混源操作系统供应链安全风险评估方法研究

doi:10.3969/j.issn.1671-1122.2023.05.006

摘要/Abstract

摘要：

当前软件供应链安全事件频发，对其进行安全风险评估可以发现潜在风险，这是管理安全风险和预防安全事件的重要手段之一。作为信息系统的核心基础软件，混源操作系统广泛应用于政务、电力、金融和通信等重要领域，其供应链安全风险引起业内的高度重视。混源操作系统具有代码来源多样、代码规模大、结构和组件依赖关系复杂的特点，而现有的软件供应链安全风险评估方法不够完善，用于评估供应链安全风险的评估指标不完全适用于混源操作系统。为了解决该问题，文章提出了供应链安全的可溯性、可用性和安全性保障目标，根据这些保障目标分析影响混源操作系统供应链安全的风险因素，并设计了一个可度量的指标体系以评估其安全风险。文章通过实例验证了该指标体系的有效性，并总结阐述了一些可用于评估重要指标的相关技术手段和工具。

关键词: 混源, 操作系统, 供应链安全, 风险因素

Abstract:

At present, software supply chain security incidents occur frequently, and conducting security risk assessments can identify potential risks. This is an important method to manage security risks and prevent security incidents. As the core foundational software of information systems, the mixed source operating system (MSOS) is widely used in the government, power, finance, communication and other important fields, and its supply chain should be paid more attention to. Due to the diverse code sources, large code scale, and complex structure and component dependencies of MSOS, existing software supply chain security risk assessment methods are not fully applicable to MSOS in terms of ensuring goals and indicator systems. To address this issue, the article proposed traceability, availability and security assurance objectives for supply chain security. Based on these assurance objectives, risk factors affecting the supply chain security of MSOS was analyzed, and a measurable indicator system was designed to evaluate its security risk. The effectiveness of the indicator system was verified through examples, and some relevant technical means and tools that can be used to evaluate important indicators were summarized and elaborated.

Key words: mixed source, operating system, security of supply chain, risk factors

中图分类号:

TP309

赵俊, 任怡, 李宝, 谭郁松. 混源操作系统供应链安全风险评估方法研究[J]. 信息网络安全, 2023, 23(5): 50-61.

ZHAO Jun, REN Yi, LI Bao, TAN Yusong. Research on the Supply Chain Security Risk Assessment Methods for Mixed Source Operating System[J]. Netinfo Security, 2023, 23(5): 50-61.

图/表 7

图1

表1

图2

图3

图4

图5

表2

参考文献 22

[1]	Qi’anxin Code Security Laboratory. 2022 China Software Supply Chain Security Analysis Report[EB/OL]. (2022-07-26)[2022-11-19]. https://www.qianxin.com/threat/r-portdetail?report_id-161.
	奇安信代码安全实验室. 2022中国软件供应链安全分析报告[EB/OL]. (2022-07-26)[2022-11-19]. https://www.qianxin.com/threat/r-portdetail?report_id-161.
[2]	MARC O, HENRIK P, ARNOLD S, et al. A Review of Open Source Software Supply Chain Attacks[EB/OL]. (2020-05-19)[2022-11-13]. https://arxiv.org/abs/2005.09535.
[3]	BLESSMAN D. Protecting Your Software Supply Chain[J]. Risk Management, 2019, 66(1): 10-11.
[4]	ELLISON R J, WOODY C. Supply-Chain Risk Management: Incorporating Security into Software Development[C]// IEEE. 2010 43rd Hawaii International Conference on System Sciences. New York: IEEE, 2010: 1-10.
[5]	YAN Dapeng, NIU Yuqing, LIU Kui, et al. Estimating the Attack Surface from Residual Vulnerabilities in Open Source Software Supply Chain[EB/OL]. (2021-12-06)[2022-11-13]. https://ieeexplore.ieee.org/document/9724801.
[6]	BARTOL N. Cyber Supply Chain Security Practices DNA-Filling in the Puzzle Using a Diverse Set of Disciplines(Article)[J]. Technovation, 2014, 34(7): 354-361. doi: 10.1016/j.technovation.2014.01.005 URL
[7]	ZHAI Yanfen, ZENG Jin, YUAN Wei, et al. Software Supply Chain Risk Assessment System and Practice[J]. Cybersecurity & Informatization, 2022(2): 33-34.
[8]	ALBERTS C J, DOROFEE A J, CREEL R, et al. A Systemic Approach for Assessing Software Supply-Chain Risk[C]// IEEE. 2011 44th Hawaii International Conference on System Sciences. Piscataway: IEEE, 2011: 1-8.
[9]	REN Yi, GUAN Jianbo, MA Jun, et al. CLASC: A Changelog Based Automatic Code Source Classification Method for Operating System Packages[C]// IEEE. 2019 26th Asia-Pacific Software Engineering Conference (APSEC). Piscataway: IEEE, 2019: 378-385.
[10]	ZHAO Liang. Analysis of Impact of Open Source Components in Mixed Source Software Projects[J]. Computer Science, 2020, 47(S2): 541-543, 583.
	赵亮. 混源软件项目中的开源组件影响分析[J]. 计算机科学, 2020, 47(S2): 541-543, 583.
[11]	LIANG Guanyu, WU Yanjun, WU Jingzheng, et al. Open Source Software Supply Chain for Reliability Assurance of Operating Systems[J]. Journal of Software, 2020, 31(10): 3056-3073.
	梁冠宇, 武延军, 吴敬征, 等. 面向操作系统可靠性保障的开源软件供应链[J]. 软件学报, 2020, 31(10): 3056-3073.
[12]	POORNALINGA K S, RAJKUMAR P. Survey on Continuous Integration, Deployment and Delivery in Agile and DevOps Practices[J]. International Journal of Computer Sciences and Engineering, 2016, 4(4): 213-216.
[13]	TAVANA M, SOLTANIFAR M, SANTOS-ARTEAGA F J. Analytical Hierarchy Process: Revolution and Evolution[EB/OL]. (2021-12-02)[2022-11-13]. https://link.springer.com/article/10.1007/s10479-021-04432-2.
[14]	Xin’anmeng Company, NSFOCUS. White Paper on Software Supply Chain Security Technology[EB/OL]. (2022-07-18)[2022-11-13]. https://www.nsfocus.com.cn/html-2022/263_0718/1-86.html.
	新安盟公司,绿盟科技公司. 软件供应链安全技术白皮书[EB/OL]. (2022-07-18)[2022-11-13]. https://www.nsfocus.com.cn/html-2022/263_0718/1-86.html.
[15]	JANG Jiyong, AGRAWAL A, BRUMLEY D. ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions[C]// IEEE. 2012 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2012: 48-62.
[16]	CRISTIAN C, DANIEL D, DAWSON E. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs[C]// USENIX. Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation(OSDI’08). Berkeley: USENIX, 2008: 209-224.
[17]	ENGLER D, CHEN D Y, HALLEM S, et al. Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code[J]. SIGPS Operating Systems Review, 2001, 35(5): 57-72.
[18]	SUTTON M, GREENE A, AMINI P. Fuzzing: Brute Force Vulnerability Discovery[M]. London: Addison-Wesley Professional, 2007.
[19]	NEWSOME J. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software[J]. Chinese Journal of Engineering Mathematics, 2005, 29(5): 720-724.
[20]	GUO Min, NI Chen, LU Lin. The Practice of Interactive Application Security Testing in Level Evaluation[J]. Netinfo Security, 2019 (S1): 56-59.
	郭敏, 倪辰, 陆琳. 交互式应用安全测试在等级测评中的实践[J]. 信息网络安全, 2019(S1):56-59.
[21]	YU Bo, FANG Ying, YANG Qiang, et al. A Survey of Malware Behavior Description and Analysis[J]. Frontiers of Information Technology & Electronic Engineering, 2018, 19(5): 583-603.
[22]	ROYCE D. The Art of Network Penetration Test[M] Beijing: Beijing University of Aeronautics and Astronautics Press, 2022.
	ROYCE D. 网络渗透测试的艺术[M]. 北京: 北京航空航天大学出版社, 2022.

风险因素	供应链保障目标	供应链实体要素
可溯性风险	可溯性	全要素
管制风险	可用性	代码工具
知识产权风险		代码
运营风险		开源社区生产组织
植入和篡改风险	安全性	代码
预留后门风险		代码
代码脆弱性风险		代码

评估指标	风险因素	评估对象	评估结果
分析文档	可溯性风险	对软件包的供应方、版本迭代、许可协议和依赖关系等信息掌握是否清楚，对源代码是否有完善的分析与注释	A级：80~100分 B级：70~79分 C级：60~69分 D级：60分以下
地理位置	管制风险	项目的实际控制者及发布平台所在地是否有针对信息技术领域产品出口的相关禁令
开源许可协议	知识产权风险	项目采用什么类型的开源许可协议（开放型、弱传染型、强传染型）以及项目内各组件之间是否存在许可协议冲突
贡献者数量	运营风险	项目的贡献维护者数量与项目规模的比例是否保持稳定
软件包更新频率	运营风险	项目是否能保持稳定更新
归属性质	运营风险、预留后门风险	项目归属于个人控制还是归属于开源组织，若归属于开源组织，开源组织的规模如何
漏洞响应速度	运营风险、代码脆弱性风险	项目中漏洞的平均修复时间
平台安全性	植入和篡改风险	项目源代码发布平台的安全加固措施是否完善，是否采用符合标准的安全协议和其他完整性校验手段
历史漏洞	代码脆弱性风险	过去3年内项目中包含的CVE漏洞数量与项目有效代码行数的比值
安全扫描	植入和篡改风险、预留后门风险、代码脆弱性风险	使用安全测试工具对项目进行安全扫描，获取扫描发现的安全漏洞的CVSS评分