Trusted Delivery Mechanisms for Software Supply Chains Based on Trusted Execution Environment
Pages 19 - 25
Abstract
The software download process is a crucial component of the software supply chain. However, it is within this phase that certain malicious attacks, particularly upgrade and update hijacking problems, pose significant threats to the security of users’ devices and data. This paper introduces a trusted delivery mechanism for the software supply chain based on a trusted execution environment. Initially, the security protection mechanism of the trusted execution environment is leveraged to enhance the security and trustworthiness of the server at the hardware level. Subsequently, a decentralized model is established using consortium blockchain technology to ensure the transparency and traceability of the download process. The effectiveness of this mechanism in ensuring the trustworthiness of software supply chain security is verified through simulation experiments, providing a novel idea and method for addressing the security challenges associated with software upgrades.
References
[1]
Elli Androulaki, Artem Barger, Vita Bortnikov, Christian Cachin, Konstantinos Christidis, Angelo De Caro, David Enyeart, Christopher Ferris, Gennady Laventman, Yacov Manevich, 2018. Hyperledger fabric: a distributed operating system for permissioned blockchains. In Proceedings of the thirteenth EuroSys conference. 1–15.
[2]
Andrea Di Sorbo, Fiorella Zampetti, Aaron Visaggio, Massimiliano Di Penta, and Sebastiano Panichella. 2023. Automated identification and qualitative characterization of safety concerns reported in uav software platforms. ACM Transactions on Software Engineering and Methodology 32, 3 (2023), 1–37.
[3]
William Enck and Laurie Williams. 2022. Top five challenges in software supply chain security: Observations from 30 industry and government organizations. IEEE Security & Privacy 20, 2 (2022), 96–100.
[4]
Martin Fejrskov, Jens Myrup Pedersen, and Emmanouil Vasilomanolakis. 2022. Detecting DNS hijacking by using NetFlow data. In 2022 IEEE Conference on Communications and Network Security (CNS). IEEE, 273–280.
[5]
Xiaoshao Lv, Hui Shu, Fei Kang, and Yuyao Huang. 2021. A software upgrade security analysis method based on program analysis. In 2021 IEEE International Conference on Computer Science, Electronic Information Engineering and Intelligent Control Technology (CEI). IEEE, 536–541.
[6]
Jeferson Martínez and Javier M Durán. 2021. Software supply chain attacks, a threat to global cybersecurity: SolarWinds’ case study. International Journal of Safety and Security Engineering 11, 5 (2021), 537–545.
[7]
Jonathan M McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, and Adrian Perrig. 2010. TrustVisor: Efficient TCB reduction and attestation. In 2010 IEEE Symposium on Security and Privacy. IEEE, 143–158.
[8]
Imanol Mugarza, Jose Luis Flores, and Jose Luis Montero. 2020. Security issues and software updates management in the industrial internet of things (iiot) era. Sensors 20, 24 (2020), 7160.
[9]
Pegah Nikbakht Bideh and Christian Gehrmann. 2022. RoSym: Robust Symmetric Key Based IoT Software Upgrade Over-the-Air. In Proceedings of the 4th Workshop on CPS & IoT Security and Privacy. 35–46.
[10]
Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber’s knife collection: A review of open source software supply chain attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment: 17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24–26, 2020, Proceedings 17. Springer, 23–43.
[11]
Sandro Pinto and Nuno Santos. 2019. Demystifying arm trustzone: A comprehensive survey. ACM computing surveys (CSUR) 51, 6 (2019), 1–36.
[12]
J Teng, Y Guang, H Shu, 2020. Automatic detection method for software upgrade vulnerabilities based on traffic analysis. Chinese Journal of Network and Information Security 6, 01 (2020), 94–108.
[13]
Giuliana Santos Veronese, Miguel Correia, Alysson Neves Bessani, Lau Cheuk Lung, and Paulo Verissimo. 2011. Efficient byzantine fault-tolerance. IEEE Trans. Comput. 62, 1 (2011), 16–30.
[14]
Bing Zhang. 2020. A software upgrade security analysis method on network traffic classification using deep learning. In 2020 International Conference on Urban Engineering and Management Science (ICUEMS). IEEE, 568–574.
[15]
Mingming Zhang, Xiaofeng Zheng, Kaiwen Shen, Ziqiao Kong, Chaoyi Lu, Yu Wang, Haixin Duan, Shuang Hao, Baojun Liu, and Min Yang. 2020. Talking with familiar strangers: An empirical study on https context confusion attacks. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 1939–1952.
Index Terms
- Trusted Delivery Mechanisms for Software Supply Chains Based on Trusted Execution Environment
Recommendations
TC4SE: A High-Performance Trusted Channel Mechanism for Secure Enclave-Based Trusted Execution Environments
Information SecurityAbstractWe present TC4SE, a trusted channel mechanism suitable for secure enclave-based trusted execution environments, such as Intel SGX, that leverages the existing security properties provided by the TEE remote attestation scheme and Transport Layer ...
Trusted Execution Environment: What It is, and What It is Not
TRUSTCOM '15: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01Nowadays, there is a trend to design complex, yet secure systems. In this context, the Trusted Execution Environment (TEE) was designed to enrich the previously defined trusted platforms. TEE is commonly known as an isolated processing environment in ...
A Trusted Execution Environment Architecture for Big Data Computing Platform Based on TPCM
ICCNS '23: Proceedings of the 2023 13th International Conference on Communication and Network SecurityThis paper proposes a method for implementing a trusted execution environment for a computing platform based on Trusted Platform Control Module (TPCM). The method is based on a dual-architecture, which maintains the original design of the device and ...
Comments
Information & Contributors
Information
Published In
December 2023
363 pages
ISBN:9798400707964
DOI:10.1145/3638782
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 18 April 2024
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ICCNS 2023
ICCNS 2023: 2023 13th International Conference on Communication and Network Security
December 6 - 8, 2023
Fuzhou, China
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 27Total Downloads
- Downloads (Last 12 months)27
- Downloads (Last 6 weeks)3
Reflects downloads up to 07 Mar 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML Format