Security Audit of in-toto

X41 performed a source code audit of in-toto, a framework providing software supply chain security with implementations in Python and Go, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the green light has been given by the in-toto development team.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-in-toto-Audit-2023-Final-Report-PUBLIC.pdf

Audit Results

The most severe issue discovered allows the supply chain to be compromised by tampering with data in transit per the threat model. The framework allows only the final recipient to verify the supply chain, not intermediate functionaries. An example could be a build script or a set of unit tests which are to be run by a functionary: while the data has a link signature from the previous functionary, this is not validated and the code being executed to build or test the software may have been replaced by an attacker.

Weaknesses in the handling of PGP keys were identified in the Python implementation, such as the trusting of keys whose creation time lies in the future (a sign of clock issues, such that the expiration time cannot be trusted either) and key properties such as revocation and usage restrictions not being taken into account during verification.

Several other improvements were identified to improve defense-in-depth and reduce ambiguity in the specification.

Overall, the codebase shows a high maturity in terms of security but the project can further improve its security posture by improving on general design architecture.

in-toto’s announcement of the release can be found here:
https://in-toto.io/security-audit-23/

OSTIF’s announcement can be found at:
https://ostif.org/our-audit-of-in-toto-is-complete/

If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!