April 16-18, 2024
Seattle, Washington
Wednesday, April 17 • 4:55pm - 5:35pm
TPMs, Merkle Trees and TEEs: Enhancing SLSA with Hardware-Assisted Build Environment Verification - Marcela Melara, Intel Corporation & Chad Kimes, GitHub

CI/CD and cloud-based build systems are foundational to how software is built today. Software supply chain integrity frameworks like Supply-chain Levels for Software Artifacts (SLSA) aim to bolster the build process, but these frameworks place a high degree of trust in the underlying build environment. High-profile attacks like the SolarWinds hack in 2020 have shown how a compromise in the build environment can have dire consequences. So, what options do we have to protect against these threats? In this talk, we present a powerful combination of cryptographic and trusted hardware technologies, such as TPMs and confidential computing, that enables CI/CD platforms to provide build environment attestation and verification. We first summarize state-of-the-art SLSA and discuss different ways that trust in the build environment can erode if left unchecked. We describe proposed enhancements to the SLSA framework and how they can augment the existing safeguards CI/CD platforms have in place. Finally, we discuss examples of practical implementations for our SLSA enhancements showcasing how trustworthy build platforms are achievable.

Speakers

Marcela Melara

Research Scientist, Intel Corporation
Marcela Melara is a research scientist in the Security and Privacy Group at Intel Labs. Her current work focuses on solutions for high-integrity software supply chains and trustworthy distributed systems. She leads a number of internal, open-source and academic efforts on supply chain...

Chad Kimes

Principal Engineer, GitHub
Chad Kimes has been an engineer on GitHub Actions since before its launch in 2019. There he has worked to improve the security, availability, and scalability of GitHub Actions' hosted ephemeral VMs. He has been a continuing member of the Actions Security team, a cross-functional group...

Wednesday April 17, 2024 4:55pm - 5:35pm PDT
434 (Level 4)
SupplyChainSecurityCon