SCAN (Source Code Attestation Network)
Vinod Panicker, Distinguished Member Technical Staff
17-12-2017
© 2017 Wipro, wipro.com, confidential

About me: Vinod Panicker
Expert in open source, automation, AI and crowdsourcing platforms with 18+ years of experience in software development.
Co-Creator
• Openconnect Virtual Env (OVE): Environment Provisioning Solution.
• Openconnect: inner sourcing platform.
• Cyber Scraper: Digital Asset Management for maintenance projects.
• Wipro UT, Wipro CodeChecker, and a few more.
Specializations
• Mentoring open source projects; expertise in code partitioning, open source licensing and open source research.
Patents
• Granted: Cyber Scraper: System and method for automating identification and download of web assets or web artefacts.
• Filed: 269089: Method and system for generation of reusable design patterns; 275183: Source Code Auditor with a customized Rules Builder.

Open Source is here to stay…
• 65% of companies are contributing to open source*
• 59% are doing so to gain a competitive edge…
So is there a lack of TRUST???
*Open Source Survey, https://www.blackducksoftware.com/2016-future-of-open-source

Open Source Code Management Systems
• Monitor and alert when new threats are reported
• Fully discover all open source in your code
• Set and enforce open source policies
• Map components to known vulnerabilities
• Identify license and component quality risks
• Seamless integration into your DevOps environment

SCAN
Source Code Attestation Network (SCAN) is a proposed code attestation network for self-attesting open source code. SCAN makes use of Decentralized Digital Identity to determine the provenance of source code. SCAN is a public permissioned blockchain network that can help in the validation of verifiable claims with respect to the origin, license and usage of source code. SCAN will help in determining source code provenance in a transparent manner.

SCAN: Features
• Distributed Ledger as world view of open source code
• Self Attestation of Source Code
• Represents source code as Source Code Units (SCU)
• Peer-2-Peer Attestation
• Store Hub / Registry
• DID/DDO/Proofs
• Trust Anchor Model (Issuer, Verifier, Prover)
• ZKP (Zero Knowledge Proofs)
SCAN Services
• Attestation
• Repudiation
• Validation

How Does SCAN Work (diagram)
• Ledger: Observer Nodes of the Ledger, Validator Nodes of the Ledger; READ and WRITE access
• Participants, each running a SCAN agent: Org 1 (Actuator, Owner), Org 2 (Prover), Org 3 (Holder)
• Diagram labels: Claim Request, Peer-2-Peer Attestation, Verify Claim

SCAN Components
Blockchain Protocol Layer
• Ledger
• Validator Nodes
• Observer Nodes
Off-chain Components
Agents
• Source code Parsers (AST)
• DID generators for SCU
• SCU Combiner: managing granularity of SCU
• Deduplication Tools
• Audit Tools / System Connectors

TRUST Model (diagram)
• Repo-Registry (Issuer)
• SCAN (Verifier)
• Ledger
• Org 1 (Actuator), Org 2 (Prover), Org 3 (Holder): each with a SCAN Client, Wrapper, agent, wallet and SCAN Connectors

SCAN Services
Provides proofs of code commits, open source usage and open source license, based on verified claims raised against public source code repositories.
SCAN Services Overview:
• Organization uploads Source Code Units and their SCU-DIDs
• Claims on an SCU DID are verified and self-signed by Validator Nodes & Trust Anchors
• Digital, hashed representation of the SCU
• Encrypted SCU DIDs will be stored in the blockchain
• SCU DID encrypted and stored in the Storage Hub
• 3rd party service providers request claims; when SCU owners provide consent, the SCU proofs are shared with the 3rd party after a digital handshake

Consensus (built-in)
Consensus based on:
• Proof Of Code Commit (POCC): based on public code repositories
• Proof Of open source Usage (POU): based on verified claims in the SCAN ID Hub as usage proof
• Proof Of Applied open source License (POAL): precedence of license made available

Sustaining SCAN
• Community driven governance model
• Rotation of Foundation Members
• Credibility on SCAN Trust Anchor (add more participants)
• Incentives for sharing proofs
• Organize events and hackfests to upload public repos
• Open source from day one.

SCAN Roll out
M1: Prototype
• SCAN metadata capture
• SCAN Connectors, SCAN Agents
• POCC, POU, POAL
• Self attestation, Trust Anchors
• SCU DID/DDO on Storage Hub
• SCU DID Verification via SCAN
M2: Develop Client Components
• Libraries
• CLIs
• APIs
• TestNets
• Dashboard DApp
M3: Foundation, Extension and Plugin
• Launch Foundation
• Community Initiatives
• Services Plugins
• Deduplication
• Extend to other Repositories and Existing Tools
M4: Offer SCAN based Services
• Source code Attestation
• Repudiation
• Validation
• Foundation
• Crowd sourcing SCAN Services
• SCAN incentives to organizations: first to disclose, claim SCU
Timeline phases: Bootstrap SCAN, Sustaining SCAN, Community Building, Expanding SCAN (adding participants)

Summary of Benefits
• SCAN has the potential to disintermediate the code audit process.
• Improves developer productivity.
• Decentralized Digital Identity for Source Code.
• Disclose only what you must about your code with ZKPs.
• Enables better collaboration between organizations.
• Can put together a world view of open source code giving due credit to original authors and contributors.

Thank you…
Vinod Panicker, Distinguished Member Technical Staff - SM
LinkedIn/vinodpanicker

Open Source Code Strategy
• Open vs Closed source project execution strategies.
• Break access barriers, dropping costs to gain competitive edge.
• Subscription Models.
• Establish Trust and Credibility.
• Communities based product delivery and support models.

Foundation
• Community Support
• Governance
• Sustenance
• Not for Profit.

Design Considerations
• Pluggable/Swappable modules.
• API based access.
• Open source and scales well on commodity hardware.
• Comply with open standards.
• Pluggable blockchain components; supports multiple blockchain protocols.
• Common tool chain for development, deployment and operations across multiple blockchain frameworks.
• On Premise / On Cloud.
• Automated nodes & network provisioning.
• Designed for crowdsourcing.

Type of Claims
• Has_Duplicate
• Has_Usage
• Has_Valid_License
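The services overview and the claim types above rest on two ideas the deck states but does not show in code: a Source Code Unit is identified by a hash of its content, and a claim about that unit is self-signed by the prover and checked by a verifier against registered trust anchors. The following is an added illustration written for this page, not SCAN's own code (the slides specify no DID method, DDO format or ledger protocol). Ed25519 signing, the `did:scu:` identifier prefix, JSON canonicalization, the whitespace normalization rules, the sample key pair and the sample source are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SCU is a Source Code Unit: one blob of source identified by the hash of its
// normalized content. The "did:scu:" prefix is an illustrative method name
// chosen for this example, not SCAN's real DID scheme (assumption).
type SCU struct {
	ID     string `json:"id"`
	SHA256 string `json:"sha256"`
}

// normalize keeps the identifier stable across checkouts: CRLF becomes LF and
// trailing whitespace is stripped, so a re-saved copy still hashes the same.
func normalize(src string) string {
	src = strings.ReplaceAll(src, "\r\n", "\n")
	lines := strings.Split(src, "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return strings.Join(lines, "\n")
}

// NewSCU derives the hashed representation of a unit of source.
func NewSCU(source string) SCU {
	sum := sha256.Sum256([]byte(normalize(source)))
	h := hex.EncodeToString(sum[:])
	return SCU{ID: "did:scu:" + h, SHA256: h}
}

// Claim is what a Prover asserts about an SCU. Type is one of the claim types
// on the slide (Has_Duplicate, Has_Usage, Has_Valid_License).
type Claim struct {
	SCU    string `json:"scu"`
	Type   string `json:"type"`
	Value  string `json:"value"`
	Issuer string `json:"issuer"` // hex-encoded Ed25519 public key of the signer
}

// SignedClaim is a self-signed claim: the claim plus the issuer's signature.
type SignedClaim struct {
	Claim     Claim  `json:"claim"`
	Signature string `json:"signature"`
}

// canonical gives deterministic bytes to sign: encoding/json emits struct
// fields in declaration order, so prover and verifier serialize identically.
func canonical(c Claim) []byte {
	b, _ := json.Marshal(c)
	return b
}

// SignClaim is the Prover's side: bind the claim to the signer's key and sign.
func SignClaim(c Claim, priv ed25519.PrivateKey) SignedClaim {
	c.Issuer = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	sig := ed25519.Sign(priv, canonical(c))
	return SignedClaim{Claim: c, Signature: hex.EncodeToString(sig)}
}

// VerifyClaim is the Verifier's side: the presented source must hash to the
// SCU the claim names, the issuer must be a registered trust anchor, and the
// signature must verify over the canonical claim bytes.
func VerifyClaim(sc SignedClaim, source string, trustAnchors map[string]bool) error {
	if got := NewSCU(source).ID; got != sc.Claim.SCU {
		return fmt.Errorf("claim names %s but presented source hashes to %s", sc.Claim.SCU, got)
	}
	if !trustAnchors[sc.Claim.Issuer] {
		return errors.New("issuer is not a registered trust anchor")
	}
	pub, err := hex.DecodeString(sc.Claim.Issuer)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed issuer key")
	}
	sig, err := hex.DecodeString(sc.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), canonical(sc.Claim), sig) {
		return errors.New("signature does not verify: claim or issuer was altered")
	}
	return nil
}

func main() {
	// Constructed sample: a trust anchor key pair and a tiny source unit.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	anchors := map[string]bool{hex.EncodeToString(pub): true}
	src := "// SPDX-License-Identifier: Apache-2.0\r\npackage demo  \r\n"

	scu := NewSCU(src)
	sc := SignClaim(Claim{SCU: scu.ID, Type: "Has_Valid_License", Value: "Apache-2.0"}, priv)
	fmt.Println("verify original:", VerifyClaim(sc, src, anchors))
	fmt.Println("verify tampered source:", VerifyClaim(sc, src+"extra line\n", anchors))
	sc.Claim.Value = "MIT"
	fmt.Println("verify altered claim:", VerifyClaim(sc, src, anchors))
}
```

The three checks in `VerifyClaim` map onto the roles on the Trust Model slide: the hash comparison ties the claim to the code actually presented, the trust-anchor lookup is the Issuer/Verifier relationship, and the signature check is what makes the claim self-attested rather than merely asserted. A ledger entry would carry the `SignedClaim`, not the source, which is why the hashed representation matters.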

SCU-DID

SCU-DDO

Blockchain Identity

DI Stack

Roadmap
M1: Prototype
• SCAN metadata capture
• SCAN Connectors, SCAN Agents
• POCC, POU, POAL
• Self attestation, Trust Anchors
• SCU DID/DDO on Storage Hub
• SCU DID Verification via SCAN
M2: Foundation, Extension and Plugin
• Launch Foundation
• Community Initiatives
• Services Plugins
• Deduplication
• Extend to other Repositories and Existing Tools
M3: Develop Client Components
• Libraries
• CLIs
• APIs
• TestNets
• Dashboard DApp
M4: Offer SCAN based Services
• Source code Attestation
• Repudiation
• Validation

Technologies
• Hyperledger project as base blockchain framework
• Distributed Apps: JavaScript frameworks, ReactJS
• Hybrid Mobile App
• DevOps tools: Ansible/Docker