[{"language":[{"iso":"eng"}],"_id":"8301","publication":"Proceedings of the 26th USENIX Conference on Security Symposium","date_created":"2020-08-26T12:04:44Z","title":"CHAINIAC: Proactive software-update transparency via collectively signed skipchains and verified builds","citation":{"apa":"Nikitin, K., Kokoris Kogias, E., Jovanovic, P., Gasser, L., Gailly, N., Khoffi, I., … Ford, B. (2017). CHAINIAC: Proactive software-update transparency via collectively signed skipchains and verified builds. In <i>Proceedings of the 26th USENIX Conference on Security Symposium</i> (pp. 1271–1287). Vancouver, Canada: USENIX Association.","mla":"Nikitin, Kirill, et al. “CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds.” <i>Proceedings of the 26th USENIX Conference on Security Symposium</i>, USENIX Association, 2017, pp. 1271–1287.","ista":"Nikitin K, Kokoris Kogias E, Jovanovic P, Gasser L, Gailly N, Khoffi I, Cappos J, Ford B. 2017. CHAINIAC: Proactive software-update transparency via collectively signed skipchains and verified builds. Proceedings of the 26th USENIX Conference on Security Symposium. SEC: Security Symposium, 1271–1287.","chicago":"Nikitin, Kirill, Eleftherios Kokoris Kogias, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Ismail Khoffi, Justin Cappos, and Bryan Ford. “CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds.” In <i>Proceedings of the 26th USENIX Conference on Security Symposium</i>, 1271–1287. USENIX Association, 2017.","ama":"Nikitin K, Kokoris Kogias E, Jovanovic P, et al. CHAINIAC: Proactive software-update transparency via collectively signed skipchains and verified builds. In: <i>Proceedings of the 26th USENIX Conference on Security Symposium</i>. USENIX Association; 2017:1271–1287.","ieee":"K. 
Nikitin <i>et al.</i>, “CHAINIAC: Proactive software-update transparency via collectively signed skipchains and verified builds,” in <i>Proceedings of the 26th USENIX Conference on Security Symposium</i>, Vancouver, Canada, 2017, pp. 1271–1287.","short":"K. Nikitin, E. Kokoris Kogias, P. Jovanovic, L. Gasser, N. Gailly, I. Khoffi, J. Cappos, B. Ford, in:, Proceedings of the 26th USENIX Conference on Security Symposium, USENIX Association, 2017, pp. 1271–1287."},"article_processing_charge":"No","year":"2017","oa":1,"date_updated":"2021-01-12T08:18:00Z","quality_controlled":"1","page":"1271–1287","extern":"1","type":"conference","date_published":"2017-09-01T00:00:00Z","status":"public","publisher":"USENIX Association","author":[{"first_name":"Kirill","full_name":"Nikitin, Kirill","last_name":"Nikitin"},{"id":"f5983044-d7ef-11ea-ac6d-fd1430a26d30","last_name":"Kokoris Kogias","first_name":"Eleftherios","full_name":"Kokoris Kogias, Eleftherios"},{"full_name":"Jovanovic, Philipp","first_name":"Philipp","last_name":"Jovanovic"},{"first_name":"Linus","full_name":"Gasser, Linus","last_name":"Gasser"},{"first_name":"Nicolas","full_name":"Gailly, Nicolas","last_name":"Gailly"},{"first_name":"Ismail","full_name":"Khoffi, Ismail","last_name":"Khoffi"},{"first_name":"Justin","full_name":"Cappos, Justin","last_name":"Cappos"},{"first_name":"Bryan","full_name":"Ford, Bryan","last_name":"Ford"}],"publication_status":"published","abstract":[{"lang":"eng","text":"Software-update mechanisms are critical to the security of modern systems, but their typically centralized design presents a lucrative and frequently attacked target. In this work, we propose CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of integrity and authenticity for software-release processes. 
Independent witness servers collectively verify conformance of software updates to release policies, build verifiers validate the source-to-binary correspondence, and a tamper-proof release log stores collectively signed updates, thus ensuring that no release is accepted by clients before being widely disclosed and validated. The release log embodies a skipchain, a novel data structure, enabling arbitrarily out-of-date clients to efficiently validate updates and signing keys. Evaluation of our CHAINIAC prototype on reproducible Debian packages shows that the automated update process takes an average of 5 minutes per release for individual packages, and only 20 seconds for the aggregate timeline. We further evaluate the framework using real-world data from the PyPI package repository and show that it offers clients security comparable to verifying every single update themselves while consuming only one-fifth of the bandwidth and having a minimal computational overhead."}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"open_access":"1","url":"https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-nikitin.pdf"}],"oa_version":"Published Version","day":"01","month":"09","publication_identifier":{"isbn":["9781931971409"]},"conference":{"start_date":"2017-08-16","name":"SEC: Security Symposium","end_date":"2017-08-18","location":"Vancouver, Canada"}}]
