SBOMを利用したソフトウェアサプライチェーンの保護

Transcript

1. Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with

   SBOM CloudNative Security Conference 2022

2. ຊ೔ͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ޲ • Supply Chain Security ͱ͸ʁ • SBOMͱ͸ʁ

   • SBOMͷੜ੒ͱ੬ऑੑݕ஌ʹ͍ͭͯ • SBOM๊͕͑Δ՝୊

3. ࠓ೔࿩͞ͳ͍͜ͱ • SBOMͷৄࡉͳ࢓༷ͷղઆ • SBOMͷ੬ऑੑݕ஌ͷৄࡉ

4. ࣗݾ঺հ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project

   (Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜ੒ͱ੬ऑੑݕ஌Λ࣮૷

5. ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ޲ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ޲

6. ࡢࠓͷ߈ܸͷಈ޲ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑ఺Λѱ༻ͨ͠߈ܸ͕໰୊ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠Δ৘ใηΩϡϦςΟͷ10େڴҖʹ΋ϥϯΫΠϯ͍ͯ͠Δ

7. ࡢࠓͷ߈ܸͷಈ޲ • Sonatype͔Β΋Ϩϙʔτ͕ग़͍ͯΔ • 2020೥ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ

8. Supply Chain Security ͱ͸ʁ

9. Supply Chain ͱ͸ • ιϑτ΢ΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβ΁ಧ͚Δ·Ͱͷϓϩηεͷશମ

10. Supply Chain ͱ͸ • ιϑτ΢ΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβ΁ಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor

    OSS Artifact Production Server Server / Network Machine

11. Supply Chain Security ͱ͸ Supply Chain Security ͸ 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •

    औҾઌ΍ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸ΁ͷରࡦ 
 λʔήοτاۀͱ΍ΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕௿͍औҾઌ΍ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτ΢ΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ΁ͷରࡦ 
 ޿͘ར༻͞ΕΔιϑτ΢ΣΞ΍ɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ΢ ΣΞ΍ͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ

12. Supply Chain Security ͱ͸ Supply Chain Security ͸ 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •

    औҾઌ΍ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸ΁ͷରࡦ 
 λʔήοτاۀͱ΍ΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕௿͍औҾઌ΍ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτ΢ΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ 
 ޿͘ར༻͞ΕΔιϑτ΢ΣΞ΍ɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ΢ ΣΞ΍ιϑτ΢ΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓ೔ͷൣғ ͜Ε͸*TMBOE
    )PQQJOH
    "UUBDLͱ͔ݴΘΕΔΒ͍͠

13. Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build

    Server Production Server Artifact OSS

14. Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build

    Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ৐ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮૷Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτ΢ΣΞ͕ վ͟Μ͞ΕΔՄೳੑ

15. Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build

    Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕
    վ͟Μ͞ΕΔՄೳੑ #VJME
    4FSWFS
    ͕
    ৐ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕
    ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮૷Λ͍ͯ͠ΔՄೳੑ Artifact ࠓ೔ͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕
    ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτ΢ΣΞ͕
    վ͟Μ͞ΕΔՄೳੑ OSS

16. OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ৔߹͸ɺαʔόͰ೚ҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell

    (Java) Event-Stream (Node.js) • 200ສμ΢ϯϩʔυΛ௒͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟΢ΥϨοτΛ౪΋͏ͱ͢Δίʔυ͕஫ೖ͞Ε͍ͯͨ

17. OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software

    c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ௚઀ґଘ ਪҠతґଘ

18. OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software

    c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ͸ Ͳ͏͢Ε͹͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ͸ Ͳ͏͢Ε͹͍͍ͷ͔...

19. OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software

    c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏

20. SBOMͱ͸ʁ

21. SBOMͱ͸ • ιϑτ΢ΣΞͷߏ੒ཁૉΛ෦඼දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ੒͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ࢓༷͸4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX

    (Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub ஌Βͳ͍…

22. SBOMʹ͍ͭͯ • ιϑτ΢ΣΞͷߏ੒΍ґଘؔ܎Λڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ

23. ԿͷͨΊʹSBOMΛ࢖͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕ஌ͳͲ͕Մೳ ෆಛఆଟ਺ͷιϑτ΢ΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ

24. ͦͷଞͷ༻్ • ։ൃϕϯμʔ΍੡඼ϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτ΢ΣΞɾϥΠηϯεͷ؅ཧ Vendor A Vendor B Vendor

    C Engineer ੡඼AͷSBOM ιϑτ΢ΣΞBͷSBOM ੡඼CͷSBOM

25. ੈͷதͷಈ޲ • ถࠃͰ͸ɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠͸SBOMͷ࡞੒Λཁ݅Խ͍ͯ͠Δ • ೔ຊͰ΋ɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ

26. σϞ

27. SBOMͷੜ੒ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯

28. σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφ಺ͷɺOSύοέʔδ΍ΞϓϦέʔγϣϯύοέʔδΛղੳ Container

29. σϞͷղઆ ղੳ ग़ྗ • ίϯςφ಺ͷɺOSύοέʔδ΍ΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application

    Application Library Application Application Library Container

30. ิ଍ • CycloneDXͷSBOMͰ͸ɺ෦඼ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼௚ந৅౓͕ߴͯ͘ɺ࣮૷ͨ͠΋ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍

31. SBOMΛ༻͍ͨ੬ऑੑݕ஌ ࡞੒ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯

32. σϞͷղઆ Container OS OS Package Application Application Library Application Application

    Library CycloneDX ੬ऑੑݕ஌ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ஌

33. ͍··Ͱ ෆಛఆଟ਺ͷιϑτ΢ΣΞϞδϡʔϧ ੬ऑੑݕ஌

34. ͜Ε͔Β ෆಛఆଟ਺ͷιϑτ΢ΣΞϞδϡʔϧ ར׆༻ʢྫ͑͹੬ऑੑݕ஌ʣ ଞͷ׆༻ํ๏΋ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ

35. SBOMͰશͯͷιϑτ΢ΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!

36. ͱ͸ͳΒͳ͍…

37. ࣮ࡍʹ SBOM Λੜ੒ɺݕ஌͢ΔπʔϧΛ ։ൃ͢Δͱɺଟ਺ͷ՝୊Λݟ͚ͭΔ (CycloneDXͷࣄྫΛ঺հ)

38. 1. શͯͷґଘؔ܎ΛՄࢹԽͰ͖ΔΘ͚Ͱ͸ͳ͍ • ίϯςφΛղੳ͢ΔTrivy΍GrypeͳͲͷπʔϧͰ͸ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱ͸Ͱ͖ͳ͍ ΋ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱ΋Ͱ͖ͳ͍

39. 2. ʮඪ४ϑΥʔϚοτʯޓ׵ੑ͕͋Δͱ͸ݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓ׵ੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ΋ͪΖΜ͓ޓ͍ͷSBOMͰ͸ਖ਼͘͠ݕ஌Ͱ͖ͳ͍

40. 3. ෦඼ͷґଘؔ܎ͷछྨ͕ଟ͗͢Δ • ͦ΋ͦ΋ґଘؔ܎ͱ͸ʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔ܎΋ଘࡏ

    • μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴΍HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹ͸ෳࡶ͗͢Δ

41. 3. ෦඼ͷґଘؔ܎ͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹ͸ෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ܎ DependencyʹΑΔґଘؔ܎

42. 4. ࢓༷͕े෼Ͱ͸ͳ͍͜ͱ΋͋Δ • SBOM͸੬ऑੑΛݕ஌͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ࢓༷Ͱ͸ਖ਼͘͠੬ऑੑݕ஌Ͱ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰ͸଍Γͳ͍

43. ·ͱΊ • ύοέʔδߏ੒ϑΝΠϧ΍Docker Image͔Β؆୯ʹSBOM͕ੜ੒Ͱ͖Δ • ੜ੒ͨ͠SBOM͔Β੬ऑੑݕ஌͕Մೳ • SBOM͸ࠓ͸·࣮ͩݧஈ֊Ͱ՝୊΋ଟ͘ݟΒΕΔ • ੜ੒͢Δπʔϧͷ࢓༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ

    • ੜ੒πʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤੡඼ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ͸·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ

44. ༨ஊ • SBOMͷະདྷͷ࿩

45. SBOMͷະདྷͷ࿩ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻൑அͰ͖ΔΑ͏ʹ͢Δ͜ͱ

    Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞੒(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠΋ͷɻ Software Attestation ͸ Digital Identity Attestation ͷҰछ

46. Software Attestationͱ͸ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞੒(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠΋ͷɻ

47. ιϑτ΢ΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτ΢ΣΞ΍ίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩ؅ཧ͢Δ࢓૊Έ͕։ൃ͞Εͭͭ͋Δ %PDLFS
    3FHJTUPSZʢ0$*
    3FHJTUSZʣ SBOM Docker Image Maintainer

48. ιϑτ΢ΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτ΢ΣΞ΍ίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩ؅ཧ͢Δ࢓૊Έ͕։ൃ͞Εͭͭ͋Δ %PDLFS
    3FHJTUPSZʢ0$*
    3FHJTUSZʣ SBOM Docker Image Maintainer

49. Thank you for attention

50. ͪͳΈʹ SBOMͷ࢓༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ࢓༷ʹߩݙ