The ArmoredWitness project is intended to kick-start a cross-ecosystem witness network, providing split-view attack prevention to a growing set of transparency-enabled ecosystems.
Transparency systems work by ensuring that all actors in a given ecosystem see the same append-only list of data, typically stored in verifiable logs. This allows folks relying on this data to be confident that even if they are unable to determine the correctness of the data themselves, it is visible to others who can verify it and call out badness.
If a malicious log is able to present inconsistent views of itself to different roles, then such badness can go undetected.
Witnessing is a solution to this "split-view" attack: well-known identities verify the append-only property of a given log, countersigning only those checkpoints (commitments to the state of a log) that were verified to be consistent with all earlier checkpoints the witness has seen. These counter-signed checkpoints are made available, enabling 3rd parties to be sure that transparency logs are not targetting them with a split-view.
A deeper dive into witnessing is provided in the Think local, act global: Gossip and Client Audits in Verifiable Data Structures paper.
By building these devices, and asking a number of folks around the world to be custodians of them, we aim to:
The ArmoredWitness device is a small networked device based on the USB armory, adding an RJ45 LAN port which supports PoE, and running an open-source implementation of a witness configured to support a growing number of transparency-enabled ecosystems. We're making a small number of these devices, and plan to distribute them to folks who are passionate about one or more of the witnessed ecosystems. Once provisioned, the ArmoredWitness devices will only run the ArmoredWitness firmware, so will not be repurposable for other use cases.
Like the USB armory, the new device is an opensource hardware design too, more info is available here.
The hardware provides a number of interesting security features which we use in the design:
The firmware for the ArmoredWitness is all written in Go, and compiled with TamaGo into a bare-metal executable. This enables us to take advantage of Go's memory safety and excellent standard library, and avoid needing to take a dependency on any traditional generic bootloader/kernel/OS combinations, considerably reducing the surface area of the codebase.
There are 3 main parts to the ArmoredWitness firmware stack:
Along with other ancillary parts:
Each of the four firmware components listed above are built and released by a staticly-configured pipeline, and ultimately make their way into a public Firmware Transparency log.
The deployment/build_and_release directory contains Terraform configs to define Cloud Build triggers which build and release the firmware and recovery image.
TODO(jayhou): add public links.
Given how important the role of witnessing is to the security properties of transparency-enabled ecosystem, it's also important that the operation of the witnesses, and therefore the software running on the devices, is as open to inspection and verification as possible.
We have embodied this principle into the design of the ArmoredWitness firmware and tooling:
provision
tool will only use firmware artefacts discovered in the FT log in order to program devices.verify
tool can be used to inspect the device, extract the firmware components from it, and verify that they are present in the FT log.verify_build
command continuously monitors the contents of the FT log, and tests that every logged firmware is indeed reproducibly built.More detail is available in the docs/transparency.md page.
Role | Description |
---|---|
Claimant | Transparency.dev team |
Claim |
|
Believer | The provision and verify tools. |
Verifier |
|
Arbiter | Log ecosystem participants and reliers |
The Statement is defined in https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog/log_entries.go. An example is available at https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog//example_firmware_release.json.