
Protecting the Software Supply Chain with SBOM


Masahiro331

August 05, 2022


Transcript

  1. Masahiro Fujimura (@masahiro331), 20 August 2022. Supply Chain Security with SBOM, CloudNative Security Conference 2022
  2. Today's agenda
    • Current trends in product security
    • What is Supply Chain Security?
    • What is an SBOM?
    • Generating SBOMs and detecting vulnerabilities with them
    • Open problems with SBOMs
  3. What this talk does not cover
    • A detailed explanation of the SBOM specifications
    • The details of vulnerability detection from SBOMs
  4. About me
    • Name: Masahiro Fujimura (@masahiro331)
    • Affiliation: OWASP CycloneDX project (Volunteer)
    • Hobby: writing file system parsers
    • What I do: implemented SBOM generation and SBOM-based vulnerability detection in Trivy
  5. Current trends in product security
  6. Current attack trends
    • Attacks that abuse weak points in the supply chain are already an established threat
    • They also rank in IPA's "10 Major Threats to Information Security"
  7. Current attack trends
    • Sonatype has published a report as well
    • Attacks on the supply chain have been increasing sharply since around 2020
  8. What is Supply Chain Security?
  9. What is a supply chain?
    • The software supply process: the whole process from developing a product to delivering it to users
  10. What is a supply chain?
    • The software supply process: the whole process from developing a product to delivering it to users
    (Diagram labels: Engineer, Source Code, Vendor, OSS, Artifact, Production Server, Server / Network Machine)
  11. What is Supply Chain Security? The term is used in two contexts:
    • Defending against attacks that come through business partners, affiliates or group companies: the attacker goes through a partner, affiliate or group company that deals with the target and has a comparatively lower security level, and attacks from there.
    • Defending against attacks that target the modules a piece of software depends on: the attacker goes after widely used software, software the target company is likely to use, or the update programs for that software.
  12. What is Supply Chain Security? The same two contexts, with callouts:
    • Attacks via business partners, affiliates or group companies: this is apparently called an Island Hopping Attack
    • Attacks targeting the modules software depends on: the scope of today's talk
  13. Supply Chain Security
    (Diagram labels: Engineer, SCM (e.g. GitHub), Source Code, Build Server, Production Server, Artifact, OSS)
  14. Supply Chain Security: what can go wrong at each point of that chain
    • A malicious engineer
    • Source code in the repository being tampered with
    • The build server being taken over
    • An externally exploitable vulnerability existing in the product
    • A vulnerable implementation
    • Vulnerable source code in the dependencies
    • The released software being tampered with
  15. Supply Chain Security: the same risks; the scope of today's talk is the OSS dependencies part (vulnerable source code in the dependencies)
  16. Examples of attacks on OSS
    • Spring4Shell (Java): affected almost every system using Spring Framework on JDK 9 or later; where affected, arbitrary code could be executed on the server...
    • Event-Stream (Node.js): a malicious version of a library with over 2 million downloads was released; code that tried to steal cryptocurrency wallets had been injected
  17. Attacks on OSS: it is hard to know which OSS your own company uses
    (Diagram labels: Software A (the software you develop); Spring Framework and Software B (direct dependencies, the part you know you use); Software b, Software c, Software e and Log4j (transitive dependencies, the part you honestly have almost no idea about))
  18. Attacks on OSS (same diagram): how can products be protected from these attacks?
  19. Attacks on OSS (same diagram): let's solve it with SBOM
  20. What is an SBOM?
  21. What is an SBOM?
    • The idea of treating the components of a piece of software as a bill of materials that shows which modules it is built from
    • About four SBOM specifications exist:
    • CycloneDX (OWASP)
    • SPDX (Software Package Data Exchange) (Linux Foundation)
    • GitHub SBOM (GitHub)
    • SWID (Software Identification tags) (I don't know this one...)
  22. About SBOMs
    • The composition of software and its dependencies can be expressed in a common format
  23. What are SBOMs used for?
    • An SBOM can be used as input to other tools, for example for vulnerability detection
    (Diagram: an unspecified number of software modules, then SBOM formats (CycloneDX, SPDX), then SCA tools and the like)
  24. Other uses
    • Development vendors and product vendors publish the modules they use as SBOMs
    • Software license management
    (Diagram labels: Vendor A, Vendor B, Vendor C, Engineer, SBOM of product A, SBOM of software B, SBOM of product C)
  25. Trends in the wider world
    • In the US, an Executive Order makes producing an SBOM a requirement for some companies
    • Japan's cybersecurity strategy also mentions SBOMs
    (References shown: Overview of Cybersecurity 2022; Executive Order on Improving the Nation's Cybersecurity)
  26. Demo
  27. Generating an SBOM: let's actually make one. It's really easy.
  28. Demo explained: the container is analyzed and a CycloneDX document is output
    • The OS packages and application packages inside the container are analyzed
  29. Demo explained (same flow)
    • The OS packages and application packages inside the container are analyzed
    (Diagram labels: Container, OS, OS Package, Application, Application Library)
  30. Note
    • In a CycloneDX SBOM there are several kinds of component
    • Honestly, the level of abstraction is high; I implemented it, but I still don't fully understand it
  31. Vulnerability detection using an SBOM: let's make use of the SBOM we just created. It's really easy.

  32. Demo explained
    (Diagram: Container, OS, OS Package, Application, Application Library; CycloneDX; vulnerability detection; output: CVE-XXXX, CVE-XXXX, CVE-XXXX)
    • Vulnerabilities are detected for the packages recorded in the SBOM
  33. Until now: an unspecified number of software modules, scanned directly for vulnerabilities
  34. From now on: an unspecified number of software modules, expressed in an SBOM format (CycloneDX, SPDX), then put to use (for example vulnerability detection); other uses are conceivable too
  35. With SBOMs, all software can be made visible and put to use!
  36. ...except that is not how it turns out
  37. Once you actually develop tools that generate and scan SBOMs, you find a large number of problems (examples from CycloneDX)
  38. 1. Not every dependency can be made visible
    • Tools that analyze containers, such as Trivy and Grype, cannot see packages that were built with make and the like; naturally they cannot output them in an SBOM either
  39. 2. "Standard format" does not mean the outputs are compatible
    • The documents output by different tools differ, so they are not compatible (Grype produces CycloneDX, Trivy produces CycloneDX); naturally, neither tool can detect vulnerabilities correctly from the other's SBOM
  40. 3. There are too many kinds of dependency between components
    • What is a dependency in the first place?
    • Static linking
      • A single binary, as with Go
      • In Java there are also dependencies where a jar sits inside a jar
    • Dynamic linking
    • Dependencies through communication, such as inter-process communication or HTTP
    Too complex to express in an SBOM
  41. 3. There are too many kinds of dependency between components: too complex to express in an SBOM
    (Diagram: dependencies expressed by nesting Components, versus dependencies expressed through Dependency entries)
  42. 4. Sometimes the specification is not sufficient
    • SBOMs are mostly used in the context of vulnerability detection
    • With the current SBOM specifications, vulnerabilities cannot be detected correctly: the package representation used in SBOMs is not enough on its own
    • Handled by introducing tool-specific extension properties into the SBOM
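The detection step of the demo (slides 31 and 32) and the two dependency representations of slide 41, as an added Python example that is not code from the talk or from Trivy: it walks a constructed CycloneDX document, following both nested components and the `dependencies` graph, and matches each component's purl against a constructed advisory list so that every hit is reported with its path from the root. Package names, versions and advisory ids are placeholders, and the version comparison is a deliberate simplification.

```python
# Constructed CycloneDX 1.4 SBOM (not Trivy output): lib-a bundles lib-b as a nested component
# (a jar inside a jar) and depends on lib-c via `dependencies`. All names and ids are placeholders.
A, B, C = [f"pkg:maven/example/lib-{n}@{v}" for n, v in (("a", "2.1.0"), ("b", "0.9.3"), ("c", "4.0.1"))]
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": A, "type": "library", "name": "lib-a", "version": "2.1.0", "purl": A,
         "components": [{"bom-ref": B, "type": "library", "name": "lib-b",
                         "version": "0.9.3", "purl": B}]},
        {"bom-ref": C, "type": "library", "name": "lib-c", "version": "4.0.1", "purl": C}],
    "dependencies": [{"ref": "app", "dependsOn": [A]}, {"ref": A, "dependsOn": [C]}],
}
# Constructed advisories: (purl without version, first fixed version, placeholder advisory id).
ADVISORIES = [("pkg:maven/example/lib-b", "1.0.0", "CVE-XXXX-0001"),
              ("pkg:maven/example/lib-c", "4.0.0", "CVE-XXXX-0002")]
def flatten(components, parent=None, out=None):
    """Collect every component, recursing into nested ones, and keep the carrier's ref."""
    out = {} if out is None else out
    for c in components:
        out[c["bom-ref"]] = {"purl": c.get("purl", ""), "version": c["version"], "parent": parent}
        flatten(c.get("components", []), c["bom-ref"], out)
    return out
def vtuple(v):  # dotted numeric versions only; real ecosystems need their own comparers
    return tuple(int(x) for x in v.split("."))
def paths(sbom, comps):
    """BFS from the root over `dependencies` edges plus nesting edges; the path shows direct vs. transitive."""
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    for ref, c in comps.items():
        if c["parent"]:
            edges.setdefault(c["parent"], []).append(ref)
    root = sbom["metadata"]["component"]["bom-ref"]
    found, queue = {root: [root]}, [root]
    while queue:
        cur = queue.pop(0)
        for nxt in edges.get(cur, []):
            if nxt not in found:
                found[nxt] = found[cur] + [nxt]
                queue.append(nxt)
    return found
def scan(sbom):
    """Return (advisory id, bom-ref, path) for each component below its advisory's fixed version."""
    comps = flatten(sbom["components"])
    reach, hits = paths(sbom, comps), []
    for ref, c in comps.items():
        base = c["purl"].split("@")[0]  # purl type/namespace/name without the version
        for adv, fixed, vid in ADVISORIES:
            if base == adv and vtuple(c["version"]) < vtuple(fixed):
                hits.append((vid, ref, " -> ".join(reach.get(ref, ["unreachable"]))))
    return hits
```

`scan(SBOM)` reports lib-b as affected through lib-a, while lib-c is clean because 4.0.1 is not below its fixed version.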

  43. Summary
    • An SBOM can easily be generated from package manifest files or a Docker image
    • Vulnerabilities can be detected from the generated SBOM
    • SBOMs are still at an experimental stage and many problems remain
    • You need to understand the specifics of the generating tool in order to operate it
    • As generation tools mature, tools that consume SBOMs will appear
    • It would be great to reach a world where every product vendor publishes SBOMs
    • Tools that make use of SBOMs are still few, so this is a chance to develop OSS!
  44. Aside
    • The future of SBOMs
  45. The future of SBOMs
    Digital Identity Attestation
    • Enabling OSS developers / contributors / users to understand where and how the code they maintain / develop / use is supplied, so that they can decide whether to use it
    Software Attestation
    • A model of metadata such as "what (Subject), how it was produced (Predicate), who signed it (Signature)". Software Attestation is one kind of Digital Identity Attestation.
  46. What is Software Attestation?
    • A model of metadata such as "what (Subject), how it was produced (Predicate), who signed it (Signature)".
  47. Signing software
    • By signing software or container images with the SBOM attached as metadata, mechanisms for managing SBOMs centrally are being developed
    (Diagram labels: Docker Registry (OCI Registry), SBOM, Docker Image, Maintainer)
  48. Signing software (same content as slide 47)
  49. Thank you for your attention
  50. By the way
    • I contributed to the SBOM specification, and my name appeared on the Working Group list
    • Contributed to the specification for expressing vulnerabilities in an SBOM