It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security

Fourné, Marcel; Wermke, Dominik; Enck, William; Fahl, Sascha; Acar, Yasemin

doi:10.1109/sp46215.2023.10179320

Cited by 6 publications

(1 citation statement)

References 99 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The reproducible build assures the consistency and integrity of the built software, making it more difficult for attackers to alter the code during its compiling/construction. Fourné et al, in [48], discussed the importance of the reproducible build for software security and provided recommendations on integrating reproducible builds in open-source software. It can be used in our software assurance scheme to generate the proof using the executable files because, in a reproducible build, the executable files are the same regardless of the environment in which it is built.…”

Section: Assuring Beyond the Software Codementioning

confidence: 99%

Distributed and Lightweight Software Assurance in Cellular Broadcasting Handshake and Connection Establishment

Purification,

Kim,

Kim

et al. 2023

Electronics

View full text Add to dashboard Cite

With developments in OpenRAN and software-defined radio (SDR), the mobile networking implementations for radio and security control are becoming increasingly software-based. We design and build a lightweight and distributed software assurance scheme, which ensures that a wireless user holds the correct software (version/code) for their wireless networking implementations. Our scheme is distributed (to support the distributed and ad hoc networking that does not utilize the networking-backend infrastructure), lightweight (to support the resource-constrained device operations), modular (to support compatibility with the existing mobile networking protocols), and supports broadcasting (as mobile and wireless networking has broadcasting applications). Our scheme is distinct from the remote code attestation in trusted computing, which requires hardwarebased security and real-time challenge-and-response communications with a centralized trusted server, thus making its deployment prohibitive in the distributed and broadcasting-based mobile networking environments. We design our scheme to be prover-specific and incorporate the Merkle tree for the verification efficiency to make it appropriate for a wireless-broadcasting medium with multiple receivers. In addition to the theoretical design and analysis, we implement our scheme to assure srsRAN (a popular open-source software for cellular technology, including 4G and 5G) and provide a concrete implementation and application instance to highlight our scheme’s modularity, backward compatibility to the existing 4G/5G standardized protocol, and broadcasting support. Our scheme implementation incorporates delivering the proof in the srsRAN-implemented 4G/5G cellular handshake and connection establishment in radio resource control (RRC). We conduct experiments using SDR and various processors to demonstrate the lightweight design and its appropriateness for wireless networking applications. Our results show that the number of hash computations for the proof verification grows logarithmically with the number of software code files being assured and that the verification takes three orders of magnitude less time than the proof generation, while the proof generation overhead itself is negligible compared to the software update period.

show abstract

Section: Assuring Beyond the Software Codementioning

confidence: 99%