50 Years of Open Source Software Supply Chain Security: From Multics to the xz Attack

2025-04-07

This article explores the challenges of open source software supply chain security over the past five decades. From potential backdoors identified in a 1974 Multics security evaluation to the 2024 xz compression library backdoor attack, the problem persists. Russ Cox, a core developer of the Go programming language, draws on personal experience and industry examples to discuss definitions of supply chain attacks and vulnerabilities, the complexity of software supply chains, and methods for strengthening defenses. These include software authentication, reproducible builds, rapid vulnerability discovery and patching, and vulnerability prevention strategies. The article highlights how the underfunding of open source software leaves projects vulnerable to malicious actors, as illustrated by the xz attack. Ultimately, the author calls for increased funding and improved security practices in open source to address evolving threats.


AWS's Systems Correctness: A Multifaceted Approach

2025-04-01

Amazon Web Services (AWS) employs a robust system correctness strategy combining formal and semi-formal methods to deliver reliable services. Initially relying on TLA+ for modeling critical systems, AWS identified and eliminated subtle bugs early in development. The introduction of the P programming language, a more developer-friendly state machine language, further enhanced their approach, playing a crucial role in migrations like Amazon S3's move to strong consistency. Lightweight methods such as property-based testing, deterministic simulation, and fuzzing are also widely used. AWS further bolstered resilience with the launch of FIS (Fault Injection Service). For critical security boundaries, formal proofs, as seen in the development of Cedar and Firecracker, guarantee correctness. This multifaceted approach not only ensures reliability but also drives performance optimization and cost reduction.
