Scudo: End-to-End Vehicle Software Security from Uptane and in-toto

This spring, the Uptane project introduced Scudo, a comprehensive secure framework that can deliver end-to-end software supply chain protection for computing units on automobiles. Named after the Italian word for shield, Scudo integrates the compromise resilience and secure delivery mechanisms of Uptane with the proven supply chain security mechanism of in-toto. The resulting framework offers a timely response to threats against an emerging attack surface (automotive electronic control units, or ECUs) at a point in time when both industry standards and government regulations are calling for improved protection of the software lifecycle across all industries.

As described in Scudo: A Proposal for Resolving Software Supply Chain Insecurities in Vehicles, an Uptane whitepaper originally published May 22, 2022, and updated in July, the framework ensures that the images being uploaded by the Uptane framework are free of tampering. It can offer this assurance because of the signed metadata in-toto generates at each step in the development, packaging, testing and delivery of a software image. This metadata attests to the authenticity of the image and allows a client to verify who performed each step and in what order. If the signature or the information in the metadata is different from what was intended, Scudo will reject it.

Scudo brings to the solution of supply chain insecurity two established open source technologies. For the past five years, Uptane has been a mainstay in secure software update systems used by a number of original equipment manufacturers (OEMs). While in-toto is new to the automotive space, it has been widely integrated into open source projects, such as Sigstore, GitLab, and Reproducible Builds. Even SolarWinds, which ignited much of the recent concern about supply chain vulnerabilities when its software update mechanism inadvertently introduced malware that led to massive data breaches, adopted in-toto as part of its re-designed security system. in-toto is also a core part of SLSA, the industry's leading software supply chain best practices framework.

The whitepaper offers a very high-level conceptual design of how Scudo works (see diagram). A supply chain orchestrator signs the image to be uploaded, and its associated in-toto metadata, and maps the relevant metadata to a corresponding layout.
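To make the verification the post describes concrete, here is an added, self-contained toy version of the in-toto pattern: each supply chain step (build, test) records the hashes of what it consumed and produced in a signed "link", a layout names the steps in order and the key allowed to sign each, and the verifier rejects a chain whose signatures, signers, or hash chain do not match before the image is accepted for upload. This is illustration code, not Uptane's or in-toto's own implementation; HMAC-SHA256 with a per-functionary secret stands in for the asymmetric signatures real in-toto uses, and all step names, key ids, and artifacts are constructed here.

```python
"""Toy in-toto style link/layout verification (added illustration, not
project code). HMAC-SHA256 stands in for the ed25519/RSA signatures that
real in-toto link metadata carries; the shape of the check is the point:
signature -> authorized signer per step -> step order -> materials of each
step equal products of the previous step -> final product is the image."""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_link(step, key_id, key, materials, products):
    """A functionary records what it consumed (materials) and produced
    (products) for one step, then signs the record with its own key."""
    body = {
        "step": step,
        "materials": {name: sha256(b) for name, b in materials.items()},
        "products": {name: sha256(b) for name, b in products.items()},
    }
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"signed": body, "keyid": key_id, "sig": sig}


def verify_links(layout, links, keys, image):
    """Return (ok, reason). Walks the layout's steps in order and rejects on
    the first mismatch, the way an orchestrator would before signing the image."""
    prev_products = None
    for expected in layout["steps"]:
        name = expected["name"]
        link = links.get(name)
        if link is None:
            return False, f"missing link for step {name}"
        if link["keyid"] != expected["keyid"]:
            return False, f"step {name} signed by unauthorized key {link['keyid']}"
        key = keys[expected["keyid"]]
        want = hmac.new(key, canonical(link["signed"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, link["sig"]):
            return False, f"bad signature on step {name}"
        if link["signed"]["step"] != name:
            return False, f"link claims step {link['signed']['step']}, expected {name}"
        # Chain rule: what this step consumed must be exactly what the last step produced
        if prev_products is not None and link["signed"]["materials"] != prev_products:
            return False, f"materials of {name} do not match products of previous step"
        prev_products = link["signed"]["products"]
    # The artifact handed to the update framework must be the chain's final product
    if prev_products.get(layout["final_product"]) != sha256(image):
        return False, "image to upload does not match final step products"
    return True, "ok"


def build_demo():
    """Constructed scenario: a good chain, a chain where the firmware was
    altered between build and test, and a chain with a step signed by the
    wrong functionary's key."""
    keys = {"build-key": b"constructed-build-secret", "test-key": b"constructed-test-secret"}
    source = b"int main(void) { return 0; }"
    firmware = b"\x7fELF constructed firmware image"
    layout = {
        "steps": [{"name": "build", "keyid": "build-key"},
                  {"name": "test", "keyid": "test-key"}],
        "final_product": "firmware.bin",
    }
    good = {
        "build": sign_link("build", "build-key", keys["build-key"],
                           {"main.c": source}, {"firmware.bin": firmware}),
        "test": sign_link("test", "test-key", keys["test-key"],
                          {"firmware.bin": firmware}, {"firmware.bin": firmware}),
    }
    # Tampering: the binary tested (and shipped) is not the binary that was built
    altered = firmware + b"\x90"
    tampered = dict(good)
    tampered["test"] = sign_link("test", "test-key", keys["test-key"],
                                 {"firmware.bin": altered}, {"firmware.bin": altered})
    # Wrong signer: the build link carries a valid signature, but from the test key
    wrongkey = dict(good)
    wrongkey["build"] = sign_link("build", "test-key", keys["test-key"],
                                  {"main.c": source}, {"firmware.bin": firmware})
    return {
        "good": verify_links(layout, good, keys, firmware),
        "tampered": verify_links(layout, tampered, keys, altered),
        "wrongkey": verify_links(layout, wrongkey, keys, firmware),
    }


if __name__ == "__main__":
    for case, result in build_demo().items():
        print(f"{case}: {result}")
```

The "tampered" case is the one the post's "free of tampering" claim is about: the test step's own signature is perfectly valid, yet the chain is rejected because its materials no longer match the build step's products. The "wrongkey" case shows why the layout, not just the links, matters: a signature alone proves someone signed, while the layout says who was allowed to.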