Advancing Automotive Software Supply Chain Security: A Blockchain-Reproducible Build Approach
Holcombe Department of Electrical and Computer Engineering

SAE Technical Papers (1906-current)
Format:
Book
Conference/Event
Author/Creator:
Aideyan, Iwinosa, author.
Contributor:
Brooks, Richard
Pesé, Mert D.
Conference Name:
2025 NDIA Michigan Chapter Ground Vehicle Systems Engineering and Technology Symposium (2025-08-12 : Novi, Michigan, United States)
Language:
English
Physical Description:
1 online resource
Place of Publication:
Warrendale, PA: SAE International, 2025
Summary:
The automotive industry's systems and over-the-air (OTA) updates have vulnerabilities in their software supply chain (SSC). Although frameworks like Uptane have improved OTA security, gaps remain in ensuring software integrity and provenance. In this paper, we examine the challenges of securing the automotive SSC and introduce a framework, GUIXCHAIN, that integrates version control, reproducible builds, blockchain technology, and software bills of materials (SBoMs) for transparency, auditability, and resilience. Reproducible builds guarantee identical resulting binaries when the same source code is compiled in different environments, so any deviation in the final output indicates a potential compromise of the build process, such as malware injection. Our preliminary study shows that Guixchain's use of reproducible builds ensures consistent, integrity-secured software across various build environments. The blockchain provides forensic capabilities, offering a history of the what, who and where of discrepancies within the SSC process. SBoMs provide an inventory of the software components used. Our preliminary study demonstrates that Guixchain effectively mitigates risks such as ransomware, unauthorized modifications, and build server compromises, reinforcing the system's integrity and resilience throughout the software life cycle. Future work will focus on the full implementation of Guixchain and a comprehensive evaluation of its performance in real-world automotive software supply chain scenarios.
Notes:
Vendor supplied data
Publisher Number:
2025-01-0456
Access Restriction:
Restricted for use by site license