Welcome to the 2nd KTH Workshop on the Software Supply Chain. This workshop is organized in the context of the CHAINS research project.
| Time | Talk |
|---|---|
| 0930 | Keynote "End User Supply Chain Attacks and Defenses", by Christian Collberg (slides) |
| 1100 | "A (slightly) Wider View on Software Supply", Mats Jonsson (SEB) |
| | "Challenges of Producing Software Bill Of Materials for Java" by Aman Sharma, Martin Wittlinger, et al. (KTH) |
| 1400 | Keynote "Building Blocks for a Safe(r) Open Source Software Supply Chain: Reproducible Builds and Software Heritage", by Stefano Zacchiroli (slides) |
| | "The Software Supply Chain of Crypto and Decentralization" by Martin Monperrus (KTH) |
| 1600 | Talk by Mark Strande (Klarna) |
Building Blocks for a Safe(r) Open Source Software Supply Chain: Reproducible Builds and Software Heritage
Securing the software supply chain, in particular when it comes to its free/open source software (FOSS) components, is all the rage now. Applied researchers, industry consortia, and practitioners alike are trying out a variety of approaches looking for the ones that will stick. In this talk we will review two building blocks for a safe(r) FOSS supply chain that are seeing significant adoption.
On the one hand, Reproducible Builds enables downstream users of FOSS products, whose source code they trust, to establish trust in binary versions of the same products built by untrusted third parties. On the other hand, Software Heritage has assembled the largest public archive of software source code and version control system information, providing traceability at the scale of public source code with strong integrity guarantees.
Stefano Zacchiroli is full professor of computer science at Télécom Paris, Polytechnic Institute of Paris. His current research interests span digital commons, open source software engineering, computer security, and the software supply chain. He is co-founder and CTO of Software Heritage, the largest public archive of software source code. He has been a Debian developer since 2001, served as Debian project leader from 2010 to 2013, and is a member of the Reproducible Builds steering committee. He is a former board director of the Open Source Initiative (OSI) and recipient of the 2015 O'Reilly Open Source Award.
End User Supply Chain Attacks and Defenses
In this talk, we will discuss supply chain attacks that occur at two particular points of the chain. First, we will consider attacks by compromised build tools (i.e., perpetrated by the tool author), and second, attacks that occur at the end of the chain (i.e., perpetrated by application end-users). We will then consider software protection algorithms that can mitigate such attacks, including diversification, watermarking, tamperproofing, and obfuscation. Finally, we will discuss the design and use of the Tigress software protection tool.
Christian Collberg is a Professor and Interim Head of Department in the Department of Computer Science at the University of Arizona. His main research interest is computer security, in particular the so-called Man-At-The-End Attack which occurs in settings where an adversary has physical access to a device and compromises it by tampering with its hardware or software. He received his PhD from Lund University, Sweden, and, prior to moving to Arizona, taught for 5 years at the University of Auckland, New Zealand. He is the author of the first comprehensive textbook on software protection, “Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection” and the premier open software protection tool, “Tigress” (https://tigress.wtf).