Auditable Version Control Systems

Version control provides the ability to track and control changes made to the data over time. Software development often relies on a Version Control System (VCS) to automate the management of source code, documentation and configuration files. The VCS system stores all the changes to the data into a repository, such that any version of the data can be retrieved at any time in the future. Due to their potentially massive size, VCS repositories are often hosted at third parties which, unfortunately, are not necessarily trusted. Remote Data Checking (RDC) can be used to address concerns about the untrusted nature the VCS server by allowing a data owner to periodically and efficiently check that the server continues to store her data. To reduce the storage overhead, modern version control systems usually adopt “delta encoding”, in which only the differences (between versions) are recorded. As a particular type of delta encoding, skip delta encoding can optimize the combined cost of storage and retrieval. In this work, we introduce Auditable Version Control Systems (AVCS), which are VCS systems designed to function under an adversarial setting. We present the definition of AVCS and then propose RDC–AVCS, an AVCS scheme for skip delta-based VCS systems, which relies on RDC mechanisms to ensure all the versions of a file are retrievable from the untrusted VCS server over time. In RDC–AVCS, the cost of checking the integrity of all the versions of a file is the same as checking the integrity of one file version and the client is only required to maintain the same amount of client storage like a regular (non-secure) VCS system. We make the important observation that the only meaningful operation for real-world VCS systems which use delta encoding is append and leverage this observation to build RDC–AVCS. Unlike previous solutions which rely on dynamic RDC and are interesting from a theoretical point of view, we take a pragmatic approach and provide a solution for real-world VCS systems. We build a prototype for RDC–AVCS on top of a popular open-source version control system, Apache Subversion (SVN), and implement the most common VCS operations. Our security analysis and experimental evaluation show that RDC–AVCS successfully achieves the desired security guarantees at the cost of a modest decrease in performance compared to a regular (nonsecure) SVN system.