been the myriad competing signing tools and inconsistency across different package registries. The goal of this project is to provide a theoretical and empirical basis to understand what factors limit and predict the adoption of software signing in open-source software in order to promote the adoption of this practice. We are applying both quantitative methods (mining software repositories for hypothesis testing) and qualitative methods (human factors -- interviews, surveys). Building on this, we are developing the Sigstore signing platform with a goal of substantially solving the signing problem.

Personnel

Other PIs: Santiago Torres-Arias

Representative Publications

  • SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties.
    Okafor, Schorlemmer, Torres-Arias, and Davis.
    Proceedings of the 1st ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) 2022.

  • An Empirical Study of Artifacts and Security Practices in the Pre-trained Model Supply Chain.
    Jiang, Synovic, Sethi, Indarapu, Hyatt, Schorlemmer, Thiruvathukal, and Davis.
    Proceedings of the 1st ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) 2022.

  • ZTD-JAVA: Mitigating Software Supply Chain Vulnerabilities via Zero-Trust Dependencies.
    Amusuo, Robinson, Singla, Peng, Machiry, Torres-Arias, Simon, and Davis.
    Proceedings of the ACM/IEEE 47th International Conference on Software Engineering (ICSE) 2025.

  • DiVerify: Hardening Identity-Based Software Signing with Programmable Diverse-Context Scopes.
    Okafor, Davis, and Torres-Arias.

  • ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain.
    Kalu, Okorafor, Durak, Laine, Moreno, Torres-Arias, and Davis.

  • Why Johnny Signs with Next-Generation Tools: A Usability Case Study of Sigstore.
    Kalu, Okorafor, Singla, Torres-Arias, and Davis

  • Why Software Signing (Still) Matters: Trust Boundaries in the Software Supply Chain.
    Kalu and Davis

  • An Industry Interview Study of Software Signing for Supply Chain Security.
    Kalu, Singla, Okafor, Torres-Arias, and Davis.
    arXiv 2024.

  • Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors.
    Schorlemmer, Kalu, Chigges, Ko, Ishgair, Bagchi, Torres-Arias, and Davis.
    Proceedings of the 45th IEEE Symposium on Security and Privacy (IEEE S&P) 2024.

Keywords: Cybersecurity, Empirical software engineering, provenance, software signing, trust