SCC Overview
Source Certification Contract (SCC)
Question:
Are You Who You Say You Are?
Answer:
Trust the Source, User
The acronym SCC is not related to the Sirius Cybernetics Corporation or any of their superficial design flaws :)
Overview
Are You Who You Say You Are?
This question doesn't make clear Who is who, or who are we talking about?
When attempting to run a binary object on your system, users need to trust the binary and its original source code.
The question should ask for the authorship of the binary and it's assumed source code, hence SCC authenticates the binary against the source code it claims to be originated from.
SCC answers:
This binary is produced by this set of source code, which is trusted by these people.
SCC verifies whether a binary object's signature matches its assumed source code signatures.
SCC provides a list of personal signatures who trust this source code, as well as a list of personal signatures who trust this binary object. Hence SCC incorporates a chain of trust.
Motivation
What's wrong with current binary distribution models?
Certificate based Applet security, is not secure
Certificates are designed for identification. Certificate based security is based on the idea that if you know who the author is you can trust the binary’s this person hands out. The fallacy with certificate based security thinking is that people who own a certificate identity do not automatically write secure code.
Certificates may grant extra privileges that a simple application should not have, this makes certified application break outside a security sandbox. An application that is run outside the sandbox is naturally less secure compared to one unsigned application running inside the sandbox. http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
Revocation is hard using certificate based security because you need to tell the supplier/author of the application to revoke and re-deploy all its applications using a new certificate if a flaw is found in one of the authors applications.
Further Readings ..
The following references linked below came to the same conclusions independently.
- http://www.cert.org/blogs/certcc/2013/04/dont_sign_that_applet.html - By Will Dormann: Don't Sign that Applet!
- ENV00-J. Do not sign code that performs only unprivileged operations
- - Can You Trust Your Computer?
Design
Use source and binary signature tags stored in accessible source code repository (SCR).
The source tag is provided at build time.
The binary tags are generated for each build and target and retroactively added to the SCR.
The binary contains both, source and binary tags, i.e. it claims a source code identification while providing it's binary identification.
SCC then validates whether both exist and are equal as stored on the SCR.
Revocation
Revocation of single binary signatures are possible by simply removing a binary signature from the SCR.