SmartWitness: A proactive software transparency system using smart contracts

Abstract

Package managers have become essential for software distribution and management. Their goal is to allow users to install programs, drivers, or updates in their systems in a secure, quick, and often, unattended way. However, in recent years, attackers have found severe flaws in software distribution systems and used them as a stealthy launch pad for malicious software. Moreover, it was proved that actors of the software supply-chain are ineffective in detecting and stopping attacks on user devices. In this paper, we present a design for software distribution systems based on distributed ledgers. By replacing traditional code signing certificates with smart contracts, named SmartWitness, we propose a novel system that provides properties of binary transparency, useful and granular package revocation, and dynamic and proactive security assessment improving risk awareness of end users. SmartWitness keeps all actors transparent and accountable, and it enables security providers to participate earlier in the software distribution process, directly influencing package installations on user devices. We show how SmartWitness is integrated into an existing package manager system, and we present results from conducted experiments indicating that the system is practical as for today.