信息网络安全 ›› 2023, Vol. 23 ›› Issue (5): 50-61.doi: 10.3969/j.issn.1671-1122.2023.05.006

• 技术研究 • 上一篇    下一篇

混源操作系统供应链安全风险评估方法研究

赵俊, 任怡(), 李宝, 谭郁松   

  1. 国防科技大学计算机学院,长沙 410073
  • 收稿日期:2022-12-27 出版日期:2023-05-10 发布日期:2023-05-15
  • 通讯作者: 任怡 E-mail:renyi@nudt.edu.cn
  • 作者简介:赵俊(1990—),男,新疆,硕士研究生,主要研究方向为操作系统与软件供应链|任怡(1977—),女,陕西,研究员,博士,主要研究方向为操作系统、大规模混源软件代码特征分析、云计算与虚拟化|李宝(1982—),男,山东,副研究员,博士,主要研究方向为云边协同计算、操作系统和智能处理|谭郁松(1976—),男,江西,研究员,博士,主要研究方向为知识图谱、操作系统和计算机体系结构
  • 基金资助:
    国家自然科学基金(U19A2060)

Research on the Supply Chain Security Risk Assessment Methods for Mixed Source Operating System

ZHAO Jun, REN Yi(), LI Bao, TAN Yusong   

  1. College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China
  • Received:2022-12-27 Online:2023-05-10 Published:2023-05-15
  • Contact: REN Yi E-mail:renyi@nudt.edu.cn

摘要:

当前软件供应链安全事件频发,对其进行安全风险评估可以发现潜在风险,这是管理安全风险和预防安全事件的重要手段之一。作为信息系统的核心基础软件,混源操作系统广泛应用于政务、电力、金融和通信等重要领域,其供应链安全风险引起业内的高度重视。混源操作系统具有代码来源多样、代码规模大、结构和组件依赖关系复杂的特点,而现有的软件供应链安全风险评估方法不够完善,用于评估供应链安全风险的评估指标不完全适用于混源操作系统。为了解决该问题,文章提出了供应链安全的可溯性、可用性和安全性保障目标,根据这些保障目标分析影响混源操作系统供应链安全的风险因素,并设计了一个可度量的指标体系以评估其安全风险。文章通过实例验证了该指标体系的有效性,并总结阐述了一些可用于评估重要指标的相关技术手段和工具。

关键词: 混源, 操作系统, 供应链安全, 风险因素

Abstract:

At present, software supply chain security incidents occur frequently, and conducting security risk assessments can identify potential risks. This is an important method to manage security risks and prevent security incidents. As the core foundational software of information systems, the mixed source operating system (MSOS) is widely used in the government, power, finance, communication and other important fields, and its supply chain should be paid more attention to. Due to the diverse code sources, large code scale, and complex structure and component dependencies of MSOS, existing software supply chain security risk assessment methods are not fully applicable to MSOS in terms of ensuring goals and indicator systems. To address this issue, the article proposed traceability, availability and security assurance objectives for supply chain security. Based on these assurance objectives, risk factors affecting the supply chain security of MSOS was analyzed, and a measurable indicator system was designed to evaluate its security risk. The effectiveness of the indicator system was verified through examples, and some relevant technical means and tools that can be used to evaluate important indicators were summarized and elaborated.

Key words: mixed source, operating system, security of supply chain, risk factors

中图分类号: