I recently came across a new startup that will be shaking things up in 2019 and beyond. The company is called vChain, and it was started by well-known individuals in the virtualization industry, namely Moshe Bar, who co-founded Qumranet (KVM) and XenSource (Xen), as well as Dennis Zimmer, founder of Opvizor and a 10-year VMware vExpert.

So what are these two up to now? vChain offers a decentralized trust verification platform for software publishers, which enables businesses for the first time to authoritatively assert the provenance of the software they use for their mission-critical applications. To find out more, VMblog spoke with Zimmer to get the details.
VMblog: Tell us a little bit about this new company. How did it come about?
Dennis Zimmer: vChain was founded in late summer 2018 by Moshe Bar, a well-known name in the software industry both as a tech visionary and as the founder of XenSource (Xen Hypervisor) and Qumranet (KVM Hypervisor), and Dennis Zimmer, an opinion leader in the virtualization space for the last 20 years and a VMware vExpert for 10 years, since the award was first introduced.

Through our long-standing experience with VM images, containers and source code, we realized that there was no solution in the market which could guarantee the integrity and identity of software assets. In today's open, agile and fast-changing world there is a huge risk of unknowingly deploying malicious, outdated or insecure software by deceit. System administrators and DevOps folks are continuously at risk of accidentally choosing the wrong library to install or container to deploy. In blockchain technology we found the missing link which would allow us to build a revolutionary solution to this problem and to provide software integrity and trust once and for all.

As we all know, digital certificates are unfit for encrypted communication; witness the rise of Let's Encrypt. The same is true for signing code and virtual assets. Today, 66% of malware is signed using officially issued digital certificates. However, software publishers cannot sign each digital asset individually because that would be a cost and management nightmare.

So the bad guys know that as long as they provide any kind of digital certificate their malicious code will be installed because, let's be honest, whoever checks certificates before installing software?
VMblog: And can you dive into the technology to explain what it is that you do and offer?
Zimmer: vChain is a platform for providing and verifying software trust. Software publishers can create their unique and verified identity on vChain and sign their code. Compared to digital certificates, each asset is signed with an individual signature (committed to the platform) instead of a company-wide certificate. This means that vendors can manage their signatures at the single-asset level. Software assets can be anything: source code, binaries, containers, ISO or virtual machine images, scripts, patches, etc.

The platform consists of multiple software technologies and components.

The first component is our backend, built on top of a fast and immutable blockchain that is operated by the Zero-Trust Consortium (ZTC). The ZTC is a consortium which operates a permissioned and open blockchain by the software industry for the software industry.

The second component is our vChain CodeNotary Command Line Interface (CLI). It is a simple command line tool that allows any developer to sign her own source code and integrate that into the build process. No matter if signing a container, virtual machine image or source code, manually or in an automated build process, with CodeNotary, solution providers are always in control of their software assets and can sign, recall or deprecate them as needed. Software publishers and providers of digital artifacts can also analyze statistics about their signed assets and manage their signatures through modern dashboards and, of course, APIs. CodeNotary CLI is our most powerful offering for the upcoming future and is going to disrupt the world of digital artifact verification for good.

Finally, just this week we've released our vChain CodeNotary browser extension for Chrome, available for free on the Chrome Web Store. The extension allows everybody out there to verify the integrity of downloads against the vChain blockchain-based registry. This verification replaces the typical manual MD5 or SHA-1 check. In the next version, you can expect the ability to sign your own VM images, containers, or any kind of digital asset through the same interface. This enables 1-step integrity verification of any downloaded file for the world at large.
VMblog: What are some of the problems that you are trying to solve?
Zimmer: Before vChain, the issuer and the owner of a digital certificate used to sign software artifacts were two different entities. This created a disconnect between what the publishers would like to sign and what is reasonably feasible with that old approach.

With the vChain blockchain-based verification platform the owner and issuer of the signature are one and the same, without the need to go through a third party (i.e. a Certificate Authority). With vChain there is full visibility over the signature (what was signed, when, etc.) as well as manageability of the software asset throughout its whole lifecycle. At the very core, vChain democratizes and liberates digital signatures from the hard and expensive bond of digital certificate authorities.

Imagine the following exercise:

- Add trust to your software by signing your assets with infinite granularity
- Now make it a 1-step process
- Repeat #2 at will for any number of artifacts and assets

CodeNotary allows you to manage your signed software centrally. Being able to see what was signed, when, by whom (you might be working in an organization where multiple people can sign assets) as well as when it was verified, from where, etc. means being in full control of your software assets, whether distributed to customers or for internal purposes.

For example, imagine recalling a version of your software or Docker image because there is a known security vulnerability or because you do not support it any more, in seconds and with a 1-step command.

Today, software vendors sign all their software distributions using the same certificate and it's impossible to know how many assets have been signed with a given certificate (including if someone else got hold of your certificate's private key and signed malicious code with it). That also means that the revocation process is broken and made impossible at scale. Just see what happened last week when Apple revoked the enterprise app certificate for Facebook and Google (TechCrunch article). In reality, only one app was responsible for breaching the Apple enterprise app certificate agreement, but because certificates lack that level of granularity, all their enterprise apps stopped working!

With vChain, signatures on software assets can be revoked in a quick 1-step procedure. Being able to revoke certificates from obsolete or buggy software lowers support costs for the software vendors and creates more revenue opportunities by convincing customers to upgrade. This takes us to a world where security is built into each asset, indelibly, and verifiable from anywhere.
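The granularity and revocation argument in this answer, illustrated as an added Python example that is not vChain's or CodeNotary's code and makes no claim about how their platform is implemented: a toy hash-chained, append-only registry in which every asset gets its own signed entry and its own revocation, so recalling one artifact leaves the publisher's other artifacts untouched, and a verifier checks a download by its SHA-256 digest instead of comparing hashes by hand. The publisher name, key and file contents are constructed for the demo, and an HMAC under the publisher's key stands in for a real digital signature; a real registry would use asymmetric keys so that verifiers hold only public keys.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List

TRUSTED, REVOKED, UNKNOWN = "trusted", "revoked", "unknown"


@dataclass(frozen=True)
class Entry:
    index: int
    prev_hash: str      # hash of the previous entry: makes the log append-only
    publisher: str
    asset_sha256: str   # one entry per artifact, not one certificate per vendor
    status: str         # TRUSTED or REVOKED
    signature: str      # demo stand-in (HMAC) for the publisher's signature
    entry_hash: str


def _payload(index: int, prev_hash: str, publisher: str,
             asset_sha256: str, status: str) -> bytes:
    # Canonical serialization so signer and verifier hash identical bytes.
    return json.dumps({"i": index, "prev": prev_hash, "pub": publisher,
                       "sha256": asset_sha256, "status": status},
                      sort_keys=True).encode()


class Registry:
    """Illustrative hash-chained log of per-asset signatures (not vChain's design)."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def _head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else "0" * 64

    def append(self, publisher: str, key: bytes, asset_sha256: str, status: str) -> Entry:
        index, prev = len(self.entries), self._head()
        payload = _payload(index, prev, publisher, asset_sha256, status)
        # Stand-in for a real digital signature: HMAC under the publisher's key.
        sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
        entry_hash = hashlib.sha256(payload + sig.encode()).hexdigest()
        entry = Entry(index, prev, publisher, asset_sha256, status, sig, entry_hash)
        self.entries.append(entry)
        return entry

    def chain_is_intact(self) -> bool:
        """Recompute every entry hash and link; any edited entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            payload = _payload(e.index, prev, e.publisher, e.asset_sha256, e.status)
            expected = hashlib.sha256(payload + e.signature.encode()).hexdigest()
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

    def status_of(self, asset_sha256: str, keys: Dict[str, bytes]) -> str:
        """The latest validly signed entry for this exact digest decides."""
        result = UNKNOWN
        for e in self.entries:
            if e.asset_sha256 != asset_sha256 or e.publisher not in keys:
                continue
            payload = _payload(e.index, e.prev_hash, e.publisher, e.asset_sha256, e.status)
            expected = hmac.new(keys[e.publisher], payload, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, e.signature):
                result = e.status
        return result


def verify_download(registry: Registry, data: bytes, keys: Dict[str, bytes]) -> str:
    """1-step check: hash the downloaded bytes and look the digest up."""
    return registry.status_of(hashlib.sha256(data).hexdigest(), keys)


def demo() -> Dict[str, object]:
    # Constructed publisher key and file contents for the demonstration.
    keys = {"acme": b"constructed-demo-key"}
    app_a = b"constructed bytes of acme-app-1.0.bin"
    app_b = b"constructed bytes of acme-app-1.1.bin"
    reg = Registry()
    reg.append("acme", keys["acme"], hashlib.sha256(app_a).hexdigest(), TRUSTED)
    reg.append("acme", keys["acme"], hashlib.sha256(app_b).hexdigest(), TRUSTED)
    # Recall only version 1.0: a per-asset revocation, not a publisher-wide one.
    reg.append("acme", keys["acme"], hashlib.sha256(app_a).hexdigest(), REVOKED)
    return {
        "a": verify_download(reg, app_a, keys),
        "b": verify_download(reg, app_b, keys),
        "b_tampered": verify_download(reg, app_b + b"\x00", keys),
        "chain_intact": reg.chain_is_intact(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the point of per-asset granularity: the recalled 1.0 build verifies as revoked while the 1.1 build stays trusted, a single-byte modification of 1.1 yields no match at all (unknown, which a verifier should treat as untrusted), and an entry forged under a key the verifier does not accept is ignored. The `chain_is_intact` check is the defender's sanity test that nobody has quietly rewritten a historical entry.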
VMblog: Why use blockchain at all?
Zimmer: Blockchain eliminates the need for a central signing authority, which, by the way, can be and have been hacked in the past. A blockchain provides a universally accessible, immutable, unhackable and cryptographically secure registry which replaces centralized, inflexible and expensive commercial certificate authorities. vChain simply provides the tooling and simple solutions to enable that.

We opted for a permissioned consortium blockchain, which drastically reduces the confirmation time and increases throughput, so that it fits the typical requirement of software companies like us, who submit hundreds of thousands of transactions per minute.

vChain is based on the Zero-Trust Consortium Blockchain, which we at vChain initiated and proudly support.
VMblog: What about the browser extension you just released? Can you explain it for readers?
Zimmer: Our extension, Download File Integrity Verification, is a showcase for our technology to show what it is capable of. After installing it from the Chrome Web Store, it automatically verifies the integrity of every download. At this time over 600 top downloads have already been signed with vChain and the number goes up every day.

vChain's first true commercial product is CodeNotary. It allows software vendors and their customers to sign and verify software assets with a 1-step command (OS independent). We are releasing our beta at the end of this month and, currently, beta users are signing up (Sign Up for Beta).
VMblog: Given your background in virtualization and cloud infrastructures, what is vChain doing in that space?
Zimmer: All digital assets, whether source code, binaries, VM images or Docker containers, have today become essentially untrustable objects. When we download a Docker container from Docker Hub or when we restore a VM image that was previously backed up, we have no way to verify the origin and veracity of what we are about to install.

Malicious users have become very sophisticated and do not limit themselves to tampering with applications and libraries. Indeed, they cover the entire spectrum of server-side software assets. This situation cannot be sustained much longer. As software users, we need to be able to verify integrity and origin in a simple, reliable manner. In an organization such as a business it's hard to blame someone for bringing malicious software in house if he/she didn't have the tools to prevent it. vChain finally provides a universally available platform to verify the integrity of any kind of digital asset, whether VM images or a simple software download.
VMblog: Before we go, I have to ask, what can we expect in the future from you?
Zimmer: We have a very aggressive schedule and ambitious goals. The more digital assets are signed with vChain, the more end customers will get the benefits of using trusted software, in an exponentially expanding graph of trust. By releasing our software as open source we invite peer review and accelerate distribution.

vChain is establishing itself as the standard provider of the go-to trust verification platform, open sourced, democratized and decentralized, for the benefit of all.