SBOMを利用したソフトウェアサプライチェーンの保護

by Masahiro331

Slide 1

Slide 1 text

Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with SBOM CloudNative Security Conference 2022

Slide 2

Slide 2 text

ຊ೔ͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ޲ • Supply Chain Security ͱ͸ʁ • SBOMͱ͸ʁ • SBOMͷੜ੒ͱ੬ऑੑݕ஌ʹ͍ͭͯ • SBOM๊͕͑Δ՝୊

Slide 3

Slide 3 text

ࠓ೔࿩͞ͳ͍͜ͱ • SBOMͷৄࡉͳ࢓༷ͷղઆ • SBOMͷ੬ऑੑݕ஌ͷৄࡉ

Slide 4

Slide 4 text

ࣗݾ঺հ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project (Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜ੒ͱ੬ऑੑݕ஌Λ࣮૷

Slide 5

Slide 5 text

ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ޲ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ޲

Slide 6

Slide 6 text

ࡢࠓͷ߈ܸͷಈ޲ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑ఺Λѱ༻ͨ͠߈ܸ͕໰୊ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠Δ৘ใηΩϡϦςΟͷ10େڴҖʹ΋ϥϯΫΠϯ͍ͯ͠Δ

Slide 7

Slide 7 text

ࡢࠓͷ߈ܸͷಈ޲ • Sonatype͔Β΋Ϩϙʔτ͕ग़͍ͯΔ • 2020೥ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ

Slide 8

Slide 8 text

Supply Chain Security ͱ͸ʁ

Slide 9

Slide 9 text

Supply Chain ͱ͸ • ιϑτ΢ΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβ΁ಧ͚Δ·Ͱͷϓϩηεͷશମ

Slide 10

Slide 10 text

Supply Chain ͱ͸ • ιϑτ΢ΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβ΁ಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor OSS Artifact Production Server Server / Network Machine

Slide 11

Slide 11 text

Supply Chain Security ͱ͸ Supply Chain Security ͸ 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ • औҾઌ΍ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸ΁ͷରࡦ   λʔήοτاۀͱ΍ΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕௿͍औҾઌ΍ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτ΢ΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ΁ͷରࡦ   ޿͘ར༻͞ΕΔιϑτ΢ΣΞ΍ɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ΢ ΣΞ΍ͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ

Slide 12

Slide 12 text

Supply Chain Security ͱ͸ Supply Chain Security ͸ 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ • औҾઌ΍ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸ΁ͷରࡦ   λʔήοτاۀͱ΍ΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕௿͍औҾઌ΍ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτ΢ΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ   ޿͘ར༻͞ΕΔιϑτ΢ΣΞ΍ɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ΢ ΣΞ΍ιϑτ΢ΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓ೔ͷൣғ ͜Ε͸*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠

Slide 13

Slide 13 text

Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build Server Production Server Artifact OSS

Slide 14

Slide 14 text

Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ৐ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮૷Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτ΢ΣΞ͕ վ͟Μ͞ΕΔՄೳੑ

Slide 15

Slide 15 text

Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ৐ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮૷Λ͍ͯ͠ΔՄೳੑ Artifact ࠓ೔ͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτ΢ΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS

Slide 16

Slide 16 text

OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ৔߹͸ɺαʔόͰ೚ҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell (Java) Event-Stream (Node.js) • 200ສμ΢ϯϩʔυΛ௒͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟΢ΥϨοτΛ౪΋͏ͱ͢Δίʔυ͕஫ೖ͞Ε͍ͯͨ

Slide 17

Slide 17 text

OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ௚઀ґଘ ਪҠతґଘ

Slide 18

Slide 18 text

OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ͸ Ͳ͏͢Ε͹͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ͸ Ͳ͏͢Ε͹͍͍ͷ͔...

Slide 19

Slide 19 text

OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏

Slide 20

Slide 20 text

SBOMͱ͸ʁ

Slide 21

Slide 21 text

SBOMͱ͸ • ιϑτ΢ΣΞͷߏ੒ཁૉΛ෦඼දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ੒͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ࢓༷͸4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX (Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub ஌Βͳ͍…

Slide 22

Slide 22 text

SBOMʹ͍ͭͯ • ιϑτ΢ΣΞͷߏ੒΍ґଘؔ܎Λڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ

Slide 23

Slide 23 text

ԿͷͨΊʹSBOMΛ࢖͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕ஌ͳͲ͕Մೳ ෆಛఆଟ਺ͷιϑτ΢ΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ

Slide 24

Slide 24 text

ͦͷଞͷ༻్ • ։ൃϕϯμʔ΍੡඼ϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτ΢ΣΞɾϥΠηϯεͷ؅ཧ Vendor A Vendor B Vendor C Engineer ੡඼AͷSBOM ιϑτ΢ΣΞBͷSBOM ੡඼CͷSBOM

Slide 25

Slide 25 text

ੈͷதͷಈ޲ • ถࠃͰ͸ɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠͸SBOMͷ࡞੒Λཁ݅Խ͍ͯ͠Δ • ೔ຊͰ΋ɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ

Slide 26

Slide 26 text

σϞ

Slide 27

Slide 27 text

SBOMͷੜ੒ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯

Slide 28

Slide 28 text

σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφ಺ͷɺOSύοέʔδ΍ΞϓϦέʔγϣϯύοέʔδΛղੳ Container

Slide 29

Slide 29 text

σϞͷղઆ ղੳ ग़ྗ • ίϯςφ಺ͷɺOSύοέʔδ΍ΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application Application Library Application Application Library Container

Slide 30

Slide 30 text

ิ଍ • CycloneDXͷSBOMͰ͸ɺ෦඼ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼௚ந৅౓͕ߴͯ͘ɺ࣮૷ͨ͠΋ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍

Slide 31

Slide 31 text

SBOMΛ༻͍ͨ੬ऑੑݕ஌ ࡞੒ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯

Slide 32

Slide 32 text

σϞͷղઆ Container OS OS Package Application Application Library Application Application Library CycloneDX ੬ऑੑݕ஌ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ஌

Slide 33

Slide 33 text

͍··Ͱ ෆಛఆଟ਺ͷιϑτ΢ΣΞϞδϡʔϧ ੬ऑੑݕ஌

Slide 34

Slide 34 text

͜Ε͔Β ෆಛఆଟ਺ͷιϑτ΢ΣΞϞδϡʔϧ ར׆༻ʢྫ͑͹੬ऑੑݕ஌ʣ ଞͷ׆༻ํ๏΋ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ

Slide 35

Slide 35 text

SBOMͰશͯͷιϑτ΢ΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!

Slide 36

Slide 36 text

ͱ͸ͳΒͳ͍…

Slide 37

Slide 37 text

࣮ࡍʹ SBOM Λੜ੒ɺݕ஌͢ΔπʔϧΛ ։ൃ͢Δͱɺଟ਺ͷ՝୊Λݟ͚ͭΔ (CycloneDXͷࣄྫΛ঺հ)

Slide 38

Slide 38 text

1. શͯͷґଘؔ܎ΛՄࢹԽͰ͖ΔΘ͚Ͱ͸ͳ͍ • ίϯςφΛղੳ͢ΔTrivy΍GrypeͳͲͷπʔϧͰ͸ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱ͸Ͱ͖ͳ͍ ΋ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱ΋Ͱ͖ͳ͍

Slide 39

Slide 39 text

2. ʮඪ४ϑΥʔϚοτʯޓ׵ੑ͕͋Δͱ͸ݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓ׵ੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ΋ͪΖΜ͓ޓ͍ͷSBOMͰ͸ਖ਼͘͠ݕ஌Ͱ͖ͳ͍

Slide 40

Slide 40 text

3. ෦඼ͷґଘؔ܎ͷछྨ͕ଟ͗͢Δ • ͦ΋ͦ΋ґଘؔ܎ͱ͸ʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔ܎΋ଘࡏ • μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴΍HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹ͸ෳࡶ͗͢Δ

Slide 41

Slide 41 text

3. ෦඼ͷґଘؔ܎ͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹ͸ෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ܎ DependencyʹΑΔґଘؔ܎

Slide 42

Slide 42 text

4. ࢓༷͕े෼Ͱ͸ͳ͍͜ͱ΋͋Δ • SBOM͸੬ऑੑΛݕ஌͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ࢓༷Ͱ͸ਖ਼͘͠੬ऑੑݕ஌Ͱ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰ͸଍Γͳ͍

Slide 43

Slide 43 text

·ͱΊ • ύοέʔδߏ੒ϑΝΠϧ΍Docker Image͔Β؆୯ʹSBOM͕ੜ੒Ͱ͖Δ • ੜ੒ͨ͠SBOM͔Β੬ऑੑݕ஌͕Մೳ • SBOM͸ࠓ͸·࣮ͩݧஈ֊Ͱ՝୊΋ଟ͘ݟΒΕΔ • ੜ੒͢Δπʔϧͷ࢓༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ • ੜ੒πʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤੡඼ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ͸·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ

Slide 44

Slide 44 text

༨ஊ • SBOMͷະདྷͷ࿩

Slide 45

Slide 45 text

SBOMͷະདྷͷ࿩ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻൑அͰ͖ΔΑ͏ʹ͢Δ͜ͱ Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞੒(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠΋ͷɻ Software Attestation ͸ Digital Identity Attestation ͷҰछ

Slide 46

Slide 46 text

Software Attestationͱ͸ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞੒(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠΋ͷɻ

Slide 47

Slide 47 text

ιϑτ΢ΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτ΢ΣΞ΍ίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩ؅ཧ͢Δ࢓૊Έ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer

Slide 48

Slide 48 text

Slide 49

Slide 49 text

Thank you for attention

Slide 50

Slide 50 text

ͪͳΈʹ SBOMͷ࢓༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ࢓༷ʹߩݙ