6/14/2023

in-toto Security Audit Response

Author: Cole Kennedy

in-toto Security Audit

The in-toto Project Security Audit Findings and Witness

At TestifySec, we firmly uphold transparency as one of our key principles. We believe that it is vital to engage openly with our users about our actions and decisions. In line with this commitment to transparency, we want to elucidate the recent security audit conducted for the Cloud Native Computing Foundation (CNCF) in-toto project. This audit is part of the CNCF's project graduation procedure, ensuring the project's security, reliability, and longevity1.

Audit Findings

The security audit revealed several potential vulnerabilities1. Although our in-toto implementation, Witness, was not directly audited, we consider it imperative to address these findings due to the shared specifications between in-toto and Witness. The audit pinpointed vulnerabilities related to file metadata, configuration reading, layout replay, link file reuse, verification by functionaries, and several PGP issues.

Responding to the Findings

We take the audit findings very seriously and are proactive in addressing them. To provide clarity and transparency, we're sharing our remediation strategy in response to these audit findings. You can track our progress at our GitHub issue tracker.
File Metadata Ignored (Medium Severity)2: Our remediation plan includes incorporating file permissions into file metadata records. As we develop an open-source file metadata container, Omnitrail, we will ensure it addresses this concern.
Configuration Read From Local Directory (Medium Severity)3: We aim to mitigate potential security vulnerabilities associated with configuration files by removing support for these files in our implementation. We will offer guidance on setting configurations through API parameters or CLI arguments. Additionally, we will add a feature to Witness that attests to its internal configuration parameters.
Layout Replay (Low Severity)4: Despite layout replay attacks being considered outside the scope of in-toto, we are taking measures to counter such attacks. We will employ the strategies set out in in-toto Enhancements ITE-2 and ITE-3, leveraging The Update Framework (TUF). See our plan to add TUF support to Archivista. This approach will ensure freshness of Witness Policy and other data stored in Archivista for users of Witness and Archivista.
Link File Reuse (Medium Severity)5: To mitigate the risk of unauthorized link file reuse, we will advocate for globally unique step names in a layout where reuse is not intended. Furthermore, we see value in being able to reuse Witness policy across many pipelines. We will adopt recommendations from ITE-2 and ITE-3 through our planned TUF/Archivista implementation to deter unapproved metadata reuse. Additionally Witness records the hashes of the tool used in the step. Users can mitigate against the threat by creating policy that locks the tool used in the step to specific hashes.
Functionaries Do Not Perform Verification (High Severity)6: For secure deployment of Witness, users need to use remote attestation of the machine and machine state. Our current implementation of both Sigstore and SPIRE key providers mitigates these threats. We will also add support for checking witness policies to verify source materials before creating the attestation and use namespaces and security modules like Seccomp, AppArmor, and SELinux to isolate Witness from the build process.
Several PGP Issues (Varying Severity)7: We would like to underscore that we neither support nor plan to support PGP in Witness.

Looking Ahead

The CNCF in-toto project security audit is a highly valuable exercise for uncovering potential vulnerabilities and bolstering our system's security stance. We are dedicated to addressing these concerns and persistently improving Witness. Our foremost goal is to offer a secure and dependable system to our users. Your trust in us is greatly appreciated, and we will relentlessly strive for transparency and quality.

References

1 Source Code Audit of in-toto Python and Go Implementations and Architectural Review of the Specification by Open Source Technology Improvement Fund (OSTIF), X41 D-Sec GmbH. 2GHSA-wqrg-wjp9-wqfq File Metadata Ignored Advisory. 3GHSA-wqrg-wjp9-wqfq Configuration Read From Local Directory Advisory. 4GHSA-73jv-h86v-c2vh Layout Replay Advisory. 5GHSA-6q78-j78h-pqm2 Link File Reuse Advisory. 6GHSA-p86f-xmg6-9q4x Functionaries Do Not Perform Verification Advisory. 7GHSA-jjgp-whrp-gq8m Several PGP Issues Advisory.