{"id":67206,"date":"2017-03-22T09:00:10","date_gmt":"2017-03-22T16:00:10","guid":{"rendered":"http:\/\/blogs.microsoft.com\/microsoftsecure\/?p=67206"},"modified":"2023-05-15T22:57:49","modified_gmt":"2023-05-16T05:57:49","slug":"a-new-best-practice-to-protect-technology-supply-chain-integrity","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/03\/22\/a-new-best-practice-to-protect-technology-supply-chain-integrity\/","title":{"rendered":"A new best practice to protect technology supply chain integrity"},"content":{"rendered":"
This post is authored by Mark Estberg, Senior Director, Trustworthy Computing.

The success of digital transformation ultimately relies on trust in the security and integrity of information and communications technology (ICT). As ICT systems become more critical to economic prosperity, governments and organizations around the world are increasingly concerned about threats to the technology supply chain. These concerns stem from the fear that an adversary might tamper with or manipulate products during development, manufacture, or delivery. This poses a challenge to the technology industry: if our products are to be fully trusted, we must be able to assure our customers that the technology they reviewed and approved before deployment is the same software that is running on their computers.

To increase confidence, organizations have increasingly turned to source code analysis, that is, direct inspection of the supply chain by a human expert or an automated tool. Source code is a set of computer instructions written in a programming language that humans can read. This code is converted (compiled) into a binary file of instructions, the executable, written in the zeroes and ones that machines can process and run. This conversion from human-readable code to machine-readable code, however, raises an unsettling question: was the machine code, and ultimately the software program running on the computer, built from the same source code files that the expert or tool analyzed? There has been no efficient and reliable method to answer this, even for open source software. Until now.

At Microsoft, we have developed a way to definitively demonstrate that a compiled machine-readable executable was generated from the same human-readable source code that was reviewed. It is based on the concept of a “birth certificate” for binary files, which consists of unique numbers (hash values) that are cryptographically strong enough to identify individual source code files.

As source code is compiled in Visual Studio, the compiler assigns the source code a hash value, generated in such a way that it is virtually impossible for any other code to produce the same value. By matching the hash values recorded by the compiler against those computed from the examined source code files, we can verify that the executable did indeed result from the original source code files.