Google proposes new framework to prevent software supply chain attacks
Google defines SLSA as an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.
In view of the rising supply chain integrity attacks, Google has proposed a new solution called "Supply chain Levels for Software Artifacts" or SLSA to mitigate threats across the software supply chain.
Google defines SLSA as an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. The solution is inspired by Binary Authorization for Borg (BAB), an internal deploy-time enforcement check that minimizes insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized. BAB has been in use for the past 8+ years and is mandatory for all of Google's production workloads.
"SLSA is designed to be incremental and actionable and to provide security benefits at every step. Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to the source - something that is difficult, if not impossible, to do with most software today," Google wrote in a blog post.
SLSA has four levels:
- SLSA 1 - offers a basic level of source identification and may aid in vulnerability management. It does not protect against tampering or forging.
- SLSA 2 - at this level, the provenance prevents tampering to the extent that the build service is trusted.
- SLSA 3 - provides much stronger protections against tampering than earlier levels by preventing specific classes of threats, such as cross-build contamination.
- SLSA 4 - currently the highest level, it gives the consumer a high degree of confidence that the software has not been tampered with.
A proof of concept for the SLSA 1 provenance generator has already been released.
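As an added illustration (not code from Google or the SLSA project) of what a consumer does with such provenance: a Python check that recomputes the artifact's digest, matches it against the provenance subject, confirms the builder is one the consumer trusts (the SLSA 2 condition above), and recovers the source repository the build claims, which is the traceability Google describes. The statement layout follows the in-toto Statement with the SLSA v0.1 provenance predicate as published; the builder, repository and digests are constructed, and signature verification of the envelope is assumed to have happened before this check.

```python
import hashlib

# Constructed artifact and a constructed provenance statement laid out like an
# in-toto Statement carrying the SLSA v0.1 provenance predicate (assumption: the
# field names mirror the published format; every value below is made up).
ARTIFACT = b"hello, supply chain\n"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.1",
    "predicate": {
        "builder": {"id": "https://builder.example/ci@v1"},  # hypothetical builder
        "recipe": {"type": "https://builder.example/workflow@v1",
                   "entryPoint": "build.yml"},
        "materials": [{"uri": "git+https://github.com/example/app@refs/heads/main",
                       "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"}}],
    },
}
# Builders whose provenance this consumer is willing to trust (the SLSA 2 condition:
# tamper protection holds only as far as the build service is trusted).
TRUSTED_BUILDERS = {"https://builder.example/ci@v1"}


def verify_provenance(artifact: bytes, statement: dict, trusted_builders: set) -> dict:
    """Consumer-side check of an artifact against its provenance.
    Assumes the statement was delivered in a signed envelope whose signature has
    already been verified against the builder's key; that step is not repeated here.
    Returns {"ok": bool, "reason": str, "source": str | None}.
    """
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.1":
        return {"ok": False, "reason": "unexpected predicate type", "source": None}
    # 1. The artifact in hand must be the one the provenance describes.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return {"ok": False, "reason": "artifact digest not in subject", "source": None}
    # 2. The provenance must come from a build service the consumer trusts.
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in trusted_builders:
        return {"ok": False, "reason": f"untrusted builder {builder!r}", "source": None}
    # 3. Trace the build back to its source: the first version-control material.
    sources = [m["uri"] for m in pred.get("materials", [])
               if m.get("uri", "").startswith("git+")]
    if not sources:
        return {"ok": False, "reason": "no source repository in materials", "source": None}
    return {"ok": True, "reason": "digest matches and builder is trusted", "source": sources[0]}
```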
Google says it may be difficult to achieve the highest level of SLSA for most projects, but incremental improvements recognized by lower SLSA levels will already go a long way toward improving the security of the open-source ecosystem.