策略透明度:授权逻辑满足一般透明度以证明软件供应链的完整性

Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI:10.1145/3560835.3564549

Andrew Ferraiuolo, Razieh Behjati, Tiziano Santoro, Ben Laurie

{"title":"策略透明度:授权逻辑满足一般透明度以证明软件供应链的完整性","authors":"Andrew Ferraiuolo, Razieh Behjati, Tiziano Santoro, Ben Laurie","doi":"10.1145/3560835.3564549","DOIUrl":null,"url":null,"abstract":"Building reliable software is challenging because today's software supply chains are built and secured from tools and individuals from a broad range of organizations with complex trust relationships.In this setting, tracking the origin of each piece of software and understanding the security and privacy implications of using it is essential. In this work we aim to secure software supply chains by using verifiable policies in which the origin of information and the trust assumptions are first-order concerns and abusive evidence is discoverable. To do so, we propose Policy Transparency, a new paradigm in which policies are based on authorization logic and all claims issued in this policy language are made transparent by inclusion in a transparency log. Achieving this goal in a real-world setting is non-trivial and to do so we propose a novel software architecture called PolyLog. We find that this combination of authorization logic and transparency logs is mutually beneficial - transparency logs allow authorization logic claims to be widely available aiding in discovery of abuse, and making claims interpretable with policies allows misbehavior captured in the transparency logs to be handled proactively.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity\",\"authors\":\"Andrew Ferraiuolo, Razieh Behjati, Tiziano Santoro, Ben Laurie\",\"doi\":\"10.1145/3560835.3564549\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Building reliable software is challenging because today's software supply chains are built and secured from tools and individuals from a broad range of organizations with complex trust relationships.In this setting, tracking the origin of each piece of software and understanding the security and privacy implications of using it is essential. In this work we aim to secure software supply chains by using verifiable policies in which the origin of information and the trust assumptions are first-order concerns and abusive evidence is discoverable. To do so, we propose Policy Transparency, a new paradigm in which policies are based on authorization logic and all claims issued in this policy language are made transparent by inclusion in a transparency log. Achieving this goal in a real-world setting is non-trivial and to do so we propose a novel software architecture called PolyLog. We find that this combination of authorization logic and transparency logs is mutually beneficial - transparency logs allow authorization logic claims to be widely available aiding in discovery of abuse, and making claims interpretable with policies allows misbehavior captured in the transparency logs to be handled proactively.\",\"PeriodicalId\":208151,\"journal\":{\"name\":\"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses\",\"volume\":\"9 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-11-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3560835.3564549\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3560835.3564549","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

摘要

构建可靠的软件是具有挑战性的，因为今天的软件供应链是由具有复杂信任关系的广泛组织的工具和个人构建和保护的。在这种情况下，跟踪每个软件的来源并了解使用它的安全性和隐私含义是必不可少的。在这项工作中，我们的目标是通过使用可验证的政策来保护软件供应链，其中信息的来源和信任假设是一级问题，滥用证据是可发现的。为此，我们提出了策略透明度，这是一种新的范例，其中策略基于授权逻辑，并且通过将此策略语言发布的所有声明包含在透明度日志中，从而使其透明。在现实世界中实现这一目标并非易事，为此我们提出了一种名为PolyLog的新颖软件体系结构。我们发现授权逻辑和透明日志的这种组合是相互有益的——透明日志允许广泛使用授权逻辑声明，帮助发现滥用，并且使用策略解释声明允许主动处理透明日志中捕获的不当行为。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity

Building reliable software is challenging because today's software supply chains are built and secured from tools and individuals from a broad range of organizations with complex trust relationships.In this setting, tracking the origin of each piece of software and understanding the security and privacy implications of using it is essential. In this work we aim to secure software supply chains by using verifiable policies in which the origin of information and the trust assumptions are first-order concerns and abusive evidence is discoverable. To do so, we propose Policy Transparency, a new paradigm in which policies are based on authorization logic and all claims issued in this policy language are made transparent by inclusion in a transparency log. Achieving this goal in a real-world setting is non-trivial and to do so we propose a novel software architecture called PolyLog. We find that this combination of authorization logic and transparency logs is mutually beneficial - transparency logs allow authorization logic claims to be widely available aiding in discovery of abuse, and making claims interpretable with policies allows misbehavior captured in the transparency logs to be handled proactively.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

自引率

0.00%

发文量