Abstract
Version Control System (VCS) plays an essential role in software supply chain, as it manages code projects and enables efficient collaboration. For a private repository, where source code is a high-profile asset and needs to be protected, VCS' security is extremely important. Traditional (unencrypted or encrypted) VCS solutions rely on a trusted service provider to host the code and enforce access control, which is not realistic enough for real-world threats. If the service provider peep in or the hackers break into the repository, the read & write privilege to the sensitive code is totally lost. Therefore, we consider whether one can relax the assumption on the server by introducing a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">covert adversary</i> , namely, it may act maliciously, but will not misbehave if it can be caught doing so. However, protecting sensitive code and enforcing access control on a covert adversarial server is a challenging task. Existing encryption-based VCS solutions failed to address this challenge, as they offered limited access control functionalities, introduced heavy key management overhead or storage overhead. Moreover, the crucial feature of compression of the source files were missing in an encrypted and versioned storage. To address these problems, we introduce <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Gringotts</small> , an end-to-end encrypted VCS, tailored for read & write access control, version control and source file compression. We present a formal model and propose a scheme with detailed analysis. We also implement and evaluate <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Gringotts</small> on top-10 most starred code projects on GitHub. The results demonstrate that <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Gringotts</small> introduces low latency (less than 0.3 s) for commit encryption and decryption, supports fine-grained access control and rich version control functionalities with practical performance.
Published Version
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
More From: IEEE Transactions on Dependable and Secure Computing
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.