
Protecting the Software Supply Chain with SBOMs (SBOMを利用したソフトウェアサプライチェーンの保護)

Masahiro331

August 05, 2022

Transcript

  1. Masahiro Fujimura (@masahiro331), 20 August 2022
    Supply Chain Security with SBOM
    CloudNative Security Conference 2022


  2. Today's agenda
    • Recent trends in product security
    • What is Supply Chain Security?
    • What is an SBOM?
    • Generating SBOMs and detecting vulnerabilities from them
    • Problems SBOMs still have

  3. What I will not cover today
    • A detailed walkthrough of the SBOM specifications
    • The details of vulnerability detection from an SBOM

  4. About me
    • Name: Masahiro Fujimura (@masahiro331)
    • Affiliation: OWASP CycloneDX project (volunteer)
    • Hobby: writing file-system parsers
    • What I actually do: implemented SBOM generation and SBOM-based vulnerability detection in Trivy

  5. Recent trends in product security

  6. Recent attack trends
    • Attacks that abuse weak points in the supply chain are already an established threat
    • They also rank in IPA's annual "10 Major Security Threats" list

  7. Recent attack trends
    • Sonatype has published a report on this as well (its annual State of the Software Supply Chain report)
    • Attacks on the supply chain have risen sharply since around 2020

  8. What is Supply Chain Security?

  9. What is a supply chain
    • The process by which software is supplied:
    the whole chain from developing a product to delivering it to the user

  10. What is a supply chain
    • The same definition, drawn as a chain:
    (Diagram: Engineer → Source Code → Vendor / OSS → Artifact → Production Server → Server / Network Machine)

  11. What is Supply Chain Security
    "Supply Chain Security" is used in two different senses:
    • Defending against attacks that come in through business partners, affiliated companies or group companies
      The attacker goes through a partner, affiliate or group company that exchanges data with the target and has a comparatively weak security posture, and reaches the target from there.
    • Defending against attacks that target the modules a piece of software depends on
      The attacker compromises widely used software, software the target is likely to run, or the update programs for that software.

  12. What is Supply Chain Security
    The same two senses, annotated:
    • Attacks via partners, affiliates and group companies: this is apparently what gets called an "Island Hopping Attack"
    • Attacks on the modules software depends on: today's scope

  13. Supply Chain Security
    (Diagram: Engineer → SCM (e.g. GitHub) → Source Code → Build Server → Artifact → Production Server, with OSS feeding into the build)

  14. Supply Chain Security
    The same chain (Engineer, SCM such as GitHub, Source Code, Build Server, Artifact, Production Server, OSS), with the risk at each stage:
    • Engineer: could be malicious
    • SCM: the source code in the repository could be tampered with
    • Build Server: could have been taken over
    • Production Server: could expose a vulnerability that is exploitable from outside
    • Source Code: could contain a vulnerable implementation
    • OSS: the source code you depend on could itself be vulnerable
    • Artifact: the released software could be tampered with

  15. Supply Chain Security
    Same diagram; today's scope is the OSS box: the dependencies your software pulls in may themselves be vulnerable.

  16. Examples of attacks on OSS
    Spring4Shell (Java)
    • Affects almost every system running Spring Framework on JDK 9 or later
    • Where it applies, the attacker ends up able to run arbitrary code on the server…
    (CVE-2022-22965. The publicly known exploit path needs JDK 9+, Tomcat and a WAR deployment; Spring's advisory did not rule out other paths, which is why "almost every system" is the safe assumption.)
    Event-Stream (Node.js)
    • A malicious version was released of a library with more than two million downloads
    • The injected code tried to steal cryptocurrency wallets
    (The payload arrived through a newly added dependency, flatmap-stream, not through event-stream's own code, which is what made it hard to spot.)

  17. Attacks on OSS
    It is hard to know which OSS your own organisation actually uses
    (Diagram: the software you develop, Software A, depends directly on Spring Framework and Software B; those in turn pull in Software b, c, e and Log4j)
    • Direct dependencies: the part you roughly know about
    • Transitive dependencies: the part where, honestly, you have almost no idea what is in there

  18. Attacks on OSS
    Same diagram. So how do we protect the product from these attacks...

  19. Attacks on OSS
    Same diagram. Let's solve it with SBOMs

  20. What is an SBOM
    • A concept that treats the constituent parts of a piece of software as a bill of materials: a list of the modules it is built from
    • There are roughly four SBOM specifications:
    • CycloneDX (OWASP)
    • SPDX, Software Package Data Exchange (Linux Foundation)
    • GitHub SBOM (GitHub)
    • SWID, Software Identification tags (ISO/IEC 19770-2; I don't know this one…)

  21. About SBOMs
    • The composition of a piece of software and its dependency relationships can be expressed in a common format

  22. What are SBOMs for
    • An SBOM can be fed as input to vulnerability detection and similar processing
    (Diagram: an unspecified, large number of software modules → an SBOM format (CycloneDX, SPDX) → SCA tools and the like)

  23. Other uses
    • Development vendors and product vendors publish the modules they use as an SBOM
    • Software licence management
    (Diagram: Vendor A, B and C each hand an engineer the SBOM for product A, software B and product C)

  24. Trends in the wider world
    • In the US, an Executive Order (EO 14028, "Improving the Nation's Cybersecurity") makes producing an SBOM a requirement for some vendors, namely those supplying software to the federal government
    • Japan's cybersecurity strategy also mentions SBOMs
    (Figures: overview of "Cybersecurity 2022"; the Executive Order on Improving the Nation's Cybersecurity)

  25. Generating an SBOM
    Let's actually build one
    It's really easy

  26. Demo walkthrough
    • Analyse the OS packages and application packages inside a container and output them as CycloneDX
    (Diagram: Container → analyse → CycloneDX output)

  27. Demo walkthrough
    • Analyse the OS packages and application packages inside a container
    (Diagram: the Container contains an OS, which has OS packages, and Applications, which have Application libraries; each of these becomes a component in the output)

  28. Supplementary note
    • A CycloneDX SBOM has several kinds of component (the spec's component types include application, library, framework, container and operating-system)
    • Honestly the abstraction is high-level; I implemented it, but I still do not fully understand it

  29. Vulnerability detection with an SBOM
    Let's put the SBOM we just created to use
    It's really easy

  30. Demo walkthrough
    • Detect vulnerabilities for the packages recorded in the SBOM
    (Diagram: Container (OS packages, application libraries) → CycloneDX → vulnerability detection → output: CVE-XXXX, CVE-XXXX, CVE-XXXX)

  31. Until now
    (Diagram: an unspecified, large number of software modules → vulnerability detection, with each scanner analysing the modules itself)

  32. From now on
    (Diagram: an unspecified, large number of software modules → an SBOM format (CycloneDX, SPDX) → consumers, for example vulnerability detection)
    Other uses of the same SBOM become possible too

  33. So with SBOMs we can make every piece of software visible and put it to use!

  34. …except that is not how it turns out…

  35. Actually building a tool that generates SBOMs and detects from them turns up a lot of problems
    (Examples from CycloneDX)

  36. 1. Not every dependency can be made visible
    • Container scanners such as Trivy and Grype cannot see packages that were built with make or similar, because nothing (package manager database, lockfile, manifest) records them
    • Naturally, such packages cannot be written into the SBOM either

  37. 2. A "standard format" does not promise interoperability
    • Different tools emit different CycloneDX, so their output is not interchangeable
    (Diagram: Grype → CycloneDX, Trivy → CycloneDX)
    • Naturally, neither tool can detect correctly from the other's SBOM
    In practice the differences are in which identifiers get populated (purl, cpe, bom-ref) and in tool-specific properties; before feeding one tool's SBOM to another, check that every component carries a purl, because that is the field a matcher can actually key on.

  38. 3. There are too many kinds of dependency relationship between components
    • What is a "dependency" in the first place?
    • Static linking (a single binary, as with Go)
    • In Java, a jar packaged inside another jar is also a dependency relationship
    • Dynamic linking
    • Dependencies through inter-process communication or network calls such as HTTP
    Too complex to express as an SBOM

  39. 3. There are too many kinds of dependency relationship between components
    Too complex to express as an SBOM
    (Diagram: CycloneDX offers two ways to say it: a dependency expressed by nesting one Component inside another, and a dependency expressed through the Dependency graph)
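The two relationships on this slide, plus the direct/transitive split of slide 17, as an added example in Go; this is not the deck's code and not Trivy's or CycloneDX's. The graph, the bom-refs and the package names are constructed for illustration, and the only thing taken from CycloneDX is the shape of the data: `dependencies` entries are `ref` → `dependsOn` edges, and a component nested inside another expresses containment, not a dependency edge. The point it makes is that a consumer which walks only `dependencies` never sees the jar that shipped inside the application jar.

```go
package main

import (
	"fmt"
	"sort"
)

// Edges keyed by bom-ref. dependsOn mirrors the CycloneDX "dependencies" array
// (ref -> dependsOn[]); contains mirrors components nested inside other components
// (a jar packaged inside a jar, an OS package inside a container image).
type depGraph struct {
	dependsOn map[string][]string
	contains  map[string][]string
}

// reach does a breadth-first walk from root over the given edge maps and returns
// each reachable ref with its hop count (1 = directly attached to root).
func reach(root string, edges ...map[string][]string) map[string]int {
	depth := map[string]int{}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, m := range edges {
			for _, next := range m[cur] {
				if _, seen := depth[next]; seen || next == root {
					continue // cycles and duplicates are harmless: first visit wins
				}
				depth[next] = depth[cur] + 1
				queue = append(queue, next)
			}
		}
	}
	return depth
}

type scope struct{ Direct, Transitive, ContainedOnly []string }

// classify splits what root pulls in: direct and transitive dependencies from the
// dependency graph, plus components reachable only through nesting, which a
// consumer that walks "dependencies" alone never sees.
func classify(root string, g depGraph) scope {
	var s scope
	viaDeps := reach(root, g.dependsOn)
	viaBoth := reach(root, g.dependsOn, g.contains)
	for ref, d := range viaDeps {
		if d == 1 {
			s.Direct = append(s.Direct, ref)
		} else {
			s.Transitive = append(s.Transitive, ref)
		}
	}
	for ref := range viaBoth {
		if _, ok := viaDeps[ref]; !ok {
			s.ContainedOnly = append(s.ContainedOnly, ref)
		}
	}
	sort.Strings(s.Direct)
	sort.Strings(s.Transitive)
	sort.Strings(s.ContainedOnly)
	return s
}

// Constructed graph in the shape of slides 17 and 39. The bom-refs are purls, as
// generators commonly emit; the packages and versions are illustrative only.
const root = "pkg:maven/example/app@1.0.0"

var sample = depGraph{
	dependsOn: map[string][]string{
		root: {"pkg:maven/org.springframework/spring-beans@5.3.17", "pkg:maven/example/software-b@2.0.0"},
		"pkg:maven/example/software-b@2.0.0": {"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
	},
	contains: map[string][]string{
		root: {"pkg:maven/example/vendor-bundle@1.0.0"},                                  // a jar shipped inside app.jar
		"pkg:maven/example/vendor-bundle@1.0.0": {"pkg:maven/example/inner-lib@0.9.0"}, // jar inside jar inside jar
	},
}

func demoScope() scope { return classify(root, sample) }

func main() {
	s := demoScope()
	fmt.Println("direct:        ", s.Direct)
	fmt.Println("transitive:    ", s.Transitive)
	fmt.Println("contained only:", s.ContainedOnly)
}
```

Whether a "contained only" component should be treated as a dependency for vulnerability purposes is exactly the question the slide raises; the code keeps the two sets apart so the consumer can decide rather than silently merging them.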

  40. 4. The specification is not always sufficient
    • SBOMs are mostly used in the context of vulnerability detection
    • With the SBOM specifications as they stand today, vulnerabilities cannot be detected correctly
    • The package representation an SBOM carries is not enough on its own
    • Worked around by adding tool-specific extension properties to the SBOM (Trivy, for example, records its own package type and source-package data under the aquasecurity:trivy: property namespace)
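What a consumer implementing slides 30, 37 and 40 actually does with a CycloneDX BOM, as an added example of my own (not Trivy's or CycloneDX's code): parse the components, derive a lookup key from the purl, fall back to a tool-specific property when the purl is missing, and compare versions against an in-memory advisory list. The BOM is hand-written, the advisory list is constructed (EXAMPLE-2022-0001 is fictitious; CVE-2022-22965 is Spring4Shell, fixed in 5.3.18), and the mapping from Trivy's `aquasecurity:trivy:PkgType` values onto purl types is an assumption made for the illustration. The version comparison is deliberately simplified.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal view of a CycloneDX JSON BOM (encoding/json matches keys case-insensitively).
type bom struct{ Components []component }
type component struct {
	Name, Version, Purl string
	Properties          []property
}
type property struct{ Name, Value string }
type vuln struct{ ID, Ecosystem, Package, Fixed string } // versions below Fixed are affected
type finding struct{ Component, VulnID, Reason string }
// Trivy's tool-specific aquasecurity:trivy:PkgType values mapped onto purl types (assumed here).
var pkgTypeToPurlType = map[string]string{"alpine": "apk", "debian": "deb", "jar": "maven"}

// ecosystemAndName derives the (purl type, package path) lookup key and says which field it
// came from: the purl is the interoperable identifier; the property needs tool-specific knowledge.
func ecosystemAndName(c component) (eco, name, source string) {
	if rest := strings.TrimPrefix(c.Purl, "pkg:"); rest != c.Purl {
		if i := strings.IndexAny(rest, "@?#"); i >= 0 { // drop version, qualifiers, subpath
			rest = rest[:i]
		}
		if slash := strings.Index(rest, "/"); slash > 0 {
			return rest[:slash], rest[slash+1:], "purl"
		}
	}
	for _, p := range c.Properties {
		if p.Name == "aquasecurity:trivy:PkgType" {
			return pkgTypeToPurlType[p.Value], c.Name, "tool-specific property, not purl"
		}
	}
	return "", c.Name, ""
}

// versionLess: simplified dotted comparison (integer segments numerically, the rest lexically); real scanners use ecosystem-specific comparators.
func versionLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		xi, xe := strconv.Atoi(pa[i])
		yi, ye := strconv.Atoi(pb[i])
		if xe == nil && ye == nil && xi != yi {
			return xi < yi
		}
		if (xe != nil || ye != nil) && pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return len(pa) < len(pb)
}

// scan matches every component against db and also reports what it could not map at all.
func scan(b bom, db []vuln) []finding {
	var out []finding
	for _, c := range b.Components {
		label := c.Name + "@" + c.Version
		eco, name, source := ecosystemAndName(c)
		if eco == "" {
			out = append(out, finding{label, "", "no purl and no known package-type property; skipped"})
			continue
		}
		for _, v := range db {
			if v.Ecosystem == eco && v.Package == name && versionLess(c.Version, v.Fixed) {
				out = append(out, finding{label, v.ID, "matched via " + source})
			}
		}
	}
	return out
}

// Constructed sample BOM (hand-written, not real Trivy output); EXAMPLE-2022-0001 is fictitious.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"type":"library","name":"spring-beans","version":"5.3.17","purl":"pkg:maven/org.springframework/spring-beans@5.3.17"},
 {"type":"library","name":"busybox","version":"1.35.0-r17","properties":[{"name":"aquasecurity:trivy:PkgType","value":"alpine"}]},
 {"type":"library","name":"mystery","version":"0.1.0"}]}`

var sampleDB = []vuln{
	{"CVE-2022-22965", "maven", "org.springframework/spring-beans", "5.3.18"}, // Spring4Shell, fixed in 5.3.18
	{"EXAMPLE-2022-0001", "apk", "busybox", "1.35.0-r20"},
}

func demoFindings() []finding {
	var b bom
	if err := json.Unmarshal([]byte(sampleBOM), &b); err != nil {
		panic(err) // the embedded sample is valid JSON
	}
	return scan(b, sampleDB)
}

func main() {
	for _, f := range demoFindings() {
		fmt.Println(f)
	}
}
```

The three components exercise the three outcomes: a purl-keyed match, a match that only works because the consumer knows Trivy's private property, and a component nobody can map. The last two are the interoperability gap of slide 37 and the "spec is not enough" point of slide 40 seen from the consumer's side.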

  41. Summary
    • SBOMs can be generated easily from package manifest files or Docker images
    • Vulnerabilities can be detected from the generated SBOM
    • SBOMs are still at an experimental stage and many problems remain
    • You have to understand the specifics of the generating tool to operate on its output
    • As generation tools mature, tools that consume SBOMs will follow
    • It would be great to reach a world where every product vendor publishes an SBOM
    • Tools that consume SBOMs are still scarce, so this is a chance to build OSS!

  42. Aside
    • The future of SBOMs

  43. The future of SBOMs
    Digital Identity Attestation
    • Letting OSS developers, contributors and users understand where the code they maintain, develop or use comes from and how it was supplied, so that they can decide whether to trust it
    Software Attestation
    • A model of metadata such as "what it is (Subject), how it was produced (Predicate), who vouches for it (Signature)"
    Software Attestation is one kind of Digital Identity Attestation

  44. What is Software Attestation
    • A model of metadata such as "what it is (Subject), how it was produced (Predicate), who vouches for it (Signature)"

  45. Signing software
    • Mechanisms are being developed that attach the SBOM to the software or container image as signed metadata, so that SBOMs can be managed centrally alongside the artifact they describe
    (Diagram: a Maintainer pushes the Docker Image and its SBOM to a Docker Registry (OCI Registry))
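Slides 43 to 45 in code, as an added example that is neither the deck's nor the sigstore project's: an in-toto Statement whose subject is the artifact digest and whose predicate is the CycloneDX BOM, wrapped in a DSSE envelope and signed with Ed25519 from the Go standard library. The image bytes, the BOM and the key are constructed; the predicate type URI is the one used for CycloneDX attestations in the sigstore tooling, and in practice the subject digest is the OCI manifest digest and the envelope is what gets pushed next to the image. The verifier checks both halves of the claim: the signature over PAE(payloadType, payload), and that the subject really is the artifact in hand.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// in-toto Statement: Subject says what the claim is about, Predicate is the claim.
type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type statement struct {
	Type          string          `json:"_type"`
	Subject       []subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// DSSE envelope: the Signature part. The signature covers payloadType and payload together.
type dsseSig struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type envelope struct {
	PayloadType string    `json:"payloadType"`
	Payload     string    `json:"payload"`
	Signatures  []dsseSig `json:"signatures"`
}

const payloadType = "application/vnd.in-toto+json"
// pae is DSSE's Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
func pae(typ string, body []byte) []byte {
	return append([]byte(fmt.Sprintf("DSSEv1 %d %s %d ", len(typ), typ, len(body))), body...)
}

// sbomStatement: subject = sha256 of the artifact, predicate = the CycloneDX BOM.
func sbomStatement(name string, artifact, bom []byte) ([]byte, error) {
	sum := sha256.Sum256(artifact)
	return json.Marshal(statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		Subject:       []subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://cyclonedx.org/bom",
		Predicate:     bom,
	})
}

// sign wraps the statement in a DSSE envelope signed with an Ed25519 key.
func sign(priv ed25519.PrivateKey, keyID string, stmt []byte) envelope {
	sig := ed25519.Sign(priv, pae(payloadType, stmt))
	return envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(stmt),
		Signatures:  []dsseSig{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// verify checks a signature under pub, then that the statement's subject is the artifact we hold: a valid signature over somebody else's image is still a failure.
func verify(pub ed25519.PublicKey, env envelope, artifact []byte) (*statement, error) {
	stmt, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	valid := false
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		valid = valid || (err == nil && ed25519.Verify(pub, pae(env.PayloadType, stmt), raw))
	}
	if !valid {
		return nil, fmt.Errorf("no signature verifies under this key")
	}
	var st statement
	if err := json.Unmarshal(stmt, &st); err != nil {
		return nil, err
	}
	want := sha256.Sum256(artifact)
	for _, s := range st.Subject {
		if s.Digest["sha256"] == hex.EncodeToString(want[:]) {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("statement subject does not match this artifact")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo key; errors are ignored in this demo only
	image := []byte("constructed stand-in for an image manifest")
	bom := []byte(`{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}`)
	stmt, _ := sbomStatement("registry.example/app:1.0", image, bom)
	env := sign(priv, "maintainer-key-1", stmt)
	out, _ := json.MarshalIndent(env, "", "  ")
	_, err := verify(pub, env, image)
	fmt.Printf("%s\nverified: %v\n", out, err == nil)
}
```

Because PAE binds the payload type into what is signed, an attacker cannot take a signed SBOM and re-label it as some other kind of predicate; and because the subject digest is checked against the artifact, a genuine attestation for one image cannot be replayed against another.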


  47. Thank you for your attention

  48. By the way, I also contributed to the SBOM specification itself
    • My name was listed in the Working Group
    • Contributed to the part of the spec that expresses vulnerabilities inside an SBOM (CycloneDX 1.4 added a vulnerabilities element for this)