The software supply chain attacks have increased multifold in recent times. Especially, supply chain attacks on open-source software grew astronomically 650% in 2021 according to the State of the Software Supply Chain report published by security provider Sonatype. Teh commercial software are also not untouched by these attacks. The SolarWinds attack was one of the largest in terms of impact and spread. The European Union Agency for Cybersecurity (ENISA) in its report Threat Landscape for Supply Chain Attacks has analysed 24 supply chain attacks. The report points out that 50% of supply chain attacks in 2021 emanated from Advanced Persistent Threat (APT) actors. Some of findings are shown in the image below.
source: https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks
asvin has designed and developed a prototype to secure software supply chain using the distributed ledger technology (DLT). It tracks the trail of a software from development until it is installed on a device. It straightens the complete software life cycle by checking its integrity with one way hash function and recording the events on a distributed ledger. There are multiple stages between software development and installation of a software on a device. asvin envisioned each stage plays a crucial role in overall security of a software. The stages are shown in the figure below.
Development
In this stage, developers come together to create source code for a software. Mainly, they use version control platforms based on Git to manage project code in repositories. GitLab, GitHub and Bigbucket are popular source code management platforms. External libraries and packages are merged with project source code and compiled to build final software.
Quality Management
Not only functionality but quality of a software is also paramount and absence of it could make a software liability for its consumers. In this stage, a software go through rigorous static and dynamic security testing. It checks for functional defects, code quality and security vulnerabilities.
Deploy to Distribution Platform
A distribution platform facilitates over the air updates. It provides device management, software management and rollout management. It gives an real time snapshot of registered devices and their current software versions. Once a software clears the testing stage it is uploaded to a distribution platform.
Over the Air Distribution
Once devices are registered and software are uploaded to a distribution platform a rollout can be started. A rollout makes a software available to be downloaded for edge devices. A software and group of devices are associated with a rollout.
Installation on Edge Devices
They are small embedded devices which control a process in a large system. They are designed to perform a specialized task efficiently. For an example electronic control unit in car, temperature/humidity module installed in a production plant etc. The edge devices keep polling for new updates. Once a update is available they download the associated software and check its integrity and install it. After a successful installation acknowledgement is sent the distribution platform.
asvin Prototype
In the prototype, asvin utilizes Gitlab, ESP8266 development board and Hyperledger besu based DLT solution to demonstrate the secure software supply chain.
GitLab
The GitLab CI/CD pipeline was utilized to simulate software development, build, test and deployment stages. In reality other platforms and mechanisms can be used to perform these tasks. For prototyping, CI/CD pipeline is an ideal technology. We quickly built multiple stages in a pipeline to automatically build, test and deploy software. The figure below shows stages of GitLab CI/CD pipeline.
Distribution Platform
asvin’s Beehive was employed to distribute Over the Air updates. It is an amalgamation of peer to peer storage and distributed ledger technologies. It exposes its services using REST API endpoints. The edge devices can easily interact to check for updates and download automatically once are accessible.
Distributed Ledger
asvin made use of Alastria’s Network B for distributed ledger. It is a private permissioned blockchain network powered by Hyperledger Besu. The network is composed of bootnodes, validators and regular nodes. For the prototype, one node is deployed in the network with smart contract. Each event happening at different stages are recorded in the distributed ledger. Because of inherent immutability and transparency DLT is an ideal solution for tracking software in a supply chain. The distributed ledger is changed by submitting singed transaction using REST API endpoint.
ESP8266
The ESP8266 development board was used as an edge device. It is packed with Tensilica 32-bit RISC CPU Xtensa LX106 microcontroller, 16 Digital I/O pins, 64 KB SRAM and 2.4 GHz WiFi module. It is perfect to demonstrate technology in a prototype. A LCD-1602A was integrated with ESP8266 board to display current version of software.
Sequence Flow
The prototype demonstration video has following flow.
- Change current version of software in source and make a commit to GitLab project
- Software is built, tested, recorded on a distributed ledger
- Quality management is simulated in QA stage and results recorded in distributed ledger
- Software deployed to distribution platform and updated on distributed ledger
- Rollout is started with the software and details are documented on distributed ledger
- Edge device download and install software and send acknowledgement to distribution platform
asvin has been working on Distributed Software Bills of Materials (D-SBOM) to strengthen its software supply chain solution. The D-SBOM will facilitate composition of software. It will contain package information of all dependencies in a software. 2022 is going to be an exciting one.