Uncovering Supply Chain Attack with Code Genome Framework (PDF, 30 pages)
#BHUSA @BlackHatEvents

Uncovering Supply Chain Attack with Code Genome Framework
Dhilung Kirat, Jiyong Jang, Doug Schales, Ted Habeck, Ian Molloy, JR Rao

AI Supply Chain Security Team, IBM Research
Dhilung Kirat, Jiyong Jang

$ foo install bar
Signed with a certificate. Lists dependencies. Do you trust it?

"You can't trust code that you did not totally create yourself."
Ken Thompson, Turing Award Lecture, "Reflections on Trusting Trust"

To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

KEN THOMPSON

INTRODUCTION

I thank the ACM for this award. I can't help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX [1] swept into popularity with an industry-wide change from central mainframes to autonomous minis. I suspect that Daniel Bobrow [1] would be here instead of me if he could not afford a PDP-10 and had had to settle for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people.

There is an old adage, "Dance with the one that brought you," which means that I should talk about UNIX. I have not worked on mainstream UNIX in many years, yet I continue to get undeserved credit for the work of others. Therefore, I am not going to talk about UNIX, but I want to thank everyone who has contributed.

That brings me to Dennis Ritchie. Our collaboration has been a thing of beauty. In the ten years that we have worked together, I can recall only one case of miscoordination of work. On that occasion, I discovered that we both had written the same 20-line assembly language program. I compared the sources and was astounded to find that they matched chara