"Distributed Software Build Assurance for Software Supply Chain Integrity" by Ken Lew, Arijet Sarker et al.
 

Publication Title

Applied Sciences

Document Type

Article

Abstract/Description

Computing and networking are increasingly implemented in software. We design and build a software build assurance scheme that detects injections or modifications at the various steps of the software supply chain, including source code, compilation, and distribution. Building on reproducible builds and the software bill of materials (SBOM), our work is distinguished from previous research by assuring multiple software artifacts across the software supply chain. Reproducible builds in particular enable our scheme, which requires the software materials/artifacts to be consistent across machines with the same operating system/specifications. Furthermore, we use a blockchain to deliver the proof reference, which makes our scheme distributed so that the assurance beneficiary and the verifier are the same, i.e., the node downloading the software verifies its own materials, artifacts, and outputs. Blockchain also significantly improves assurance efficiency. We first describe and explain our scheme abstractly and then implement it to assure Ethereum as the target software, providing a concrete proof-of-concept implementation, validation, and experimental analyses. Thanks to the blockchain, our scheme yields greater performance gains than relying on a centralized server (e.g., two to three orders of magnitude faster verification) and adds only small overheads (e.g., generating and verifying a proof takes approximately one second, which is two orders of magnitude less than the software download or build processes).

Department

Computer Science and Information Systems

First Page

9262

Last Page

9278

DOI

10.3390/app14209262

Volume

14

Issue

20

ISSN

2076-3417

Date

10-11-2024
