University of Minnesota
Security and Privacy in Computing

Readings on: software supply chains

Optional background reading: Ken Thompson. “Reflections on trusting trust”. Turing Award lecture, published in Communications of the ACM, Volume 27, Issue 8, pp. 761–763, August 1984.

Optional background reading: David A. Wheeler. “Countering Trusting Trust through Diverse Double-Compiling.” In Annual Computer Security Applications Conference (ACSAC), December 2005.
[Author's copy] [Author's page]

Main reading for Tuesday, April 16th: Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, and Hovav Shacham. “A Systematic Analysis of the Juniper Dual EC Incident.” In ACM CCS, October 2016.

Candidate main reading: Zhilei Ren, He Jiang, Jifeng Xuan, and Zijiang Yang. “Automated localization for unreproducible builds”. In International Conference on Software Engineering (ICSE), May 2018.

Candidate main reading: Nathanaëlle Courant, Julien Lepiller, and Gabriel Scherer. “Debootstrapping without Archeology: Stacked Implementations in Camlboot”. In The Art, Science, and Engineering of Programming, Vol. 6, Issue 3, Article 13, 2022.

Candidate main reading: Piergiorgio Ladisa, Henrik Plate, Matias Martinez, and Olivier Barais. “SoK: Taxonomy of Attacks on Open-Source Software Supply Chains”. In IEEE Security and Privacy (“Oakland”), May 2023.
[IEEE Xplore]

Candidate main reading: Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar. “It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security”. In IEEE Security and Privacy (“Oakland”), May 2023.
[IEEE Xplore]

FAQ/link-tree on the xz/ssh backdoor: Sam James. “FAQ on the xz-utils backdoor (CVE-2024-3094)”.
[GitHub Gist]