Virtualization Technology News and Information
VMblog's Expert Interviews: Dennis Zimmer Talks vChain Launch, Software Asset Trust, and Blockchain Verification


I recently came across a new startup that will be shaking things up in 2019 and beyond.  The company is called vChain, and it was started by well-known individuals in the virtualization industry, namely Moshe Bar, who co-founded Qumranet (KVM) and XenSource (Xen), as well as Dennis Zimmer, founder of Opvizor and a 10 year VMware vExpert.   

So what are these two up to now?  Well, vChain offers a de-centralized trust verification platform for software publishers, which enables businesses for the first time to authoritatively assert the provenance of the software they use for their mission critical applications.  To find out more, VMblog spoke with Zimmer to get the details.

VMblog:  Tell us a little bit about this new company.  How did it come about?

Dennis Zimmer:  vChain was founded in late summer 2018 by Moshe Bar, a well-known name in the software industry both as a tech visionary and as the founder of XenSource (Xen Hypervisor) and Qumranet (KVM Hypervisor), and Dennis Zimmer, an opinion leader in the virtualization space for the last 20 years and a VMware vExpert for 10 years since the award was first introduced. 

Through our long-standing experience with VM images, containers and source code, we realized that there was no solution in the market which could guarantee the integrity and identity of the software assets. In today's open, agile and fast-changing world there is a huge risk to deploy malicious, outdated or insecure software unknowingly by deceit.

System administrators and DevOps folks are continuously at risk of accidentally choosing the wrong library to install or container to deploy. In the blockchain technology we found the missing link which would allow us to build a revolutionary solution to this problem and to provide software integrity and trust once and for all.

As we all know, digital certificates are unfit for encrypted communication, witness the rise of Let´s Encrypt. The same is true for signing code and virtual assets. Today, 66% of malware is signed using officially issued digital certificates. However, software publishers cannot sign each digital asset individually because that would be a cost and management nightmare.

So, the bad guys know that as long as they provide any kind of digital certificate their malicious code will be installed because - let's be honest - who ever checks certificates before installing software.

VMblog:  And can you dive into the technology to explain what it is that you do and offer?

Zimmer:  vChain is a platform for providing and verifying software trust. Software publishers can create their unique and verified identity on vChain and sign their code. Compared to digital certificate, each asset is signed with an individual signature (committed to the platform) instead of a company-wide certificate. This means that vendors can manage their signatures at single asset level. Software assets can be everything - source code, binaries, containers, iso or virtual machine images, scripts, patches, etc. 

The platform consists of multiple software technologies and components.

The first component is our backend, built on top of a fast and immutable blockchain that is operated by the Zero-Trust Consortium (ZTC). The ZTC is a consortium which operates a permissioned and open blockchain by the software industry for the software industry.

The second component is our vChain CodeNotary Command Line Interface (CLI). It is a simple command line tool that allows any developer to sign her own source code and integrate that into the build process.

No matter if signing a container, virtual machine image or source code, manually or in an automated build process, with CodeNotary solution providers are always in control of their software assets and can sign, recall or deprecate them as needed. Software publishers and providers of digital artifacts can also analyze statistics about their signed assets and manage their signatures through modern dashboards and, of course, APIs.

CodeNotary CLI is our most powerful offering for the upcoming future and is going to disrupt the world of digital artifact verification for good.

Finally, just this week we've released our vChain CodeNotary browser extension for Chrome, available for free here on the Chrome Web Store. The extension allows everybody out there to verify the integrity of downloads against that vChain blockchain-based registry. This verification replaces the typical manual MD5 or SHA-1. In the next version, you can expect the ability to sign your own VM images, containers, or any kind of digital asset through the same interface. This enables a 1 step integrity verification of any downloaded file for the world at large.

VMblog:  What are some of the problems that you are trying to solve?

Zimmer:  Before vChain the issuer and owner of a digital certificate used to sign software artifacts, were two different entities. This created a disconnect between what the publishers would like to sign and what is reasonably feasible with that old approach.

With vChain blockchain-based verification platform the owner and issuer of the signature are one and the same, without the need to go through third party (i.e. Certificate Authority). With vChain there is full visibility over the signature (what was signed, when, etc.) as well as manageability of the software asset throughout its whole lifecycle. At the very core, vChain democratizes and liberates digital signatures from the hard and expensive bond of digital certificates authorities.

Imagine the following exercise:

  1. Add trust to your software by signing your assets with infinite granularity
  2. Now make it a 1 step process
  3. Repeat #2 at will for any number of artifacts and assets

CodeNotary allows you to manage your signed software centrally. Being able to see what was signed, when, by whom (you might be working in an organization where multiple people can sign assets) as well as when it was verified, from where, etc. means being in full control of your software assets, whether distributed to customers or for internal purposes.

For example, imagine recalling a version of your software or docker image because there is a known security vulnerability or because you do not support it any more, in seconds and with a 1 step command.

Today, software vendors sign all their software distributions using the same certificate and it's impossible to know how many assets have been signed with a given certificate (including if someone else got hold of your certificate private key and signed malicious code with it). That also means that the revocation process is broken and made impossible at scale. Just see what happened last week when Apple revoked the enterprise app certificate to Facebook and Google (Techcrunch article). In reality, only one app was responsible of breaching the Apple enterprise app certificate agreement, but because certificates lack the level of granularity, all their enterprise apps stopped working!

With vChain signatures on software assets can be revoked in a quick 1 step procedure. Being able to revoke certificates from obsolete or buggy software lowers support costs for the software vendors and creates more revenue opportunities by convincing customers to upgrade. This takes us to a world where security is built into each asset, indelibly, and verifiable from anywhere.

VMblog:  Why use blockchain at all?

Zimmer:  Blockchain eliminates the need for a central signing authority, which, by the way, can and have been hacked in the past. A blockchain provides a universally accessible, immutable, unhackable and cryptographically secure registry which replaces centralized, inflexible and expensive commercial certificate authorities. vChain simply provides the tooling and simple solutions to enable that. 

We opted for a permissioned consortium blockchain which drastically reduces the confirmation time and increases throughput, so that it fits the typical requirement of software companies like us, who submit hundreds of thousands of transactions per minute.

vChain is based on the Zero-Trust Consortium Blockchain, which we at vChain initiated and proudly support. 

VMblog:  What about the browser extension you just released?  Can you explain it for readers?

Zimmer:  Our extension Download File Integrity Verification is a showcase for our technology to show what it is capable of. After installing it from the Chrome Web Store, it automatically verifies the integrity of every download. At this time over 600 top downloads have already been signed with vChain and the number goes up every day.

vChain first true commercial product is CodeNotary. It allows software vendors and their customers to sign and verify software assets with a 1 step command (OS independent). We are releasing our beta at the end of this month and, currently, beta users are signing up (Sign Up for Beta).

VMblog:  Given your background in virtualization and cloud infrastructures, what is vChain doing in that space?

Zimmer:  All digital assets whether source code, binaries, VM images and docker containers have today become essentially untrustable objects. When we download a docker container from DockerHub or when we restore a VM image that was previously backed up, we have no way to verify the origin and veracity of what we are about to install.

Malicious users have become very sophisticated and do not limit themselves to tampering applications and libraries. Indeed, they cover the entire spectrum of server-side software assets. This situation cannot be sustained much longer. As software users, we need to be able to verify integrity and origin in a simple, reliable manner. In an organization such as a business it's hard to blame someone for bringing in malicious software in house, if he/she didn't have the tools to prevent it. vChain finally provides a universally available platform to verify integrity of any kind of digital assets, whether VM images or a simple software download.

VMblog:  Before we go, I have to ask, what can we expect in the future from you?

Zimmer:  We have a very aggressive schedule and ambitious goals. The more digital assets are signed with vChain the more end customers will get the benefits of using trusted software, in an exponentially expanding graph of trust. By releasing our software into the open source we invite peer review and accelerate distribution.

vChain is establishing itself as the standard provider of the go-to trust verification platform, open sourced, democratized and decentralized, for the benefit of all.


Published Thursday, February 14, 2019 7:32 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<February 2019>