University of Sydney researchers have developed end-to-end encryption for git services that maintains performance whilst protecting sensitive code from cyberattacks and malicious insertions.
The encryption system works with platforms such as GitHub and Bitbucket and has completed successful initial testing on public repositories. The technology uses character-level encryption that processes only edited portions of code rather than entire documents, significantly reducing computational overhead.
Git services function as online repositories where multiple developers simultaneously work on software projects that may contain trade secrets such as emerging artificial intelligence models. The platforms have faced increasing security threats, with cryptocurrency exchange Coinbase targeted earlier in the year and Okta experiencing source code theft in 2022.
Associate Professor Qiang Tang, from the School of Computer Science, Faculty of Engineering, said privacy and security of software code has long been a concern for industry and individual users that rely on git services.
“Just like we want our messages to be private and safe, the IT industry also want their code to be protected,” Tang said. “End-to-end encryption is currently the gold standard to protect data.”
End-to-end encryption secures data from source to destination, protecting information even if the service platform is compromised. Standard end-to-end encryption, however, cannot accommodate the rapid rate of code updates in git services, because it requires constant refreshing to encrypt new versions.
“It’s a balancing act – keep the code safe but not where it impacts the user’s computer so much that it becomes a hindrance,” Tang said.
Dr Yanan Li from the University of Sydney said identifying necessary security requirements presented challenges, particularly enabling tracking and public verification of edit sources whilst preventing malicious code injection.
The research, supported by Google via the Digital Future Initiative, will be presented at the ACM Conference on Computer and Communications Security in October. The team plans to introduce the code for widespread use or make it open source.