diff --git a/talks-public/2021-05-19-telecom-paris/this/r-b-approach.drawio b/talks-public/2021-05-19-telecom-paris/this/r-b-approach.drawio new file mode 100644 index 0000000..a06de60 --- /dev/null +++ b/talks-public/2021-05-19-telecom-paris/this/r-b-approach.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/talks-public/2021-05-19-telecom-paris/this/r-b-approach.pdf b/talks-public/2021-05-19-telecom-paris/this/r-b-approach.pdf new file mode 100644 index 0000000..d1799ac Binary files /dev/null and b/talks-public/2021-05-19-telecom-paris/this/r-b-approach.pdf differ diff --git a/talks-public/2021-05-19-telecom-paris/this/security.org b/talks-public/2021-05-19-telecom-paris/this/security.org index 3182456..370729c 100644 --- a/talks-public/2021-05-19-telecom-paris/this/security.org +++ b/talks-public/2021-05-19-telecom-paris/this/security.org 
@@ -1,117 +1,120 @@ ** Securing the open source supply chain *Software supply chain attacks* are becoming more and more popular and raising in profile. → Cf. /SolarWindws attacks/ (2021), breaching several US govt. branches *** Definition --- Reproducible Builds (R-B) The build process of a software product is *reproducible* if, after designating a specific version of its source code and all of its build dependencies, every build produces *bit-for-bit identical artifacts*, no matter the environment in which the build is performed. *** - R-B allows to *increase trust in binary executables* built from trusted (open source) code by untrusted 3rd-party software vendors (e.g., app stores, distros) - The *[[https://reproducible-builds.org/][reproducible-builds.org project]]* has popularized the notion, is backed by major open source industry players, and has made large open source software collections reproducible (e.g., 95% of Debian packages) *** References :B_ignoreheading: :PROPERTIES: :BEAMER_env: ignoreheading :END: #+BEGIN_EXPORT latex \begin{thebibliography}{} \footnotesize \bibitem{Lamb2021RB} Chris Lamb, Stefano Zacchiroli \newblock Reproducible Builds: Increasing the Integrity of Software Supply \newblock IEEE Software 2021 (to appear, DOI 10.1109/MS.2021.3073045) \end{thebibliography} #+END_EXPORT +** Securing the open source supply chain (cont.) + #+BEAMER: \begin{center}\includegraphics[width=\textwidth]{this/r-b-approach}\end{center} + ** Securing the open source supply chain (cont.) 
*** - Software Heritage provides key ingredients for R-B pipelines: on-demand archival (e.g., of VCS commits referenced by build recipes) + long-term availability - We have implemented this by integrating the GNU Guix package manager with Software Heritage *** :B_ignoreheading: :PROPERTIES: :BEAMER_env: ignoreheading :END: #+BEAMER: \begin{center}\hfill\includegraphics[height=0.4\textheight]{swh-guix-1}\hfill\includegraphics[height=0.4\textheight]{swh-guix-2}\hfill~\end{center} #+BEAMER: \scriptsize - \url{https://www.softwareheritage.org/2019/04/18/software-heritage-and-gnu-guix-join-forces-to-enable-long-term-reproducibility/} - \url{https://guix.gnu.org/blog/2019/connecting-reproducible-deployment-to-a-long-term-source-code-archive/} ** Tracking of vulnerable source code artifacts *** Software Heritage provides a unique observatory on the (best approximation of) the entire /Software Commons/, i.e., all software published in source code form *** Software provenance tracking at the scale of the world - by following the /transposed/ Software Heritage graph we can locate *all known public occurrences* of source code artifacts (individual source files, entier source tree, commits) in other commits or repositories - we have developed two approaches to do that: 1. database-based (Rousseau et al. EMSE 2020): incremental, answers a fixed set of queries, requires significant disk space 2. compressed-graph-base (Boldi et al. SANER 2020): non-incremental, flexible graph-base querying, fits in RAM - current applications: "intellectual property"/prior art, open source license compliance, software composition analysis (SCA) ** Tracking of vulnerable source code artifacts (cont.) *** Adding in-memory commit timestamps (experimental) Idea: in-memory timestamp array (us precision, 8 bytes each), indexed by revision node id. This enables to efficiently exploit timestamp information during graph visits. 
*** Finding the /earliest/ commit referencing a source file/dir Early experiment: finding the earliest revision containing a given file using in-memory commit timestamps, on 10 M randomly selected blobs. Mean lookup time: 4.1 ms (avg on 95% percentile: 2.2 ms) *** Tracking vulnerable source code files/trees Given a source file/tree affected by a known vulnerability (e.g., identified by a CVE) we can efficiently identify /all/ commits (and repositories, extending the traversals) that reference it, triggering further inspection. Furthermore, we can efficiently select which commits to filter out during visits, based on commit timestamps of other attributes that can be made to fit in memory (or memory mapped to disk). ** Tracking of vulnerable source code artifacts (cont.) *** v. State-of-the-art industry offerings Similar to what GitHub/GitLab offer as a service, but: - without having to rely on repository scanning, because the "big picture" is already present in the Software Heritage archive by design - independent from the development platform vendor (e.g., a "vulnerable file" primarily hosted on GitHub can be spotted in GitLab repositories and vice-versa) - complementary and synergistic with analyses of vulnerable dependency information (which are also available in Software Heritage via metadata mining) *** Caveats - current granularity stops at the file level and traceability breaks with even just whitespace changes. Increasing tracking granularity to the snippet/line of code level is possible, but untested at this scale yet (cf. research roadmap)
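Review bot: r-b-approach.pdf is added as an opaque binary next to its r-b-approach.drawio source with nothing linking the two, so a later edit to the .drawio will leave a stale PDF on the slide without anyone noticing; either export the PDF from the .drawio as a step of the slide build or record in the commit message which drawio export produced it, and consider whether the generated PDF needs to be tracked at all.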
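Review bot: the new slide's `\includegraphics[width=\textwidth]{this/r-b-approach}` addresses the figure with a `this/` directory prefix, while the existing `\includegraphics[height=0.4\textheight]{swh-guix-1}` on the next slide uses a bare name, so the two depend on different lookup rules (working-directory-relative path vs. `\graphicspath`); pick one convention for the deck so the build does not break when run from another directory. The added slide is also image-only: the neighbouring slides carry a `\scriptsize` source line or a bibliography, so a one-line source or caption under the figure would keep it consistent. While this region is being touched, the context lines contain `SolarWindws` (SolarWinds), `entier` (entire), `compressed-graph-base` (-based) and `of other attributes` (presumably `or other attributes`), which could be fixed in the same change.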