Jump to Content

Tiziano Santoro

Authored Publications
Google Publications
Other Publications
Sort By
  • Title
  • Title, desc
  • Year
  • Year, desc
    Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity
    Andrew Ferraiuolo
    Razieh Behjati
    ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, Association for Computing Machinery (2022)
    Preview abstract Building reliable software is challenging because today’s software supply chains are built and secured from tools and individuals from a broad range of organizations with complex trust relationships. In this setting, tracking the origin of each piece of software and understanding the security and privacy implications of using it is essential. In this work we aim to secure software supply chains by using verifiable policies in which the origin of information and the trust assumptions are first-order concerns and abusive evidence is discoverable. To do so, we propose Policy Transparency, a new paradigm in which policies are based on authorization logic and all claims issued in this policy language are made transparent by inclusion in a transparency log. Achieving this goal in a real-world setting is non-trivial and to do so we propose a novel software architecture called PolyLog. We find that this combination of authorization logic and transparency logs is mutually beneficial -- transparency logs allow authorization logic claims to be widely available aiding in discovery of abuse, and making claims interpretable with policies allows misbehavior captured in the transparency logs to be handled proactively. View details
    No Results Found