Grant
Theme fund: NGI0 PET
Start: 2020-02
End: 2022-10

Build Transparency (Trustix)

Towards a decentralized supply chain for software

When we install a program, we usually trust the downloaded software binaries. But how do we know that we aren't installing something malicious? Typically, we have confidence in those binaries because we get them from a trusted provider. But if the provider itself is compromised, the binaries can be anything. This makes each individual provider a single point of failure in the software supply chain. Trustix is a tool that compares build outputs across a group of providers, so that trust is decentralized. Multiple providers independently build the software, each in their own isolated environment, and can then vouch for the content of binaries that are the outcome of reproducible builds, while non-reproducible builds can be detected automatically. This is the first step towards an entirely decentralized software supply chain that can securely distribute software without any central, corruptible entity.

Why does this actually matter to end users?

When you start up your computer, you will probably think twice before you download some random piece of software from the internet and run it. You know that doing so could let unwelcome guests into your computer and your data. Your computer might even end up in a botnet. So when you see some nice piece of software, you will ask yourself: can I really trust this software? Perhaps you will check where it comes from. Better safe than sorry.

But even when you are sure you are downloading a program from a trusted source, can you really trust the files themselves? To install something, you usually need to rely on binary files, like the executable installer you click to get things started. These are files that your computer understands, but that are practically impossible for people to read and understand, let alone verify or audit. This project will develop a tool that compares software binaries across different providers and checks whether they are all the same, identifying any binary that differs from the others as suspect. This way, without any central point of trust (and failure), anyone can actually trust the software they run at work or at home.
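As an added illustration of the comparison the text describes (example code written for this page, not Trustix's own), the snippet below takes constructed build records from several independent builders, groups them by build input, and reports which outputs are agreed upon, which show a mismatch, and which only one builder has produced. The record shape, the hash strings and the agreement threshold are assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, not real Trustix logs: each tuple is one builder's
# claim "building this input produced this output". In a real deployment the
# input would be the hash of the build recipe and the output the hash of the
# resulting artifact; the short strings here are placeholders.
SAMPLE_RECORDS = [
    ("builder-a", "drv:hello-2.12", "out:7f3a"),
    ("builder-b", "drv:hello-2.12", "out:7f3a"),
    ("builder-c", "drv:hello-2.12", "out:7f3a"),
    ("builder-a", "drv:tool-1.0", "out:11aa"),
    ("builder-b", "drv:tool-1.0", "out:11aa"),
    ("builder-c", "drv:tool-1.0", "out:dead"),  # one builder disagrees
    ("builder-a", "drv:lib-0.9", "out:c0de"),   # only one builder has built this
]

@dataclass(frozen=True)
class Verdict:
    status: str                 # "reproducible", "mismatch" or "unverified"
    output: Optional[str]       # output hash that may be trusted, or None
    dissenters: tuple           # builders whose output differs from the majority

def compare_builds(records, min_builders=2, min_agreement=1.0):
    """Group records per input and decide whether the builders' outputs agree.

    min_builders: how many independent builds are needed before judging at all.
    min_agreement: fraction of builders that must report the same output.
    """
    by_input = defaultdict(dict)
    for builder, input_hash, output_hash in records:
        by_input[input_hash][builder] = output_hash
    verdicts = {}
    for input_hash, outputs in by_input.items():
        if len(outputs) < min_builders:
            verdicts[input_hash] = Verdict("unverified", None, ())
            continue
        winner, votes = Counter(outputs.values()).most_common(1)[0]
        dissenters = tuple(sorted(b for b, o in outputs.items() if o != winner))
        if votes / len(outputs) >= min_agreement:
            verdicts[input_hash] = Verdict("reproducible", winner, dissenters)
        else:
            # No output reaches the threshold: refuse to pick one and surface
            # the disagreeing builders so the build can be investigated.
            verdicts[input_hash] = Verdict("mismatch", None, dissenters)
    return verdicts

if __name__ == "__main__":
    for input_hash, verdict in compare_builds(SAMPLE_RECORDS).items():
        print(input_hash, verdict)
```

With the default threshold of full agreement, a single dissenting builder is enough to withhold trust; lowering `min_agreement` lets a majority vouch for an output while still naming the dissenters.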

Run by Tweag IO


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.