TRS.20.003 – SecureSECO
Software is everywhere. The worldwide software ecosystem that produces and maintains software, is a trust-rich part of the world. Through software’s life cycle, software engineers, software users, and other stakeholders collaboratively place their faith in major hubs in the ecosystem, such as package managers, repository services, and programming language ecosystems. However, there are many parts of the software supply chain in which this trust is regularly broken.
We introduce a theory of software provenance. Through comprehensive software provenance of software artifacts, we can create a layer of trust under the software ecosystem that comprises all software engineers worldwide. The theory is effectuated in the SecureSECO platform. SecureSECO stores data about the life cycle of software in a distributed ledger, with the goal of providing provenance data to each actor in the worldwide software ecosystem about each software engineering product. Such data includes source code fragments, call graphs, dependency graphs, and build information, and it is signed with software engineer identification. Through advances in machine learning and pattern detection, we enable worldwide code fragment search, detect vulnerabilities and malware through call graph pattern matching, and introduce automatic consensus-based reconfiguration of compromised systems.
With a theory of software provenance, we create a trustworthy worldwide software ecosystem where *software components and their provenance are trusted* and where *misuse, vulnerabilities, and dependency problems are detected and fixed*.
Distributed Ledger Technology, Secure Software Ecosystem, Software Vulnerabilities
CWI, Leiden University (LEI), Technische Universiteit Delft (TUD)
|Organisation||Utrecht University (UU)|
|Name||Dr. S. (Slinger) Jansen|