Gringotts: An Encrypted Version Control System With Less Trust on Servers

Abstract

Version Control System (VCS) plays an essential role in software supply chain, as it manages code projects and enables efficient collaboration. For a private repository, where source code is a high-profile asset and needs to be protected, VCS' security is extremely important. Traditional (unencrypted or encrypted) VCS solutions rely on a trusted service provider to host the code and enforce access control, which is not realistic enough for real-world threats. If the service provider peep in or the hackers break into the repository, the read & write privilege to the sensitive code is totally lost. Therefore, we consider whether one can relax the assumption on the server by introducing a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">covert adversary</i> , namely, it may act maliciously, but will not misbehave if it can be caught doing so. However, protecting sensitive code and enforcing access control on a covert adversarial server is a challenging task. Existing encryption-based VCS solutions failed to address this challenge, as they offered limited access control functionalities, introduced heavy key management overhead or storage overhead. Moreover, the crucial feature of compression of the source files were missing in an encrypted and versioned storage. To address these problems, we introduce <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Gringotts</small> , an end-to-end encrypted VCS, tailored for read & write access control, version control and source file compression. We present a formal model and propose a scheme with detailed analysis. We also implement and evaluate <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Gringotts</small> on top-10 most starred code projects on GitHub. The results demonstrate that <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Gringotts</small> introduces low latency (less than 0.3 s) for commit encryption and decryption, supports fine-grained access control and rich version control functionalities with practical performance.