2nd KTH Workshop on the Software Supply Chain

workshop cover image

Welcome to the 2nd KTH Workshop on the Software Supply Chain. This workshop is organized in the context of the CHAINS research project.


Time Event
0900 Introduction
0930 Keynote "End User Supply Chain Attacks and Defenses", by Christian Collberg (slides)
1030 Break
1100 "A (slightly) Wider View on Software Supply", Mats Jonsson (SEB)
1130 "Challenges of Producing Software Bill Of Materials for Java" by Aman Sharma, Martin Wittlinger, et al (KTH) (slides)
1200 Lunch
1400 Keynote "Building Blocks for a Safe(r) Open Source Software Supply Chain: Reproducible Builds and Software Heritage", by Stefano Zacchiroli (slides)
1500 Fika
1530 "The Software Supply Chain of Crypto and Decentralization" by Martin Monperrus (KTH)
1600 Talk by Mark Strande (Klarna)
1630 Closing

Keynote speakers

Stefano Zacchiroli

stefano zacchiroli

Building Blocks for a Safe(r) Open Source Software Supply Chain:Reproducible Builds and Software Heritage


Securing the software supply chain, in particular when it comes to its free/open source software (FOSS) components, is all the rage now. Applied researchers, industry consortia, and practitioners alike are trying out a variety of approaches looking for the ones that will stick. In this talk we will review two building blocks for a safe(r) FOSS supply chain that are seeing significant adoption.

On the one hand Reproducible Builds [1] enables downstream users of FOSS products, whose source code they trust, to establish trust in binary versions of the same products built by untrusted 3rd parties. On the other hand Software Heritage [2] has assembled the largest public archive of software source code a version control system information, providing traceability at the scale of public source code with strong integrity guarantees.

[1] https://reproducible-builds.org/

[2] https://www.softwareheritage.org/

Speaker Bio

Stefano Zacchiroli is full professor of computer science at Télécom Paris, Polytechnic Institute of Paris. His current research interests span digital commons, open source software engineering, computer security, and the software supply chain. He is co-founder and CTO of Software Heritage, the largest public archive of software source code. He is a Debian developer since 2001, where he served as Debian project leader from 2010 to 2013, and a member of the Reproducible Builds steering committee. He is a former board director of the Open Source Initiative (OSI) and recipient of the 2015 O’Reilly Open Source Award.

Christian Collberg

christian collberg

End User Supply Chain Attacks and Defenses


In this talk, we will discuss supply chain attacks that occur at two particular points of the chain. First, we will consider attacks by compromised build tools (i.e. perpetrated by the tool author), and second, attacks that occur at the end of the chain, i.e perpetrated by application end-users. We will then consider Software Protection algorithms that can mitigate such attacks, including diversification, watermarking, tamperproofing, and obfuscation. Finally, we will discuss the design and use of the Tigress software protection tool.

Speaker Bio

Christian Collberg is a Professor and Interim Head of Department in the Department of Computer Science at the University of Arizona. His main research interest is computer security, in particular the so-called Man-At-The-End Attack which occurs in settings where an adversary has physical access to a device and compromises it by tampering with its hardware or software. He received his PhD from Lund University, Sweden, and, prior to moving to Arizona, taught for 5 years at the University of Auckland, New Zealand. He is the author of the first comprehensive textbook on software protection, “Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection” and the premier open software protection tool, “Tigress” (https://tigress.wtf).