Using blockchain to secure the software supply chain

Applied Cryptography, Security Architecture

DAP/22-03

Active

Defence Funded Research

August 2023 to August 2027

49 months

Arnaud Stoz, Thibault Debatty

When developing software, developers and companies usually rely on numerous external libraries. According to the GitHub State of the Octoverse Report 2019 [1], open-source projects have an average of 180 package dependencies. The same goes for commercial and closed-source software, although no official numbers are available.

For an attacker, compromising a single one of these dependencies is enough to break into the network or data of the final user of the software [3]. This technique has proven extremely effective, and hence is increasingly used by attackers [2].

This supply chain attack technique applies to any programming language and dependency management tool, for example PHP/Composer, Python/pip, .NET/NuGet or Java/Maven. All these dependency management systems rely on a central system that stores the details of the available libraries.

In this project, we plan to study how these central systems can be replaced by a distributed system relying on blockchain. A blockchain system is often compared to a distributed ledger. It makes it possible to guarantee the integrity of the stored data: no record can be inserted into or modified in the database of libraries without being detected by the users of the database. This property would make it possible to build a software supply chain that is protected against supply chain attacks.
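To make the integrity property concrete, here is an added example (not the project's own code, which does not exist yet on this page) of a minimal hash-linked ledger of package release records, standing in for a dependency manager's central index. The package names and digests are constructed, and the example assumes that a client pins the last ledger head it accepted, which is how a rewritten chain becomes visible.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed example, not the project's own code: a hash-linked ledger of package releases
# standing in for a dependency manager's central index (PyPI, Maven Central, NuGet, Packagist).
GENESIS_HASH = "0" * 64

def _digest(obj) -> str:
    # Canonical JSON so the digest does not depend on dict key order
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass
class Block:
    index: int
    prev_hash: str
    record: dict  # e.g. {"name": "left-pad", "version": "1.3.0", "sha256": "<artifact digest>"}
    hash: str = ""

    def compute_hash(self) -> str:
        return _digest({"index": self.index, "prev_hash": self.prev_hash, "record": self.record})

def append(chain: List[Block], record: dict) -> Block:
    """Add a release record on top of the current head."""
    prev = chain[-1].hash if chain else GENESIS_HASH
    blk = Block(index=len(chain), prev_hash=prev, record=record)
    blk.hash = blk.compute_hash()
    chain.append(blk)
    return blk

def verify(chain: List[Block], trusted_head: Optional[str] = None) -> Tuple[bool, str]:
    """Check every link and hash, then optionally compare the head to a hash pinned earlier.
    A rewritten chain (all hashes recomputed) is only caught by a client that kept the old head."""
    expected_prev = GENESIS_HASH
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != expected_prev:
            return False, f"broken link at block {i}"
        if blk.hash != blk.compute_hash():
            return False, f"record tampered at block {i}"
        expected_prev = blk.hash
    if trusted_head is not None and (not chain or chain[-1].hash != trusted_head):
        return False, "head does not match the pinned hash"
    return True, "ok"

def lookup(chain: List[Block], name: str, version: str) -> Optional[str]:
    """Artifact digest a client should expect for name==version, or None if never recorded."""
    for blk in chain:
        if blk.record["name"] == name and blk.record["version"] == version:
            return blk.record["sha256"]
    return None
```

An in-place edit or a spliced-in record breaks a hash or a link immediately; a complete rewrite only shows up against the head a client pinned, which is the role a distributed ledger spreads over many nodes instead of one index operator.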

References

  1. GitHub, The State of the Octoverse 2019, November 2019. https://github.blog/2019-11-06-the-state-of-the-octoverse-2019/
  2. Microsoft, Microsoft Digital Defense Report, September 2020. https://www.microsoft.com/en-us/download/details.aspx?id=101738

[geth] Developer mode

Blockchain, Ethereum

If you have already played with geth, you have probably noticed the --dev option. This option is very handy when you want to quickly start a node to test something. However, you might have found that the developer account it sets up automatically is a random account. This randomness can be annoying when trying to automate some testing tasks. The good news is that there is a way to set this developer account, and that is what this small blog post explains.

Webinar RMA

Blockchain, APT Detection

A few weeks ago, we had the opportunity to present a short webinar on two topics currently being researched in our department:

IPFS-API: a Go IPFS RPC API client

Blockchain, golang

If you have already looked into web3 and decentralization, you have probably stumbled upon the Inter Planetary File System (IPFS). However, if you wanted to use the API provided by IPFS in one of your Go programs, you probably went crazy trying to understand how to use it, only to finally realize that the documentation is not even up to date and refers to a deprecated library. The IPFS-API module tries to fill this gap and provides a basic yet simple-to-use package to interact with an IPFS RPC API endpoint.

Analysis of a crypto scam

Blockchain, Ethereum

If you have ever connected to a Discord server related to Ethereum (geth, ethereum.org), you have probably noticed that, despite the very useful information given about the technology, those servers are unfortunately also full of scammers... Let's have a look at one of them and analyze the scam it proposes.
