SSL Blog
- Our Contributions to Reproducible Builds
2024-07-01 · Posted by: Justin Cappos · Categories: · Comments
- Our Contributions to Git
2024-07-01 · Posted by: Justin Cappos · Categories: · Comments
- Uptane Website 2.0: Project “Front Door” Gets a Much Needed Upgrade
2023-10-20 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
In less than a decade, the Uptane secure software update project has made a significant impact, not only on the automotive world for which it was conceived, but increasingly on other industrial sectors where updates are routinely received over the air.
- Uptane Community Endorses Scudo as Automotive Software Supply Chain Security Solution
2023-03-17 · Posted by: Lois Anne DeLong and Aditya Sirish · Categories: in-toto, Uptane · Comments
Last year, the Uptane project released a whitepaper that introduced Scudo, an open framework that utilizes in-toto to secure automotive software supply chains. We are now excited to share that Scudo has been accepted by a simple majority of the active members of the Uptane community.
- Adventures in Open Source: Recognizing SSL’s GSoC ‘22 Contributors
2023-01-05 · Posted by: Lois Anne DeLong · Categories: in-toto, TUF · Comments
This summer, the Secure Systems Lab welcomed four first-time contributors to the Google Summer of Code program.
- Scudo: End-to-End Vehicle Software Security from Uptane and in-toto
2022-09-09 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
This spring, the [Uptane](https://uptane.github.io/) project introduced Scudo, a comprehensive secure framework that can deliver end-to-end software supply chain protection for computing units on automobiles.
- PKM Has Left the Building: Farewell Thoughts from 2022 Ph.D. Grad Preston Moore
2022-09-02 · Posted by: Lois Anne DeLong · Categories: CrashSimulator · Comments
- Uptane V.2.0.0: Open source standard for securing automotive computing units releases new version
2022-03-29 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
On March 18, the Uptane project, an open community effort to secure and protect software delivered over-the-air to automobiles, announced the release of *Uptane V.2.0.0 Standard for Design and Implementation*
- in-toto moves to the CNCF Incubator
2022-03-28 · Posted by: Lois Anne DeLong · Categories: in-toto · Comments
The in-toto project, a supply chain security solution which provides protection by collecting and verifying relevant data at each step of a software product’s lifecycle, was recently promoted to the incubator of the Cloud Native Computing Foundation.
- Python-TUF reaches version 1.0.0
2022-02-21 · Posted by: Jussi Kukkonen and Lukas Pühringer · Categories: TUF · Comments
The Python-TUF community is proud to announce the release of Python-TUF 1.0.0
- Uptane marks a pair of firsts
2021-09-07 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
The summer of 2021 was anything but slow for the Uptane project. It not only issued its second minor version of the *Uptane Standard for Design and Implementation,* but also published its first whitepaper and announced its first international virtual workshop.
- Santa's signatures part 4 -- Saving Santa some signing: Using delegations to distribute data
2021-08-12 · Posted by: Marina Moore · Categories: Informational · Comments
- Santa's signatures part 3 -- Ensuring the Easter Bunny isn’t signing your Christmas cards: Applying limitations of trust
2021-07-28 · Posted by: Marina Moore · Categories: Informational · Comments
- Santa's signatures part 2 -- Who is signing your Christmas card?: Establishing trust
2021-07-27 · Posted by: Marina Moore · Categories: Informational · Comments
- Santa's signatures part 1 -- Did the Grinch intercept your Christmas card?: The importance of signature verification
2021-07-26 · Posted by: Marina Moore · Categories: Informational · Comments
Why cryptographic signatures are only useful when paired with verification.
- Design by Calvinball: Why it doesn’t work for secure system design
2021-06-29 · Posted by: Marina Moore · Categories: Informational · Comments
- Uptane Releases V.1.1.0 of its Standard; Introduces Deployment Best Practices
2021-01-27 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
There is little doubt that cars have caught the attention of hackers, and little hope that these trends will be reversed.
- In the Shadow of SolarWinds, in-toto Releases its First Major Version
2021-01-25 · Posted by: Lois Anne DeLong · Categories: in-toto · Comments
The recent SolarWinds hack ... is a sobering reminder that though updates are necessary, they are also always fraught with risk
- Looking Back on a Summer of Code
2020-11-13 · Posted by: Christian Rebischke · Categories: in-toto · Comments
I have been active on Github since 2013 and although I have participated in various projects, such as serving on the security team for Arch Linux, I have never really contributed a large amount of code...
- Good-bye, Santiago and Dan: Some Parting Wisdom from our Most Recent Ph.D. Graduates
2020-07-03 · Posted by: Lois Anne DeLong · Categories: Informational · Comments
This past May, two Ph.D. candidates from the Secure Systems Lab, Santiago Torres-Arias and Daniel Gopstein, successfully defended their dissertations...
- Contrasting Transparent Logs and The Update Framework
2020-02-03 · Posted by: Trishank Karthik Kuppusamy and Marina Moore · Categories: Informational · Comments
When and where would you use one over the other?
- Tearing Down the Paper Walls: Valuing Practical Problem-solving in Academia
2019-12-03 · Posted by: Justin Cappos · Categories: Informational · Comments
While at KubeCon last week in San Diego, one
- Building Better Connections: Part 2
2019-09-03 · Posted by: Justin Cappos · Categories: Informational · Comments
In my previous post, I described how industry participants and academics within the computer systems field have very different understandings of the world today, and rarely interact at common venues...
- Building Better Connections Between Systems Researchers and Practitioners
2019-08-12 · Posted by: Justin Cappos · Categories: Informational · Comments
Academia and industry traditionally play complementary roles in the advancement of scientific and engineering knowledge and in the development of useful products to benefit society as a whole. While industry...
- Setting a New Standard for Automotive Cybersecurity: IEEE/ISTO and Uptane
2019-03-13 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
Standardization represents an important step in the growth of a product or technology. It implies that a sufficient level of adoption has occurred to warrant ...
- in-toto at the Reproducible Builds Summit-Paris 2018
2019-01-18 · Posted by: Lukas Pühringer · Categories: in-toto · Comments
Last December, the fourth annual Reproducible Builds summit drew an international cross-section of computer professionals to Paris. Though ...
- in-toto and TUF in the new Kubernetes Security Book
2018-10-08 · Posted by: Santiago Torres-Arias · Categories: in-toto · Comments
Now you can read about how to secure your Kubernetes delivery using in-toto and TUF in this new book
- Make Popular Paths Popular
2018-09-24 · Posted by: Yiwen Li · Categories: Lind · Comments
Nowadays, untrusted or buggy programs are everywhere, from plugins running in your web browser, to a third-party Python library running on your local machine. As awareness of the scope of this problem grows...
- SPIFFE Security Analysis Made Public (part 2)
2018-09-21 · Posted by: Justin Cappos · Categories: · Comments
As discussed in the previous blog entry, I have been working with contributors to SPIFFE and SPIRE to do a security analysis of their projects. The second part of the analysis...
- SPIFFE Security Analysis Made Public
2018-09-13 · Posted by: Justin Cappos · Categories: · Comments
Over the past few months, I have been working with contributors to SPIFFE and SPIRE to do a security analysis of their projects. Part 1 of our analysis is now live...
- Eliminating Weak Links in the Software Supply Chain
2018-07-02 · Posted by: Lois Anne DeLong · Categories: in-toto · Comments
There is a growing awareness in the open source software development community that, even if a new or revised program is secured at each individual step of its development an uncontaminated final product is still not guaranteed. The nature...
- Retiring Seattle Testbed -- 10 Years and Thousands of Users.
2018-06-26 · Posted by: Justin Cappos · Categories: Seattle, Sensibility · Comments
Ten years ago, I (Justin Cappos) wrote the first few lines of code in a Python based sandbox called Repy, intended for use in a new peer-to-peer cloud environment. This started...
- What makes confusing code so confusing? Current Atoms initiatives look for the Hows, Whys and Wheres
2018-06-05 · Posted by: Lois Anne DeLong · Categories: Atoms of Confusion · Comments
The Atoms of Confusion project deals with perhaps the most random variable in the development of software—the human programmer who writes and/or maintains the code. The contention of...
- TUFening the Cloud: CII Badge Acknowledges Standards of The Update Framework
2018-05-06 · Posted by: Lois Anne DeLong · Categories: TUF · Comments
When the Linux Foundation adopted The Update Framework (TUF) in October of 2017, it both recognized what the software update framework had already achieved to date and set a new standard for it to strive for. As one of...
- SAS Hackathon Creates Teachable Moments for Sensibility Developers
2018-04-03 · Posted by: Lois Anne DeLong · Categories: Sensibility · Comments
Prior to its 2014 gathering, the IEEE Sensors Application Symposium (SAS) invited the Sensibility Testbed team from SSL to run a hands-on, day-long workshop for participants at the conference in Queenstown, New Zealand. At the time...
- Seattle and Fog Computing: Bringing the Cloud Closer to the IoT
2018-02-13 · Posted by: Lois Anne DeLong · Categories: Seattle · Comments
There is no doubt that cloud computing, in one form or another, is here to stay. In 2017, Gartner, a prominent research firm, estimated an 18% growth in worldwide revenue...
- Creating a Web-enabled USB Driver with WebUSB
2018-01-08 · Posted by: Santiago Torres-Arias · Categories: Informational · Comments
WebUSB is an emerging technology that opens numerous possibilities for interaction with hardware devices without the need to install any drivers on the user side. This could be very useful for playing web-based games...
- TUF Featured at CloudNativeCon
2017-12-07 · Posted by: Justin Cappos · Categories: TUF · Comments
A few months ago, TUF was adopted by the Linux Foundation's [Cloud Native Computing Foundation](https://techcrunch.com/2017/10/24/the-cloud-native-computing-foundation-adds-two-security-projects-to-its-open-source-stable/). The CNCF provides a more...
- Uptane named one of the Top Security Innovations of 2017 by Popular Science
2017-10-18 · Posted by: Justin Cappos · Categories: Uptane · Comments
- CacheCash Hackathon: It Takes a Village (or a Lab…)
2017-08-15 · Posted by: Lois Anne DeLong · Categories: CacheCash · Comments
A hackathon can be likened to the barn raisings of old, in which a community would come together for one day to build a barn or a home for a neighbor. Like those earlier communal activities, a hackathon involves a group of individuals collaborating...
- Welcome to Brooklyn: Summer is Intern Season
2017-07-27 · Posted by: Lois Anne DeLong · Categories: Uptane, Seattle, Lind, in-toto, Atoms of Confusion and CrashSimulator · Comments
Over the past few weeks, SSL has welcomed a diverse group of summer interns to 2 Metrotech. A total of 11 undergraduate, master’s, and high school students are now conducting hands-on research in advancement of...
- SSL to NTIA: Secure Software Updates on the IoT
2017-07-03 · Posted by: Lois Anne DeLong · Categories: TUF · Comments
On May 11, President Trump issued an Executive Order to improve the “cybersecurity of Federal networks and critical infrastructure.” The document is a call to action to a number of Federal agencies...
- Medical Device Insecurity --- A Prescription For Disaster
2017-06-17 · Posted by: Justin Cappos · Categories: Upccinate · Comments
This past week I spent time in Finland working with medical device experts. I talked to vendors, hospital IT personnel, and security experts which helped me learn a lot...
- Atoms of Confusion: Tracking the Tiny Causes of Programmer Misunderstanding
2017-06-05 · Posted by: Dan Gopstein · Categories: Atoms of Confusion · Comments
Atoms of Confusion is a project designed to understand the root causes of programmers’ misunderstanding of source code. It is anchored in the idea that empirical software engineering research...
- Rubber Meets the Road: Classroom Lessons Learned from Seattle
2017-05-29 · Posted by: Lois Anne DeLong · Categories: Seattle · Comments
When Seattle first debuted in 2009, it brought to life several exciting ideas. For starters, it demonstrated the potential of cloud technology that could securely run on donated devices. It also gave educators...
- Google Summer of Code -- Python Dependency Resolution
2017-05-22 · Posted by: Justin Cappos · Categories: TUF · Comments
This summer we are giving back to the Python community. I am excited to be working with Donald Stufft to mentor Pradyun Gedam, while he works on dependency resolution for pip...
- TUFening UP Conex
2017-05-15 · Posted by: Justin Cappos · Categories: TUF · Comments
I spent this week with Hannes Mehnert figuring out how best to secure Conex, a TUF-like system for the OCaml community. We spent quite a bit of time poring over the Conex proposal...
- Demonstrated defense: Uptane takes a test drive
2017-05-08 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
While the Uptane group continues to invite white hat hackers to “break our system” before malicious parties attempt to do so for real, several of the developers...
- All in One Day’s Work: Fourth Sensibility Testbed Hackathon
2017-05-01 · Posted by: Yanyan Zhuang · Categories: Sensibility · Comments
For four years, the Sensibility Testbed project has thrown down a gauntlet to students—in less than one day, use the platform to design and test a new sensor...
- Notes from DockerCon 2017
2017-04-24 · Posted by: Justin Cappos · Categories: TUF, in-toto, and Lind · Comments
This week several members of the lab went to DockerCon 2017 to learn about some of the exciting new things happening in the Docker eco-system. We also gave a talk on TUF...
- Coming Attractions. PPH and CrashSimulator at the Expo, April 21
2017-04-17 · Posted by: Lois Anne DeLong · Categories: PolyPasswordHasher and CrashSimulator · Comments
The Research Expo at the NYU Tandon School of Engineering is a showcase where students and faculty alike can share their current research activities with the greater academic...
- Where the Rubber Meets the Road. Lessons learned from NetCheck
2017-04-10 · Posted by: Justin Cappos · Categories: NetCheck · Comments
In 2014, Eleni Gessiou, Yanyan Zhuang, Justin Cappos, and four of their students introduced a new diagnostic tool called...
- Driving Forward. How a Big Idea Begins its Journey Towards Marketplace Acceptance
2017-04-04 · Posted by: Lois Anne DeLong · Categories: Uptane · Comments
So, you’ve come up with a really cool idea, discussed it with some knowledgeable people in order to frame that idea for a specific market, and written a program that is now attracting attention...
- SHAttered: Not All It's Cracked Up to Be
2017-03-27 · Posted by: Lois Anne DeLong · Categories: Informational · Comments
NYU graduate student Santiago Torres-Arias has a one-word message for those who might be shaken up by Google’s February 23 announcement of "the first practical technique" for attacking systems based on SHA-1, and that word is "relax."
- Why Does Our Lab Need A Blog?
2017-03-20 · Posted by: Justin Cappos · Categories: Informational · Comments
Ideas do not always come in conference paper-sized chunks. Sometimes they are too small to fill a paper. Other times they find themselves cut loose from a paper that did not have enough pages to discuss everything. And, in...