End-to-end encryption for git services developed

Publicly released:
Australia; International; NSW
Demonstration of the protected text when end to end encryption is deployed

Most of the world’s code is stored on git services, online hosting platforms commonly used in the IT industry to develop software. But their popularity has made them a target for repeated security breaches. Now, researchers have announced they have successfully developed end-to-end encryption for git services that can ensure security with little impact on performance.

Media release

From: The University of Sydney

From large technology corporations to startups, from computer science students to indie developers, using ‘git services’ is as common as opening a Word document is for most of the rest of us. Git services are online repositories, indispensable in the IT industry, which manage and store projects that may contain sensitive information or trade secrets such as emerging artificial intelligence models.

However, this makes git services vulnerable to frequent cybersecurity threats. There is also the risk of malicious code being inserted into existing projects without the developer’s knowledge.

University of Sydney researchers are part of a team that has developed end-to-end encryption that can be deployed to protect git services. The encryption is compatible with existing git platforms such as GitHub and Bitbucket. When deployed, the researchers say, it adds little overhead to storage or to the time it takes for data to be synchronised between devices and git servers.

This work was supported in part by Google via the Digital Future Initiative, which supports Australian infrastructure, research, and partnerships to build a stronger digital future for all Australians.

Initial testing on existing git services and public repositories (data sources available for researchers to test algorithms) has been successful.

“Privacy and security of software code has long been a concern for industry and individual users that rely on git services,” said one of the lead developers Associate Professor Qiang Tang, from the School of Computer Science, Faculty of Engineering.

“Just like we want our messages to be private and safe, the IT industry also wants its code to be protected. End-to-end encryption is currently the gold standard to protect data.”

End-to-end encryption works by securing data from start to finish: the data sent is protected from the source to the destination, even if the service platform is hacked. It is currently used in messaging services such as WhatsApp.

The researchers say the threat of security breaches to git services is becoming more commonplace. Earlier in the year cryptocurrency exchange Coinbase was a target. In 2022 Okta had source code stolen.

But Associate Professor Tang says current efforts on git security are not strong enough and carry large overheads, meaning they consume a significant amount of computational resources such as processing time, bandwidth, or storage.

The researchers hope to introduce the code to git services for widespread use or intend to make it open source. The results will be presented at the ACM Conference on Computer and Communications Security in October.

Collaborator Moti Yung, distinguished research scientist from Google, said that this was an excellent opportunity to protect the git services system and its users.

“The evolution of computing ecosystems always starts with a new utility designed for trusted entities: the Internet, the Mobile Networks, Chat Apps, and so on.

Therefore, as these utilities mature and expand, one then has to deal with less trusted and malicious players within the ecosystem. Git services, enabling collaboration and version control among participants, also started without thoroughly taking care of potential bad players, and the system proposed now is a necessary step to its maturity.”

Creating the security box for the world’s code / The rising demand for ‘End-to-end security’ online

Imagine git services as a giant Word document where countless people can write, edit and update content, but for computer code.

“What makes Git services such as Github indispensable is their ability to host a large number of collaborators working on the same coding project at the same time, without losing any efficiency,” said Associate Professor Tang.

“However, this advantage is also an obstacle that prevented git services from getting end-to-end encryption.”

When you use a messaging service, the content or text remains relatively unchanged, or the edits will be very minor.

But in GitHub, countless lines of code are being written, edited and updated constantly, at such a rapid rate that standard end-to-end encryption cannot keep up. It would constantly need to refresh to encrypt new versions.

“It’s a balancing act – keep the code safe but not where it impacts the user’s computer so much that it becomes a hindrance.”

The research team was able to achieve this balance with a trade-off: by using only small amounts of computational power at a time, it significantly reduces the communication and storage needed. Specifically, it uses character-level encryption in which only the edits are treated as new data to be encrypted and appended to the existing encrypted data. In this way, the pressure on computational resources becomes minimal.

Another way of putting it is if you removed a word from a sentence in a document, the code would recognise that and encrypt the change, instead of encrypting the entire document.

By doing this it would save a large amount of bandwidth and storage otherwise used on each entire new version of the code.
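As an added illustration of the edit-level approach described above (example code written for this page, not the researchers' scheme, whose details are in their CCS paper), the following Python sketch computes a character-level edit script between two versions of a file, encrypts and appends only that script, and compares its size to re-encrypting the whole file. The constructed key and the HMAC-based encrypt-then-MAC stand-in for a real AEAD are assumptions so that it runs stand-alone.

```python
import difflib, hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # HMAC-SHA256(key, "enc"||nonce||counter) as a PRF keystream: an illustrative stand-in for a real AEAD
    ks = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || HMAC tag
    nonce = os.urandom(12)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: encrypted edit was modified")
    return _xor_stream(key, nonce, ct)

def edit_script(old, new):
    # Character-level edits as (start, end, replacement text); a deletion has empty text.
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [[i1, i2, new[j1:j2]] for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def apply_edits(old, edits):
    out, pos = [], 0
    for i1, i2, text in edits:
        out, pos = out + [old[pos:i1], text], i2
    return "".join(out + [old[pos:]])

def commit(key, log, old, new):
    # Encrypt only the edit script and append it: the server stores ciphertext it can neither read nor alter.
    blob = seal(key, json.dumps(edit_script(old, new)).encode())
    log.append(blob)
    return len(blob)

def replay(key, log):  # a key-holding client rebuilds the file by decrypting and replaying all edits
    doc = ""
    for blob in log:
        doc = apply_edits(doc, json.loads(unseal(key, blob)))
    return doc

def demo():
    key, log = hashlib.sha256(b"constructed demo key").digest(), []  # constructed key, not a real KDF output
    v1 = "def add(a, b):\n    return a + b\n"
    v2 = v1[:-1] + "  # sum\n"
    commit(key, log, "", v1)            # first version: the whole file is the edit
    delta = commit(key, log, v1, v2)    # second version: only the added comment is encrypted and pushed
    full = len(seal(key, v2.encode()))  # what re-encrypting the entire file would cost instead
    return replay(key, log) == v2, delta, full
```

The tracking and verification of who made each edit, which Dr Li describes below as a subtle requirement, is not modelled here; the sketch only shows why encrypting edits rather than whole versions saves bandwidth and storage.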

Co-author Dr Yanan Li from the University of Sydney said another challenge was to identify the necessary security requirements, which at times could be subtle. For example, when to enable the tracking and public verification of the source of all edits.

“With addressing this issue, it leaves the git server vulnerable to the potential injection of malicious code and sometimes can even directly hinder confidentiality.”

Journal/conference: ACM Conference on Computer and Communications Security
Research: Paper
Organisation/s: The University of Sydney
Funder: Declaration: The authors declare no competing interests. This work is supported in part by Google via the Digital Future Initiative.