SBOMを利用したソフトウェアサプライチェーンの保護

Masahiro331
August 05, 2022

Transcript

  1. Masahiro Fujimura (@masahiro331), 20 August 2022
    Supply Chain Security with SBOM
    CloudNative Security Conference 2022


  2. Today's agenda
    • Recent trends in product security
    • What is Supply Chain Security?
    • What is an SBOM?
    • Generating SBOMs and detecting vulnerabilities with them
    • The challenges SBOM faces

  3. What I will not cover today
    • A detailed explanation of the SBOM specifications
    • The details of vulnerability detection with SBOM

  4. About me
    • Name: Masahiro Fujimura (@masahiro331)
    • Affiliation: OWASP CycloneDX project (volunteer)
    • Hobby: writing file system parsers
    • What I do: implemented SBOM generation and SBOM-based vulnerability detection in Trivy

  5. Recent trends in product security

  6. Recent attack trends
    • Attacks that abuse weak points in the supply chain are already a real problem as a threat
    • They also rank in IPA's "10 Major Information Security Threats"

  7. Recent attack trends
    • Sonatype has also published a report on this
    • Attacks on the supply chain have increased sharply since around 2020

  8. What is Supply Chain Security?

  9. What is a supply chain?
    • The process by which software is supplied
    The whole process from developing a product until it reaches the user

  10. What is a supply chain?
    • The process by which software is supplied
    The whole process from developing a product until it reaches the user
    (Diagram: Engineer, Source Code, Vendor, OSS, Artifact, Production Server, Server / Network Machine)

  11. What is Supply Chain Security?
    "Supply Chain Security" is used in two contexts
    • Defending against attacks that come in through business partners, affiliated companies and group companies
    A method of attack that goes through business partners, affiliates or group companies that interact with the target company and have a comparatively lower security level.
    • Defending against attacks that target the modules a piece of software depends on
    A method of attack against widely used software, software the target company is likely to use, or the update programs for that software.

  12. What is Supply Chain Security?
    "Supply Chain Security" is used in two contexts
    • Defending against attacks that come in through business partners, affiliated companies and group companies
    A method of attack that goes through business partners, affiliates or group companies that interact with the target company and have a comparatively lower security level.
    (This is apparently what is called an "Island Hopping Attack")
    • Attacks that target the modules a piece of software depends on
    A method of attack against widely used software, software the target company is likely to use, or the update programs for that software.
    (Today's scope)

  13. Supply Chain Security
    (Pipeline diagram: Engineer, SCM (e.g. GitHub), Source Code, Build Server, Artifact, Production Server, OSS)

  14. Supply Chain Security
    (The same pipeline diagram: Engineer, SCM (e.g. GitHub), Source Code, Build Server, OSS, Artifact, Production Server, annotated with the risk at each stage)
    • The engineer may be malicious
    • The source code in the repository may be tampered with
    • The build server may have been taken over
    • An externally exploitable vulnerability may exist
    • The implementation may be vulnerable
    • The source code it depends on may be vulnerable
    • The released software may be tampered with

  15. Supply Chain Security
    (The same annotated pipeline diagram: Engineer, SCM (e.g. GitHub), Source Code, Build Server, Artifact, Production Server, OSS)
    • The engineer may be malicious
    • The source code in the repository may be tampered with
    • The build server may have been taken over
    • An externally exploitable vulnerability may exist
    • The implementation may be vulnerable
    • The source code it depends on may be vulnerable (today's scope)
    • The released software may be tampered with

  16. Examples of attacks on OSS
    Spring4Shell (Java)
    • Affects almost every system that uses Spring Framework on JDK 9 or later
    • Where affected, arbitrary code can be executed on the server…
    Event-Stream (Node.js)
    • A malicious version of a library with more than 2 million downloads was released
    • Code that tried to steal cryptocurrency wallets had been injected

  17. Attacks on OSS
    It is hard to know which OSS your own company is using
    (Diagram: Software A, Software B, Software b, c, e, Spring Framework, Log4j; "software we develop in-house", "the range where we know what we use", "the range where, honestly, we mostly have no idea what we use"; direct dependencies vs. transitive dependencies)

  18. Attacks on OSS
    It is hard to know which OSS your own company is using
    (Same dependency diagram: Software A, Software B, Software b, c, e, Spring Framework, Log4j)
    What should we do to protect our products from these attacks...

  19. Attacks on OSS
    It is hard to know which OSS your own company is using
    (Same dependency diagram: Software A, Software B, Software b, c, e, Spring Framework, Log4j)
    Let's solve it with SBOM

  20. What is an SBOM?

  21. What is an SBOM?
    • The concept of treating the constituent parts of a piece of software as a bill of materials, showing which modules it is built from
    • There are roughly four SBOM specifications
      • CycloneDX (OWASP)
      • SPDX (Software Package Data Exchange) (Linux Foundation)
      • GitHub SBOM (GitHub)
      • SWID (Software Identification tags) (don't know this one…)

  22. About SBOM
    • The composition and dependencies of software can be expressed in a common format

  23. What is an SBOM used for?
    • With an SBOM as input, things such as vulnerability detection become possible
    (Diagram: an unspecified number of software modules → SBOM formats (CycloneDX, SPDX) → SCA tools etc.)

  24. Other uses
    • Development vendors and product vendors publishing the modules they use as an SBOM
    • Managing software licenses
    (Diagram: Vendor A, Vendor B and Vendor C each hand the SBOM of Product A, Software B and Product C to an Engineer)

  25. Trends in the wider world
    • In the US, an executive order makes producing an SBOM a requirement for some companies
    • Japan also refers to SBOM in its cybersecurity strategy
    (Referenced: "Overview of Cybersecurity 2022"; "Executive Order on Improving the Nation's Cybersecurity")

  26. Demo

  27. Generating an SBOM
    Let's actually create an SBOM
    It's really easy

  28. Walkthrough of the demo
    • Analyze the OS packages and application packages inside the container
    (Diagram: Container → analyze → output → CycloneDX)

  29. Walkthrough of the demo
    • Analyze the OS packages and application packages inside the container
    (Diagram: Container → OS → OS packages; Container → Applications → Application libraries; analyze → output)

  30. Supplementary note
    • In a CycloneDX SBOM there are several kinds of component
    • Honestly, the level of abstraction is high; I implemented it, but I still don't fully understand it

  31. Vulnerability detection using an SBOM
    Let's make use of the SBOM we created
    It's really easy

  32. Walkthrough of the demo
    • Detect vulnerabilities in the packages listed in the SBOM
    (Diagram: Container (OS packages, application libraries) → CycloneDX → vulnerability detection → output: CVE-XXXX, CVE-XXXX, CVE-XXXX)

  33. Until now
    (Diagram: an unspecified number of software modules → vulnerability detection)

  34. From now on
    (Diagram: an unspecified number of software modules → SBOM formats (CycloneDX, SPDX) → uses, e.g. vulnerability detection)
    Other ways of using them are also conceivable

  35. With SBOM we can make every piece of software visible and put it to use!

  36. ...except that it doesn't turn out that way…

  37. When you actually develop a tool that generates and scans SBOMs, you find a lot of problems
    (Examples from CycloneDX)

  38. 1. Not every dependency can be made visible
    • Tools that analyze containers, such as Trivy and Grype, cannot make visible packages that were built with make or the like
    Naturally, those packages cannot be output in the SBOM either

  39. 2. "Standard format" does not mean "compatible"
    • The output format differs from tool to tool, so there is no compatibility
    (Diagram: Grype CycloneDX vs. Trivy CycloneDX)
    Naturally, neither tool can detect vulnerabilities correctly from the other's SBOM

  40. 3. There are too many kinds of dependency between components
    • What is a dependency in the first place?
    • Static linking
    • A single binary, as with Go
    • In Java there are also dependencies where a Jar sits inside another Jar
    • Dynamic linking
    • Dependencies through communication, such as inter-process communication or HTTP
    Too complex to express as an SBOM

  41. 3. There are too many kinds of dependency between components
    Too complex to express as an SBOM
    (Diagram: dependencies expressed by nesting Components vs. dependencies expressed with Dependency entries)

  42. 4. The specification is sometimes not sufficient
    • SBOMs are mostly used in the context of detecting vulnerabilities
    • With the current SBOM specifications, vulnerabilities cannot be detected correctly
    The package representation used in SBOMs is not enough on its own
    We cope by introducing tool-specific extension properties into the SBOM
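
A worked matcher for the demo walkthrough above (detecting vulnerabilities from the packages listed in a CycloneDX SBOM) and for the point just made (why the SBOM's package representation is not enough on its own for OS packages). This is an added Python example, not code from the talk or from Trivy; the SBOM, the advisory entries with their placeholder CVE ids, and the property name "example:srcName" are all constructed for it.

```python
import json
import re
# Constructed CycloneDX 1.4 SBOM (not real tool output) with its dependency graph.
SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"type": "container", "name": "app:1.0", "bom-ref": "img"}},
 "components": [
  {"type": "operating-system", "name": "debian", "version": "11.3", "bom-ref": "os"},
  {"type": "library", "name": "libssl1.1", "version": "1.1.1n-0+deb11u1", "bom-ref": "ssl",
   "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0%2Bdeb11u1",
   "properties": [{"name": "example:srcName", "value": "openssl"}]},
  {"type": "library", "name": "requests", "version": "2.25.1", "bom-ref": "req",
   "purl": "pkg:pypi/requests@2.25.1"}],
 "dependencies": [{"ref": "img", "dependsOn": ["os", "req"]}, {"ref": "os", "dependsOn": ["ssl"]}]
}""")
# Constructed advisories, placeholder ids. Debian advisories are keyed by release and *source*
# package (openssl), not the PURL's binary name (libssl1.1): the tool property closes that gap.
ADVISORIES = [
    {"id": "CVE-0000-0001", "ecosystem": "debian:11", "package": "openssl", "fixed": "1.1.1n-0+deb11u3"},
    {"id": "CVE-0000-0002", "ecosystem": "pypi", "package": "requests", "fixed": "2.31.0"},
]

def ver_key(v):  # simplified ordering over numeric/alphabetic runs, not full dpkg or PEP 440
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", v)]

def depth(sbom, ref):
    """0 = the root component, 1 = direct dependency, >1 = transitive, None = unreachable."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    frontier, seen, level = [sbom["metadata"]["component"]["bom-ref"]], set(), 0
    while frontier and ref not in frontier:
        level += 1
        frontier = [x for r in frontier for x in graph.get(r, []) if x not in seen]
        seen.update(frontier)
    return level if frontier else None

def scan(sbom, advisories):
    """Return (bom-ref, advisory id, fixed version, depth) for each vulnerable component."""
    os_comp = next((c for c in sbom["components"] if c["type"] == "operating-system"), None)
    distro = f'{os_comp["name"]}:{os_comp["version"].split(".")[0]}' if os_comp else None
    found = []
    for c in sbom["components"]:
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        if c.get("purl", "").startswith("pkg:deb/"):  # OS package: key by release + source package
            key = (distro, props.get("example:srcName", c["name"]))
        else:  # language package: the ecosystem is the PURL type (pypi, npm, ...)
            key = (c.get("purl", "pkg:none/").split(":", 1)[1].split("/", 1)[0], c["name"])
        for a in advisories:
            if key == (a["ecosystem"], a["package"]) and ver_key(c["version"]) < ver_key(a["fixed"]):
                found.append((c["bom-ref"], a["id"], a["fixed"], depth(sbom, c["bom-ref"])))
    return found
```

Without the source-package property, libssl1.1 would never be matched against the openssl advisory; the depth column is what lets a report say whether a finding is a direct or a transitive dependency.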

  43. Summary
    • An SBOM can easily be generated from package manifest files or a Docker image
    • Vulnerabilities can be detected from the generated SBOM
    • SBOM is still at an experimental stage and many problems remain
    • You need to understand the specifics of the generating tool in order to operate it
    • As generating tools mature, tools that make use of SBOMs will appear
    • It would be great to reach a world where every product vendor publishes an SBOM
    • Tools that make use of SBOMs are still few, so it's a chance to develop OSS!

  44. Aside
    • On the future of SBOM

  45. On the future of SBOM
    Digital Identity Attestation
    • Enabling OSS developers, contributors and users to understand where and how the code they maintain, develop or use is supplied, so that they can decide whether to use it
    Software Attestation
    • A model for metadata such as "what (Subject), how it was created (Predicate), who signed it (Signature)".
    Software Attestation is one kind of Digital Identity Attestation

  46. What is Software Attestation?
    • A model for metadata such as "what (Subject), how it was created (Predicate), who signed it (Signature)".

  47. Signing software
    • Mechanisms are being developed that manage SBOMs centrally by signing software or container images with the SBOM attached as metadata
    (Diagram: Maintainer → Docker Image + SBOM → Docker Registry (OCI Registry))

  48. Signing software
    • Mechanisms are being developed that manage SBOMs centrally by signing software or container images with the SBOM attached as metadata
    (Diagram: Maintainer → Docker Image + SBOM → Docker Registry (OCI Registry))
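
The subject/predicate/signature model from the attestation slides and the image-plus-SBOM signing just described, as an added Python example (not the talk's code, and not cosign or in-toto): it binds a constructed SBOM to a constructed image by digest, and on the consuming side hands out the SBOM only if the signature verifies and the subject digest matches the image actually held. The HMAC with a shared key stands in for the maintainer's asymmetric signature, and the two type URLs are assumed.

```python
import hashlib
import hmac
import json

# Constructed artifact and SBOM, standing in for a container image and its CycloneDX BOM.
IMAGE_BYTES = b"constructed image layer bytes"
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "requests", "version": "2.31.0"}]}
# A shared secret stands in for the maintainer's signing key. A real attestation is signed
# with an asymmetric key inside a DSSE envelope; that part is deliberately not modelled here.
MAINTAINER_KEY = b"constructed-demo-key"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"  # assumed statement type
SBOM_PREDICATE = "https://cyclonedx.org/bom"          # assumed predicate type for a CycloneDX BOM

def attest(image_name, image_bytes, sbom, key):
    """Bind the SBOM (predicate) to the image (subject) by digest, then sign the statement."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": image_name, "digest": {"sha256": hashlib.sha256(image_bytes).hexdigest()}}],
        "predicateType": SBOM_PREDICATE,
        "predicate": sbom,
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload, "signature": hmac.new(key, payload, "sha256").hexdigest()}

def verify(envelope, image_name, image_bytes, key):
    """Return the SBOM only if the signature holds and the subject is the image we actually hold."""
    expected = hmac.new(key, envelope["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(envelope["signature"], expected):
        raise ValueError("signature does not verify")
    statement = json.loads(envelope["payload"])
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != SBOM_PREDICATE:
        raise ValueError("not an SBOM attestation")
    digest = hashlib.sha256(image_bytes).hexdigest()
    if not any(s["name"] == image_name and s["digest"].get("sha256") == digest for s in statement["subject"]):
        raise ValueError("attestation subject is not this image")
    return statement["predicate"]
```

The subject check is the part that makes the registry-side design work: an SBOM that verifies but describes a different image digest must be treated as not applying to the image you are about to run.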

  49. Thank you for your attention

  50. By the way, I also contributed to the SBOM specification
    My name was listed in the Working Group
    • Contributed to the specification for expressing vulnerabilities in an SBOM