摘要: |
随着信息技术的快速发展,软件的模块化与产业化趋势愈加显著,导致软件构建的复杂性持续攀升,从而暴露出更多的攻击面,引发了多起软件供应链攻击事件。软件供应链安全不仅具有攻击门槛低、攻击方式多样、攻击隐蔽性强等特点,而且能够影响软件供应链下游安全,显著扩大了攻击范围,成为业界广泛关注的焦点。首先,本文介绍了软件供应链安全的背景,以大模型及软件供应链安全的相关概念为出发点,描述了软件供应链安全防护的发展历程。接着,本文着重探讨了大模型在软件开发环节供应链安全防护中的应用研究,通过系统梳理和分析现有研究成果,分别从顶级源、依赖项、软件包构件及其构建过程四个维度,介绍了大模型赋能软件供应链安全防护技术的研究现状。在此基础上,本文通过对比传统软件供应链安全防护的技术与方法,重点分析了大模型赋能软件供应链开发环节安全方面的优势和机遇。最后,结合对当前研究现状的调研分析,本文总结了大模型在软件供应链安全防护技术中面临的数据集构建、模型训练微调、模型稳定性以及引入新的供应链安全等问题,并据此提出了未来可能的研究方向,以期为推动该领域的持续发展提供有益的参考和启示。 |
关键词: 大模型 软件供应链安全 软件开发 软件安全 |
DOI:10.19363/J.cnki.cn10-1380/tn.2024.09.11 |
投稿时间:2024-03-30修订日期:2024-05-21 |
基金项目:本课题得到中国科学院青年创新促进会;中国科学院网络测评技术重点实验室;网络安全防护技术北京市重点实验室项目资助;国家电网有限公司科技项目资助(No.5700-202352606A-3-2-ZN)。 |
|
A Review of Security Research in the Development Stage of Software Supply Chain Enhanced by Large Models |
LIU Jingqiang,TIAN Xing,SHU Yuqi,ZHU Xiaoxi,LIU Yuling,LIU Qixu |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
Abstract: |
With the rapid development of information technology, the modularization and industrialization trends of software have become increasingly prominent, leading to a continuous increase in the complexity of software construction process, thereby exposing more attack surfaces and triggering multiple software supply chain attack events. The security of software supply chain not only features low thresholds of attacks, diverse attack methods, and strong concealment of attacks, but also can affect the security of the downstream of the software supply chain, significantly expanding the scope of attacks, thus becoming a focus of widespread concern in the industry. Consequently, the issue of software supply chain security has become a focal point of attention in the industry. Firstly, this paper introduces the background of software supply chain security, taking the related concepts of large models and software supply chain security as the starting point, and describes the development process of software supply chain security protection. Then, this paper focuses on the application research of large models in the security protection of the software development supply chain. Through systematically reviewing and analyzing existing research results, it introduces the current research status of large models enabling software supply chain security protection technology from four dimensions: top-level sources, dependencies, software package artifacts, and their construction process. On this basis, this article focuses on analyzing the advantages and opportunities of leveraging large models to enhance the security of software supply chain development processes, by comparing it with the techniques and methods of traditional software supply chain security protection. Finally, based on the investigation and analysis of the current research status, this paper summarizes the challenges faced by large models in software supply chain security protection technologies, including dataset construction, model training and fine-tuning, model stability, and the introduction of new supply chain security issues, and proposes possible future research directions accordingly, aiming to provide useful references and inspirations for promoting the continuous development in this field. |
Key words: large language model software supply chain security software development software security |