The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.
I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.
>This feels like this might actually be a use-case for a blockchain or a Merkle Tree.
A few years ago, this idea[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.
I don't know if they've advanced adoption of Trillian for firmware, however, the website lists Go packaging[2], Certificate Transparency [3], and SigStore[4] as current applications.
have used Trillian as the basis for their Certificate Transparency implementation.[2]
[0] https://github.com/google/trillian-examples/tree/master/bina...
[1] https://transparency.dev/
[2] https://go.googlesource.com/proposal/+/master/design/25530-s...
[3] https://certificate.transparency.dev/
[4] https://www.sigstore.dev/
https://github.com/tenable/ghidra_tools/tree/main/g3po
I suspect there are better ones being worked on though.
https://github.com/slsa-framework/slsa-github-generator#gene... :
> Supply chain Levels for Software Artifacts, or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
> SLSA defines an incrementally-adoptable set of levels which are defined in terms of increasing compliance and assurance. SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are.
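A SLSA provenance attestation is an in-toto Statement whose subject lists the artifact digests and whose predicate records who built it and from what source. The consumer's job is to check that the artifact it actually downloaded matches a subject, that the builder is one it trusts, and that the build came from the expected repository. The block below is an added example, not code from the SLSA project or the generator linked above: it constructs a small provenance statement for a made-up artifact and runs those policy checks over it. The builder ID, source URI and build type are hypothetical placeholders, not real generator identifiers.

```python
import hashlib
import json
from typing import List, Set

# Constructed artifact standing in for a downloaded release binary.
ARTIFACT = b"constructed sample release binary, not a real artifact\n"

# Hypothetical policy values; a real policy would name the actual trusted
# builder workflow and the project's own repository.
TRUSTED_BUILDERS: Set[str] = {"https://builder.example.com/trusted-builder@v1"}
EXPECTED_SOURCE = "git+https://github.com/example-org/example-app"

# Constructed in-toto Statement v0.1 carrying a SLSA provenance v0.2 predicate.
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{
        "name": "example-app-linux-amd64",
        "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()},
    }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://builder.example.com/trusted-builder@v1"},
        "buildType": "https://builder.example.com/build-types/generic@v1",
        "invocation": {
            "configSource": {
                "uri": EXPECTED_SOURCE,
                "digest": {"sha1": "0" * 40},
                "entryPoint": ".github/workflows/release.yml",
            }
        },
    },
})

def check_provenance(statement_json: str, artifact: bytes,
                     trusted_builders: Set[str], expected_source: str) -> List[str]:
    """Policy checks on a provenance statement for one downloaded artifact.
    Returns a list of violations; an empty list means the artifact is accepted.
    Assumes the statement's DSSE signature has already been verified."""
    problems: List[str] = []
    stmt = json.loads(statement_json)

    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("unexpected statement type %r" % stmt.get("_type"))
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicate type %r" % stmt.get("predicateType"))

    # 1. The artifact we hold must be one of the attested subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        problems.append("artifact sha256 %s is not among the provenance subjects" % digest)

    predicate = stmt.get("predicate", {})

    # 2. Only builders we trust may vouch for the build.
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        problems.append("builder %r is not in the trusted set" % builder_id)

    # 3. The build must have been driven from the expected source repository.
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri")
    if source_uri != expected_source:
        problems.append("config source %r does not match expected %r" % (source_uri, expected_source))

    return problems

if __name__ == "__main__":
    print("genuine artifact:", check_provenance(PROVENANCE_JSON, ARTIFACT, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print("tampered artifact:", check_provenance(PROVENANCE_JSON, ARTIFACT + b"x", TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

These checks only make sense after the statement's DSSE envelope signature has been verified against the builder's identity (with slsa-verifier or cosign); an unsigned statement can claim any builder and any subject, so the signature check comes first and the policy checks above come second.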
Related posts
- Pacman-bintrans – Experimental binary transparency for pacman via sigstore/rekor
- I Love Arch, but GNU Guix Is My New Distro
- CII' FOSS best practices criteria
- Binary transparency logs for pacman, the Arch Linux package manager