More Like this

1. Distributed Software Build Assurance for Software Supply Chain Integrity

   https://doi.org/10.3390/app14209262  

   Lew, Ken; Sarker, Arijet; Wuthier, Simeon; Kim, Jinoh; Kim, Jonghyun; Chang, Sang-Yoon (October 2024, Applied Sciences)

   Computing and networking are increasingly implemented in software. We design and build a software build assurance scheme detecting if there have been injections or modifications in the various steps in the software supply chain, including the source code, compiling, and distribution. Building on the reproducible build and software bill of materials (SBOM), our work is distinguished from previous research in assuring multiple software artifacts across the software supply chain. Reproducible build, in particular, enables our scheme, as our scheme requires the software materials/artifacts to be consistent across machines with the same operating system/specifications. Furthermore, we use blockchain to deliver the proof reference, which enables our scheme to be distributed so that the assurance beneficiary and verifier are the same, i.e., the node downloading the software verifies its own materials, artifacts, and outputs. Blockchain also significantly improves the assurance efficiency. We first describe and explain our scheme using abstraction and then implement our scheme to assure Ethereum as the target software to provide concrete proof-of-concept implementation, validation, and experimental analyses. Our scheme enables more significant performance gains than relying on a centralized server thanks to the use of blockchain (e.g., two to three orders of magnitude quicker in verification) and adds small overheads (e.g., generating and verifying proof have an overhead of approximately one second, which is two orders of magnitude smaller than the software download or build processes). 

   more » « less
2. Software Security for the People: Free and Open Resources for Software Security Training

   https://doi.org/10.1109/MSEC.2022.3142336  

   Heymann, Elisa R.; Miller, Barton P. (March 2022, IEEE Security & Privacy)
3. Just Enough Software Engineering for Domain Scientists in Research Software Development

   https://doi.org/10.1109/INTCEC61833.2024.10603285  

   Hammel, Melody L; Lin, Lan (June 2024, IEEE)
4. Sigstore: Software Signing for Everybody

   https://doi.org/10.1145/3548606.3560596  

   Newman, Zachary; Meyers, John Speed; Torres-Arias, Santiago (November 2022, ACM)

   Software supply chain compromises are on the rise. From the effects of XCodeGhost to SolarWinds, hackers have identified that targeting weak points in the supply chain allows them to compromise high-value targets such as U.S. government agencies and corporate targets such as Google and Microsoft. Software signing, a promising mitigation for many of these attacks, has seen limited adoption in open-source and enterprise ecosystems. In this paper, we propose Sigstore, a system to provide widespread software signing capabilities. To do so, we designed the system to provide baseline artifact signing capabilities that minimize the adoption barrier for developers. To this end, Sigstore leverages three distinct mechanisms: First, it uses a protocol similar to ACME to authenticate developers through OIDC, tying signatures to existing and widely-used identities. Second, it enables developers to use ephemeral keys to sign their artifacts, reducing the inconvenience and risk of key management. Finally, Sigstore enables user authentication by means of artifact and identity logs, bringing transparency to software signatures. Sigstore is quickly becoming a critical piece of Internet infrastructure with more than 2.2M signatures over critical software such as Kubernetes and Distroless. 

   more » « less
5. Software Engineering for Data Analytics

   https://doi.org/10.1109/MS.2020.2985775  

   Kim, Miryung (July 2020, IEEE Software)