added tampering steps to the README

Added tampering steps from the run_demo.py script to the README. Removed redundant variable assignemnts in run_demo.py from copy-pasting code blocks.
GovReady · Oct 21, 2022 · 0192514 · 0192514
1 parent fc5741c
commit 0192514
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -120,13 +120,65 @@ workflow.
 
 ```shell
 cd ../..
+
+# Set up the final product
 mkdir final_product
 cp functionary_bob/project/*.link final_product
 cp owner_alice/project/*.link final_product
 cp owner_alice/root.layout final_product
 cd final_product
+
+# Verify the product
 in-toto-verify --layout root.layout --layout-key ../owner_alice/alice.pub
 ```
+
+### 8. Tamper with the supply chain (Adversary)
+
+Now, let’s try to tamper with the software supply chain. Suppose someone added
+a new commit to Alice's source code before she could tag the project and build
+the container.
+
+```shell
+cd ../owner_alice/project
+echo 'something evil' >> foo.py
+git add foo.py && git commit --amend --no-edit
+```
+
+With the changes now in the project, without Alice's knowledge, it will be
+present in the container.
+
+```shell
+# Tag the changed commit
+in-toto-run -n tag -m git:commit -p git:tag:release --key ../alice -- git tag release
+
+# Build the container
+in-toto-record start -n build-image -k ../alice -m git:commit git:tag:release
+docker build . -f Containerfile --tag ite-4-demo
+in-toto-record stop -n build-image -k ../alice -p docker://ite-4-demo
+
+# Set up the tampered product
+cp functionary_bob/project/*.link final_product
+cp owner_alice/project/*.link final_product
+cp owner_alice/root.layout final_product
+cd final_product
+```
+
+### 9. Verifying the malicious product (Client)
+
+```shell
+in-toto-verify --verbose --layout root.layout --layout-key ../owner_alice/alice.pub
+```
+
+This time, `in-toto-verify` will detect that the resulting commit from the step
+`merge-pr` was not used to tag the project nor build the container image and
+will therefore fail verification and return with a non-zero value. Running it
+in verbose mode will show this in detail.
+
+```shell
+echo $?
+# should print 1
+```
+
 ## Cleaning up and automated run through
 
 ### Clean slate

diff --git a/run_demo.py b/run_demo.py
@@ -200,42 +200,21 @@ def supply_chain():
     print(add_changes_cmd)
     subprocess.call(shlex.split(add_changes_cmd))
 
-    print(commit_changes_cmd)
-    subprocess.call(shlex.split(commit_changes_cmd))
+    commit_malicious_change_cmd = "git commit --amend --no-edit"
+    print(commit_malicious_change_cmd)
+    subprocess.call(shlex.split(commit_malicious_change_cmd))
 
     prompt_key("[Continue as if nothing happened]\nCreate a Tag (Alice)")
-    tag_cmd = ("in-toto-run"
-               " --verbose"
-               " --step-name tag"
-               " --key ../alice"
-               " --materials git:commit"
-               " --products git:tag:release"
-               " -- git tag release")
     print(tag_cmd)
     subprocess.call(shlex.split(tag_cmd))
 
     prompt_key("Build the container image (Alice)")
-    build_container_start_cmd = ("in-toto-record"
-                                 " start"
-                                 " --verbose"
-                                 " --step-name build-image"
-                                 " --key ../alice"
-                                 " --materials git:commit git:tag:release")
     print(build_container_start_cmd)
     subprocess.call(shlex.split(build_container_start_cmd))
 
-    build_container_cmd = ("docker build ."
-                           " --file Containerfile"
-                           " --tag ite-4-demo")
     print(build_container_cmd)
     subprocess.call(shlex.split(build_container_cmd))
 
-    build_container_stop_cmd = ("in-toto-record"
-                                " stop"
-                                " --verbose"
-                                " --step-name build-image"
-                                " --key ../alice"
-                                " --products docker://ite-4-demo")
     print(build_container_stop_cmd)
     subprocess.call(shlex.split(build_container_stop_cmd))
 
@@ -257,10 +236,6 @@ def supply_chain():
     prompt_key("Verify final tampered product (Client)")
     os.chdir("final_product")
     copyfile("../owner_alice/alice.pub", "alice.pub")
-    verify_cmd = ("in-toto-verify"
-                  " --verbose"
-                  " --layout root.layout"
-                  " --layout-key alice.pub")
     print(verify_cmd)
     retval = subprocess.call(shlex.split(verify_cmd))
     print("Return value: " + str(retval))