Macaron: A Logic-based Framework for Software Supply Chain Security Assurance
Behnaz Hassanshahi, Trong Nhan Mai, Alistair Michael, Benjamin Selwyn Smith, Sophie Bates, Padmanabhan Krishnan
22 November 2023
Many software supply chain attacks exploit the fact that what is in a source code repository may not match the artifact that is actually deployed in one’s system. This paper describes a logic-based framework that analyzes a software component and its dependencies to determine if they are built in a trustworthy fashion. The properties that are checked include the availability of build provenances and whether the build and deployment process of an artifact is tamper resistant. These properties are based on the open-source community efforts, such as SLSA, that enable an incremental approach to improve supply chain security. We evaluate our tool on the top-30 Java, Python, and npm open-source projects and show that the majority still do not produce provenances. Our evaluation also shows that a large number of open-source Java and Python projects do not have a transparent build platform to produce artifacts, which is a necessary requirement to increase the trust in the published artifacts. We show that our tool fills a gap in the current software supply chain security landscape, and by making it publicly available the open-source community can both benefit from and contribute to it.
Venue : Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED'23) co-located with CCS'23