
Uncovering Supply Chain Attack with Code Genome Framework.pdf

Uploader: 竿*** ID: 981612 2025-11-29 30 pages 11.60MB

Preview of the report text (first pages):

#BHUSA @BlackHatEvents
Uncovering Supply Chain Attack with Code Genome Framework
Dhilung Kirat, Jiyong Jang, Doug Schales, Ted Habeck, Ian Molloy, JR Rao

AI Supply Chain Security Team, IBM Research
Dhilung Kirat, Jiyong Jang

$ foo install bar
Signed with a certificate. Lists dependencies. Do you trust it?

"You can't trust code that you did not totally create yourself." Ken Thompson

TURING AWARD LECTURE
Reflections on Trusting Trust
To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.
KEN THOMPSON

INTRODUCTION
I thank the ACM for this award. I can't help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX¹ swept into popularity with an industry-wide change from central mainframes to autonomous minis. I suspect that Daniel Bobrow¹ would be here instead of me if he could not afford a PDP-10 and had had to settle for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people.

There is an old adage, "Dance with the one that brought you," which means that I should talk about UNIX. I have not worked on mainstream UNIX in many years, yet I continue to get undeserved credit for the work of others. Therefore, I am not going to talk about UNIX, but I want to thank everyone who has contributed.

That brings me to Dennis Ritchie. Our collaboration has been a thing of beauty. In the ten years that we have worked together, I can recall only one case of miscoordination of work. On that occasion, I discovered that we both had written the same 20-line assembly language program. I compared the sources and was astounded to find that they matched chara

Summary of the report's content:

- Supply chain attack cases: the talk lists several supply chain attacks, such as SolarWinds and Kaseya, to underline the severity and impact of this class of attack.
- Supply chain security problems: it identifies the problems supply chain security faces, including opaque code provenance, toolchain security, and certificate leakage.
- The Code Genome framework: it introduces the Code Genome framework developed by IBM Research, which detects supply chain attacks by identifying malicious code through code fingerprints.
- The importance of SBOMs: it stresses the importance of the Software Bill of Materials (SBOM), but points out that verifying the correctness and completeness of an SBOM remains a challenge.
- Knowledge graph: it proposes using a knowledge graph to increase code granularity and help identify and classify code.
- Open-source Code Genome: it announces that the Code Genome framework is open source and shows its application to the analysis of the XZ backdoor.
- Future plans: it plans to extend the Code Genome framework to support more package and archive formats and to improve code normalization.

Key points:

- Supply chain attack cases: SolarWinds, Kaseya and others, with costs exceeding 10 billion US dollars.
- Code Genome framework: detects supply chain attacks by identifying malicious code through code fingerprints.
- SBOM verification challenge: how to verify the correctness and completeness of an SBOM.
- Knowledge graph: increases code granularity and helps identify and classify code.
- Open-source Code Genome: support for more package and archive formats, improved code normalization.