Binary Authorization for Borg

102 points, by mayakacz, over 5 years ago

10 comments

rsync, over 5 years ago
In case anyone else wonders what 'borg' is:

"Our infrastructure is containerized, using a cluster management system called Borg."

I was hoping they had some predictable, indexed build for borg backup[1].

[1] https://www.stavros.io/posts/holy-grail-backups/
trishankdatadog, over 5 years ago
On a related note, we have built an E2E-verified, tamper-evident CI/CD pipeline for the Datadog Agent integrations [1]: the Agent will trust and install only integrations that correspond to source code that has been signed by our developers. If there is an attack anywhere between our developers and end-users, it will be caught.

Unlike Binary Authorization for Borg, our security guarantees are publicly verifiable.

[1] https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/
justicezyx, over 5 years ago
I led the portion of this project on Borg itself.

Security team did most of the security infrastructure, and coordination among almost every large infrastructure system team inside TI.

I'll be waiting for them to answer any questions. :)
seriesf, over 5 years ago
One thing that really squicked me out when I left Google is how other companies, even large and sophisticated ones, are using all kinds of garbage that comes from Canonical or Red Hat or Percona, and they have NO IDEA what's in there. Say what you want about Google's NIH culture, but in regards to code provenance and verifiable builds they are doing the right thing and many others are not.
philsnow, over 5 years ago
> Adopting similar controls in your organization

> Figure out how to manage third party code.

> Many of the CI/CD controls we describe in this paper are placed where your code is developed, reviewed, and maintained by one organization. If you are in this situation, consider how you will include third party code as part of your policy requirements. For example, you could initially exempt the code, while you move towards an ideal state of keeping a repository of all third party code used, and regularly vet that code against your security requirements.

I don't know how much third party code is in use at Google these days, but I'd be curious to know if there is a formal effort at cataloging most-often used / most-sensitive third party code and prioritizing reviews of it.

I've thought about the problem of vetting programming language packages (pypi, npm, rubygems, whatever) off and on. It seems like the only two tenable strategies are "don't pin anything / always use tip of master" and "freeze deps, vet transitive deps at that frozen point, vendor the corresponding deps, and if you ever need to update a requirement for a feature or bugfix, go through the process again".

The latter seems like it could be out-sourced to a certain degree, if you trusted other organizations to "vet transitive deps".
sterlind, over 5 years ago
At Microsoft, we just require all binaries to be signed on production systems. Some systems are configured to block execution of unsigned code. Where we can't do that, monitoring cuts an immediate sev-2 and wakes us up if any unsigned code is executed.

Does Linux not have a way to run only signed ELFs?
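The deploy-time check that Binary Authorization for Borg and the signed-binary policy in the comment above both describe, as an added illustration that is not code from the paper, from Google, or from any commenter: a binary is admitted only if every attestor the policy requires has a valid attestation over that exact binary digest, and every denial is recorded for monitoring. The attestor names, keys and the HMAC stand-in for a real signature scheme are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in: each attestor holds a secret key and "signs" a digest
# with HMAC-SHA256. A real deployment would use asymmetric signatures; the
# thread does not specify a primitive, so this is an assumption for the demo.
ATTESTOR_KEYS = {
    "code-review": b"constructed-key-review",
    "verified-build": b"constructed-key-build",
}

@dataclass(frozen=True)
class Attestation:
    attestor: str
    digest: str     # hex SHA-256 of the binary the attestor vouched for
    signature: str  # hex HMAC over "attestor:digest"

def digest_of(binary: bytes) -> str:
    return hashlib.sha256(binary).hexdigest()

def _mac(attestor: str, digest: str) -> str:
    key = ATTESTOR_KEYS[attestor]
    return hmac.new(key, f"{attestor}:{digest}".encode(), hashlib.sha256).hexdigest()

def sign(attestor: str, digest: str) -> Attestation:
    """Issued by the attestor after its step (review, verified build) passes."""
    return Attestation(attestor, digest, _mac(attestor, digest))

def attestation_valid(att: Attestation, digest: str) -> bool:
    # Reject unknown attestors, attestations for a different binary, and bad MACs.
    if att.attestor not in ATTESTOR_KEYS or att.digest != digest:
        return False
    return hmac.compare_digest(_mac(att.attestor, digest), att.signature)

def admit(binary: bytes, attestations: list, required: tuple, audit: list) -> bool:
    """Deploy-time policy: allow only if every required attestor has a valid
    attestation for this exact binary. Denials are logged so monitoring can
    page on any attempt to run unattested code."""
    digest = digest_of(binary)
    satisfied = {a.attestor for a in attestations if attestation_valid(a, digest)}
    missing = [r for r in required if r not in satisfied]
    if missing:
        audit.append({"event": "deny", "digest": digest, "missing": missing})
        return False
    audit.append({"event": "allow", "digest": digest})
    return True
```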
tptacek, over 5 years ago
Has anyone outside of Google implemented something similar in spirit to this for K8s or ECS? What was the threat model you were considering when you built it? Was it worth it?
alexellisuk, over 5 years ago
Fascinating, the part we may get the most out of is "Adopting similar controls in your organization" - not just Google For Everyone Else.
HocusLocus, over 5 years ago
I read the CIO-level summary!

Woo hoo hoo! Im portant.
panarky, over 5 years ago
> We want to have confidence that the administrators who run the systems that access user data cannot abuse their powers.

So "Binary Authorization for Borg" is a defense against getting Snowdened.