Damian
Munoz
Ensuring Trusted Builds Through Transparent Origins: A Tool for Visualizing Provenance and Causal Relationships in OSS Software Supply Chains STEM
Abstract profile. Full document pending author claim.
Authors:
Damian Munoz
Date Created:
Not specified
Course Title:
Professor:
Not specified
About Paper:
Software supply chains are processes that involve multiple parties to build software artifacts and distribute them to computers. By virtue of their complexity, software supply chains have become inscrutable. This inscrutabilty allows hackers to maliciously tamper with software before it is delivered to consumers, which can cause devastating damage (e.g., SOLARBURST [1]). Inscrutability surfaces because the systems that manage these supply chains often lack comprehensive, consistent records of provenance - making it difficult to assess the integrity of a given build. Builds with questionable integrity may become irreproducible, untraceable, or drift over time, making it difficult to assess vulnerabilities. Prior efforts like in-toto provide cryptographic guarantees for metadata tracking, ensuring a tamper-evident record of how software is built. This work presents a visual implementation of a framework that captures how software is assembled by modeling the causal relationships between four core elements: Artifacts, Steps, Resources, and Principals - a structure that was formalized as the AStRA model by Eman Abu Ishgair et al. We use the AStRA model to catalogue and visualize metadata from real-world software supply chains, enabling efficient forensic analysis and trust assessment. To support this, we developed a normalization pipeline that maps heterogeneous metadata into the data structure defined by the AStRA model. The resulting data structure is then rendered as an interactive 3D visualization - a "causal constellation" - that shows how software artifacts were created, by whom, using which tools, and in what order. This visualization module serves as a cog in the larger SBOMCtl system. Keywords: Cybersecurity; Supply-Chains; Provenance; Metadata; Tamper-Evident Systems
Source:
Purdue University / 2025
Topics:
No topics listed
Co-authors:
Damian Munoz