• Refine Query
  • Source
  • Publication year
  • to
  • Language
  • 4
  • Tagged with
  • 4
  • 4
  • 4
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

CHALLENGES IN SECURITY AUDITS IN OPEN SOURCE SYSTEMS / UTMANINGAR I SÄKERHETSREVISIONER I SYSTEM MED ÖPPEN KÄLLKOD

Nordberg, Pontus January 2019 (has links)
Today there is a heavy integration of information technology in almost every aspect of our lives and there is an increase in computer security that goes with it. To ensure this security, and that policies and procedures within an organisations related to this security are enforced; security audits are conducted. At the same time, use of open source software is also becoming increasingly common, becoming more a fact of life rather than an option. With these two trends in mind, this study analyses a selection of scientific literature on the topic and identifies the unique challenges a security audit in an open source environment faces, and aims to contribute on how to help alleviate the challenges. The study was performed in the form of a literature review, where the comparison and analysis revealed interesting information regarding the open source specific challenges, including both technical issues as well as challenges stemming from people’s perception and handling of open source software today. The answer to the question “What are the challenges when conducting security audits for open source systems and how can they be alleviated?” shows the main challenges to be too much trust is put in unverified binaries. The report offers suggestions and ideas on how to implement solutions in order to help diminish this challenge through the use and integration of Reproducible Builds, answering the second part of the question.
2

Root Cause Localization for Unreproducible Builds

Liu, Changlin 07 September 2020 (has links)
No description available.
3

Integration of Reproducibility Verification with Diffoscope in GNU Make / Integrering av reproducerbarhetsverifiering med diffoscope i GNU Make

Lagnöhed, Felix January 2024 (has links)
Software Supply Chain attacks are becoming more frequent. It is not enough to trust the source code of a project; the build process can insert malicious contents into build artefacts. This calls for the need of valid verification methods regarding the build process, and a good way of doing so is ensuring that the build process is deterministic. This means, that given two binaries built from the same source code and in the same environment, the resulting build artefacts should be bit-wise identical. There are existing tools that check this, but they are not integrated into build systems. This thesis resulted in an extension of GNU make which is called rmake, where diffoscope - a tool for detecting differences between a large number of file types - was integrated into the workflow of make. rmake was later used to answer the posed research questions for this thesis. We found that different build paths and offsets are a big problem as three out of three tested Free and Open Source Software projects all contained these variations. The results also showed that gcc’s optimisation levels did not affect reproducibility, but link-time optimisation embeds a lot of unreproducible information in build artefacts. Lastly, the results showed that build paths, build ID’s and randomness are the three most common groups of variations encountered in the wild and potential solutions for some variations were proposed.
4

Decentralized Validation of Reproducible Builds : A protocol for collaborative and decentralized validation of package reproducibility / Decentraliserad validering av reproducerbara byggen : Ett protokoll för kollaborativ och decentraliserad validering av paketreproducerbarhet

Moritz, Johan January 2023 (has links)
As the threat of supply-chain attacks grows, the need for techniques to protect software integrity likewise increases. The concept of reproducible builds is one such protection. By ensuring that a package can be rebuilt in the exact same way every time, reproducible builds allow users to notice when a package has changed even though its source code stays the same. Thus, the knowledge of which packages are reproducible and therefore easier to trust is a crucial part of this protection mechanism. Current strategies for validating and distributing this information rely on the work of a small number of individual entities with limited coordination in-between them, leading to user confusion because of the lack of a central authority. This work describes a protocol for decentralized coordination and validation of package reproducibility based on hidden votes to limit collusion and a reward scheme to ensure collaboration. The protocol uses the Hyperledger Fabric blockchain as supporting infrastructure, gaining the benefits of high availability, integrity of results and decision traceability from its decentralized nature. To test the protocol, a formal specification was written in TLA+ and validated through model checking. The results showed that, at least for the tested networks, the protocol produces valid results and enforces collaboration between users. Next steps for the project would be to build a functional prototype of the system to test its performance characteristics as well as studying the system actor assumptions made in the protocol design. / Likt hotet från leveranskedjeattacker har ökat, ökar även behoven av skyddstekniker för att säkerställa riktigheten hos mjukvara. Ett sådant typ av skydd ges av reproducerbara byggen. Om ett mjukvarupaket kan byggas exakt likadant varje gång så möjliggör det för användare att upptäcka om paketet har förändrats trots att dess källkod inte har gjort det. Att kunna veta vilka paket som är reproducerbara och därmed lättar att lita på är således en central del i denna skyddsmekanism. Nuvarande strategier för validering och distribution av sådan information bygger på arbete från ett fåtal individer och organisationer med begränsad koordinering däremellan. Detta leder till förvirring för användare på grund av bristen av en central tillitspunkt eller auktoritet. Detta arbete beskriver ett protokoll för decentralizerad koordinering och validering av paketreproducerbarhet baserat på hemliga röster för att begränsa otillåtet samarbete och ett belöningssystem för att motivera önskat samarbete. Protokollet använder blockkedjan Hyperledger Fabric som grund, med fördelarna av att få hög tillgänglighet, resultatsriktighet och spårbara beslut. En formel specifikation skrevs i TLA+ för att testa protokollet och validerades med modeltestning. Testresultatet för de testade nätverkskonfigurationerna visade att protokollet genererar valida resultat och garanterar samarbete mellan användare. De nästa stegen i projektet skulle vara att bygga en funktionell prototyp av systemet för att testa dess prestanda såväl som att studera de antaganden protokollet är designat runt.

Page generated in 0.0484 seconds