Sage Journals: Discover world-class research

Abstract

Web-based Git hosting services such as GitHub and GitLab are popular choices to manage and interact with Git repositories. However, they lack an important security feature – the ability to sign Git commits. Users instruct the server to perform repository operations on their behalf and have to trust that the server will execute their requests faithfully. Such trust may be unwarranted though because a malicious or a compromised server may execute the requested actions in an incorrect manner, leading to a different state of the repository than what the user intended.

In this paper, we show a range of high-impact attacks that can be executed stealthily when developers use the web UI of a Git hosting service to perform common actions such as editing files or merging branches. We then propose le-git-imate, a defense against these attacks, which enables users to protect their commits using Git’s standard commit signing mechanism. We implement le-git-imate as a Chrome browser extension. le-git-imate does not require changes on the server side and can thus be used immediately. It also preserves current workflows used in Github/GitLab and does not require the user to leave the browser, and it allows anyone to verify that the server’s actions faithfully follow the user’s requested actions. Moreover, experimental evaluation using the browser extension shows that le-git-imate has comparable performance with Git’s standard commit signature mechanism. With our solution in place, users can take advantage of GitHub/GitLab’s web-based features without sacrificing security, thus paving the way towards verifiable web-based Git repositories.

Keywords

GitHub commit signature verification record signed commit browser extension

Get full access to this article

View all access options for this article.

References

GitHub, https://github.com.

GitLab, https://gitlab.com.

Bitbucket, https://bitbucket.org.

SourceForge, https://sourceforge.net.

Assembla, https://www.assembla.com.

RhodeCode, https://rhodecode.com.

GitHub Octoverse 2019, 2019, https://octoverse.github.com/.

10 million repositories, 2013, https://github.com/blog/1724-10-million-repositories.

LWN, Linux kernel backdoor attempt, https://lwn.net/Articles/57135/.

10.

Homakov, How I hacked GitHub again, http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html.

11.

gamasutra, Cloud source host Code Spaces hacked, developers lose code, http://www.gamasutra.com/view/news/219462/Cloud_source_host_Code_Spaces_hacked_developers_lose_code.php.

12.

Kernel.org Linux repository rooted in hack attack, http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/.

13.

ZDNet, Red Hat’s Ceph and Inktank code repositories were cracked, http://www.zdnet.com/article/red-hats-ceph-and-inktank-code-repositories-were-cracked.

14.

Gigaom, Adobe source code breach; it’s bad, real bad, https://gigaom.com/2013/10/04/adobe-source-code-breech-its-bad-real-bad.

15.

ZDNet, Open-source ProFTPD hacked, backdoor planted in source code, http://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code.

16.

ExtremeTech, GitHub hacked, millions of projects at risk of being modified or deleted, http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted.

17.

It’s 2017 and 200,000 services still have unpatched Heartbleeds, 2017, https://www.theregister.co.uk/2017/01/23/heartbleed_2017/.

18.

Gerrit, https://www.gerritcodereview.com/.

19.

Jira, https://www.atlassian.com/software/jira.

20.

Phabricator, https://www.phacility.com.

21.

le-git-imate, https://le-git-imate.github.io/.

22.

isomorphic-git, https://isomorphic-git.org/.

23.

China, GitHub and the man-in-the-middle, https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle.

24.

Marczak,

Weaver,

Dalek,

Ensafi,

Fifield,

McKune,

Rey,

Scott-Railton,

Deibert and

Paxson, An analysis of China’s “Great Cannon”, in: Fifth USENIX Workshop on Free and Open Comms. on the Internet (FOCI 15), 2015.

25.

Soghoian and

Stamm, Certified lies: Detecting and defeating government interception attacks against SSL (short paper), in: Proc. of the 16th International Conference on Financial Cryptography and Data Security (FC ’12), 2012.

26.

Aviram,

Schinzel,

Somorovsky,

Heninger,

Dankel,

Steube,

Valenta,

Adrian,

J.A.

Halderman,

Dukhovni,

Käsper,

Cohney,

Engels,

Paar and

Shavitt, DROWN: Breaking TLS using SSLv2, in: 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 689–706.

27.

Durumeric,

Ma,

Springall,

Barnes,

Sullivan,

Bursztein,

Bailey,

J.A.

Halderman and

Paxson, The security impact of HTTPS interception, in: Proc. of Network and Distributed System Security Symposium (NDSS), 2016, pp. 689–706.

28.

Torres-Arias,

A.K.

Ammula,

Curtmola and

Cappos, On omitting commits and committing omissions: Preventing Git metadata tampering that (re)introduces software vulnerabilities, in: 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 379–395.

29.

GitHub Platform Roadmap, https://developer.github.com/early-access/platform-roadmap/.

30.

The GitHub Blog, https://github.com/blog.

31.

Chrome browser extension, https://developer.chrome.com/extensions.

32.

Content Scripts, https://developer.chrome.com/extensions/content_scripts.

33.

Manage events with background scripts, https://developer.chrome.com/extensions/background_pages.

34.

GitHub API, https://developer.github.com/v3/.

35.

Git’s pack protocol, https://github.com/git/git/blob/master/Documentation/technical/pack-protocol.txt.

36.

gitkit-js, https://github.com/SamyPesse/gitkit-js.

37.

js-git, https://github.com/creationix/js-git.

38.

git.js, https://github.com/danlucraft/git.js.

39.

es-git, https://github.com/es-git/es-git.

40.

isomorphic-git v0.65.0, https://github.com/isomorphic-git/isomorphic-git/releases/tag/v0.65.0.

41.

Git internals – Transfer protocols, https://git-scm.com/book/ms/v2/Git-Internals-Transfer-Protocols.

42.

Keybase, https://keybase.io.

43.

Fahl,

Harbach,

Muders,

Smith and

Sander, Helping Johnny 2.0 to encrypt his Facebook conversations, in: Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ’12), ACM, 2012.

44.

M.M.

Lucas and

Borisov, FlyByNight: Mitigating the privacy risks of social networking, in: Proc. of the 7th ACM WPES ’08, 2008.

45.

GPG signature verification, https://github.com/blog/2144-gpg-signature-verification.

46.

Mailvelope, https://www.mailvelope.com/en.

47.

FlowCrypt, https://flowcrypt.com/.

48.

Afzali,

Torres-Arias,

Curtmola and

Cappos, le-git-imate: Towards verifiable web-based Git repositories, in: Proc. of the 2018 ACM Asia Conference on Computer and Communications Security (ASIACCS ’18), ACM, 2018, pp. 469–482.

49.

OpenPGP.js, https://openpgpjs.org/.

50.

Global trends in online shopping – A Nielsen report, http://www.nielsen.com/us/en/insights/reports/2010/Global-Trends-in-Online-Shopping-Nielsen-Consumer-Report.html.

51.

R.B.

Miller, Response time in man–computer conversational transactions, in: Proc. of the December 9–11, 1968, Fall Joint Computer Conference, Part I, ACM, 1968.

52.

Nielsen, Usability engineering at a discount, in: Proc. of the 3rd Int. Conf. on Human–Computer Interaction on Designing and Using Human–Computer Interfaces and Knowledge Based Systems, 2nd edn, Elsevier, 1989, pp. 394–401.

53.

D.F.

Galletta,

Henry,

McCoy and

Polak, Web site delays: How tolerant are users?, J. of the Assoc. for Info. Systems 5(1) (2004), 1–28.

54.

P.J.

Sevcik

et al., Understanding how users view application performance, Business Communications Review 32(7) (2002), 8–9.

55.

F.F.-H.

Nah, A study on tolerable waiting time: How long are web users willing to wait?, Behaviour & Information Technology 23(3) (2004), 153–163.

56.

Arapakis,

Bai and

B.B.

Cambazoglu, Impact of response latency on user behavior in web search, in: Proc. of the 37th Annual ACM SIGIR Conference, 2014.

57.

Poggi,

Carrera,

Gavaldà,

Ayguadé and

Torres, A methodology for the evaluation of high response time on E-commerce users and sales, Information Systems Frontiers 16(5) (2014), 867–885. doi:10.1007/s10796-012-9387-4.

58.

Flask, http://flask.pocoo.org/.

59.

D.A.

Wheeler, Software configuration management (SCM) security, http://www.dwheeler.com/essays/scm-security.html.

60.

Gerwitz, A Git horror story: Repository integrity with signed commits, http://mikegerwitz.com/papers/git-horror-story.

61.

Vaidya,

Torres-Arias,

Curtmola and

Cappos, Commit signatures for centralized version control systems, in: Proc. of the 34th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC ’19), Springer, 2019, pp. 359–373. doi:10.1007/978-3-030-22312-0_25.

62.

Apso: Secrecy for version control systems, https://savannah.nongnu.org/projects/apso.

63.

Pellegrini, Secrecy in concurrent version control systems, in: Presented at the Brazilian Symposium on Information and Computer Security (SBSeg 2006), 2006.

64.

R.G.

Shirey,

K.M.

Hopkinson,

K.E.

Stewart,

D.D.

Hodson and

B.J.

Borghetti, Analysis of implementations to secure Git for use as an encrypted distributed version control system, in: 48th Hawaii Int. Conf. on Sys. Sci. (HICSS ’15), 2015.

65.

SaaS, https://en.wikipedia.org/wiki/Software_as_a_service.

66.

Subashini and

Kavitha, A survey on security issues in service delivery models of cloud computing, J. of Network and Computer Applications 34(1) (2011), 1–11.

67.

Chandramouli and

Iorga, Cryptographic key management issues & challenges in cloud services, 2013, http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7956.pdf. doi:10.6028/NIST.IR.7956.

68.

Introducing Keybase chat, https://keybase.io/blog/keybase-chat.

69.

M.S.

Melara,

Blankstein,

Bonneau,

E.W.

Felten and

M.J.

Freedman, CONIKS: Bringing key transparency to end users, in: Usenix Security, 2015, pp. 383–398.

70.

Chiasson,

Forget,

Biddle and

P.C.

van Oorschot, User interface design affects security: Patterns in click-based graphical passwords, International Journal of Information Security 8(6) (2009), 387.

71.

Dark patterns, https://darkpatterns.org/.

72.

S.S.

Kulkarni,

Mittal and

Nayakawadi, Detecting phishing web pages, International Journal of Computer Applications 118(16) (2015), 27–30.

73.

Zhang,

J.I.

Hong and

L.F.

Cranor, Cantina: A content-based approach to detecting phishing web sites, in: Proc. of the 16th International Conference on World Wide Web, WWW ’07, ACM, 2007, pp. 639–648. doi:10.1145/1242572.1242659.

Towards adding verifiability to web-based Git repositories

Abstract

Keywords

Get full access to this article

References