Vessel: Advancing the DoW’s Software Ecosystem with Secure and Trustworthy Reproducible Container Builds
Created October 2023
With the Vessel tool, Carnegie Mellon University's Software Engineering Institute (SEI) aims to advance the success of the Department of War's (DoW’s) software through reproducible builds. The use of container reproducible builds has been inhibited by low awareness of reproducibility practices, builds not being reproducible, and insufficient tools to detect and address errors. In our Vessel project, we’re developing the resources and tools needed to (1) increase the understanding of container reproducible-build practices, (2) create container builds that are reproducible, and (3) detect and allow for the correction of errors in reproducible builds before and after they have been built. By increasing the use and success of reproducible builds, the SEI aims to advance the DoW’s software ecosystem, which in turn will protect the warfighter and advance national security.
Inability, Limited Knowledge, and Errors: Challenges with Reproducible Builds
Securing the container build process from malicious tampering is critical to protecting national and proprietary interests. Having reproducible container builds increases the trustworthiness of the build artifacts by providing consistent outputs and predictable behaviors.
However, there is limited awareness of container reproducible-build practices. Furthermore, even if software engineers are aware of reproducibility, builds themselves are rarely reproducible because elements of build environments often rely on external, nondeterministic factors (e.g., timestamps, filesystem file ordering, and unique ID generation).
Additionally, when builds are reproduced, failures often occur when (1) a reproducibility issue exists in a build environment (e.g., an unpinned package dependency) and (2) an external factor changes in a way that exercises that issue (e.g., an update to that package occurring between builds). The failure results in the creation of two container images that do not match (i.e., contain different files) from builds using the same container build environment (e.g., a specific Dockerfile).
A further limitation for the success of reproducible builds is that existing tools are limited in their ability to find and fix common issues. For example, Dockerfiles can be used to identify some reproducibility issues, such as nonexistent version pinning; however, they are not designed for reproducibility and so do not identify other issues (e.g., volatile input sources or timestamps).
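The issue classes named above (an unpinned base image, an unpinned package, a volatile remote input) can be checked mechanically. The following is an added illustration, not Vessel's code or rule set; the three rules, the function names, and the sample Dockerfile are assumptions made for the example.

```python
import re

# Constructed sample Dockerfile (not from the page); image, packages, URL are placeholders.
SAMPLE = """\
FROM debian:bookworm AS build
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl=1.2.3-1 git
ADD https://example.com/tool.tar.gz /opt/
FROM build AS test
"""

def logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        start = start if buf else number
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()
        buf = ""

def lint(text):
    """Return (line, message) findings for three illustrative reproducibility rules."""
    findings, stages = [], {"scratch"}
    for line, instr in logical_lines(text):
        op, _, args = instr.partition(" ")
        if op.upper() == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]
            if tokens and tokens[0] not in stages and "@sha256:" not in tokens[0]:
                findings.append((line, f"base image {tokens[0]} is not pinned by digest"))
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])  # later FROM lines may reuse this stage name
        elif op.upper() == "ADD" and re.search(r"https?://", args):
            findings.append((line, "remote ADD source can change between builds"))
        elif op.upper() == "RUN":
            for cmd in re.split(r"&&|;", args):
                m = re.search(r"\bapt-get\s+install\b(.*)", cmd)
                pkgs = [t for t in m.group(1).split() if not t.startswith("-")] if m else []
                loose = [p for p in pkgs if "=" not in p]
                if loose:
                    findings.append((line, "unpinned packages: " + ", ".join(loose)))
    return findings

if __name__ == "__main__":
    for line, message in lint(SAMPLE):
        print(f"line {line}: {message}")
```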
Container images are increasingly the main method of software deployment, so ensuring the reproducibility of container images, among other artifacts, is becoming a critical step in protecting the software supply chain and a key aspect of overall build reproducibility.
Tools and Resources: Making Trustworthy, Reproducible Container Builds
Because of the benefits of increased software security and advanced trustworthiness in the DoW’s software supply chain, the SEI’s Vessel project has prioritized developing cutting-edge solutions to address container reproducibility issues.
- The first tool is the Vessel Diff tool, which has been released on GitHub. It is used to compare two built container images and detect reproducibility failures by analyzing unpacked image file systems. Using this tool, developers can either verify that two container images are identical or gain detailed information on which differences exist and their probable causes.
- The second tool is the Vessel Lint & Repair tool, which developers can use to identify container build reproducibility issues in their container Dockerfiles and to automatically repair supported issues. With this knowledge, developers can make their software more reproducible, stable, secure, and trustworthy. This tool is under review for release, and the SEI’s goal is to merge the tool with the Diff tool.
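The comparison of unpacked image file systems described for the Diff tool can be illustrated as follows. This is an added example, not Vessel's implementation; it assumes both images have already been unpacked into directories, and the function names, finding labels, and sample files are constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each path under root to (kind, content hash or link target, mode, mtime)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: describe symlinks instead of following them
            kind, data = "dir-or-special", None
            if stat.S_ISLNK(st.st_mode):
                kind, data = "link", os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    kind, data = "file", hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root)
            entries[rel] = (kind, data, stat.S_IMODE(st.st_mode), int(st.st_mtime))
    return entries

def compare(root_a, root_b):
    """Return sorted (path, finding) pairs; an empty list means the trees match."""
    a, b = snapshot(root_a), snapshot(root_b)
    findings = []
    for path in sorted(a.keys() | b.keys()):
        if path not in a or path not in b:
            findings.append((path, "only in A" if path in a else "only in B"))
        elif a[path][:2] != b[path][:2]:
            findings.append((path, "content differs"))
        elif a[path][2] != b[path][2]:
            findings.append((path, "mode differs"))
        elif a[path][3] != b[path][3]:
            findings.append((path, "timestamp only"))
    return findings

def demo():  # constructed sample: two small trees standing in for unpacked images
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, mtime, pkg in ((a, 1_700_000_000, "1.0.2"), (b, 1_700_086_400, "1.0.3")):
            for name, body in (("app.conf", "port=8080\n"), ("pkg-version", pkg + "\n")):
                path = os.path.join(root, name)
                with open(path, "w") as fh:
                    fh.write(body)
                os.utime(path, (mtime, mtime))  # simulate builds one day apart
        open(os.path.join(b, "build.log"), "w").close()
        return compare(a, b)

if __name__ == "__main__":
    print(demo())
```

A "timestamp only" finding points at build-time metadata, while a content difference in a package file points at a dependency that changed between builds.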
Build Trust with Vessel
Adopting the Vessel tool can improve your organization’s software processes and push toward zero-trust. In particular, Vessel supports the following goals:
- Assess the reproducibility of your current containers.
- Increase the reproducibility of your container builds.
- Secure your continuous integration pipelines against malicious tampering.
The SEI can help you improve the trust and reliability of your build processes by instantiating Vessel in your organization and integrating it into your container build pipelines.
Learn More
- Vessel: Reproducible Container Builds (Fact Sheet): This fact sheet describes the Vessel tool, which the SEI developed to detect and correct reproducibility issues in container builds.
- Vessel Tool Enhances Container Reproducibility and Security (Newsletter): This SEI Bulletin newsletter was published on December 4, 2024.
- Vessel Tool Enhances Container Reproducibility and Security (News Item): The open-source SEI project helps software developers identify the cause of discrepancies between container builds.
- Vessel: Reproducible Container Builds (Presentation): Kevin Pitstick presented this project at the CMU SEI Research Review 2024.