Cite this article
  • Li Yan, Jiang Nan, Zhou Qihang, Du Haichao, Huang Qingjia, Song Zhenyu, Jia Xiaoqi. A Survey of Software Supply Chain Threats [J]. Journal of Cyber Security, Accepted.
  • Li Yan, Jiang Nan, Zhou Qihang, Du Haichao, Huang Qingjia, Song Zhenyu, Jia Xiaoqi. A Survey of Software Supply Chain Threats [J]. Journal of Cyber Security, Accepted.

A Survey of Software Supply Chain Threats
Li Yan, Jiang Nan, Zhou Qihang, Du Haichao, Huang Qingjia, Song Zhenyu, Jia Xiaoqi
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
As the software industry evolves deeply toward componentization, service orientation, and cloud-native architectures, the software supply chain has moved beyond simple code dependencies into a complex ecosystem that includes algorithmic standards, development tools, build environments, and distribution networks. This highly interdependent collaboration model improves delivery efficiency, but it also creates chains of trust that cross organizational boundaries, giving malicious actors an asymmetric attack channel for reaching downstream targets through upstream compromise. This paper aims to comprehensively survey the threat landscape, theoretical frameworks, and frontier research progress in software supply chain security.

We clarify the definition of software supply chain threats and propose a rigorous threat taxonomy based on the full software development lifecycle, characterizing in detail the attack vectors specific to each stage: requirements and design, coding, build and integration, and delivery and distribution. Regarding existing research, we systematically review ecosystem vulnerability measurement, threat detection techniques, and proactive defense systems for the software supply chain. Finally, we summarize the limitations of current research in cross-ecosystem generality, the quality of malicious code datasets, and the detection of stealthy attacks, and we outline future research directions.
Keywords: software supply chain security; threat taxonomy; software development lifecycle; threat detection
DOI:
Received: 2026-03-03; Revised: 2026-05-24
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
A Survey of Software Supply Chain Threats
Li Yan, Jiang Nan, Zhou Qihang, Du Haichao, Huang Qingjia, Song Zhenyu, Jia Xiaoqi
(Institute of Information Engineering, Chinese Academy of Sciences, Beijing)
Abstract:
With the deep evolution of the software industry toward componentization, service-orientation, and cloud-native architectures, the software supply chain has transcended mere code dependencies to become a complex ecosystem encompassing algorithmic standards, development tools, build environments, and distribution networks. While this highly interdependent collaboration model enhances delivery efficiency, it also creates a chain of trust propagation across organizational boundaries, providing malicious actors with an asymmetric attack channel to penetrate downstream targets via upstream compromises. This paper aims to comprehensively survey the threat landscape, theoretical frameworks, and frontier research progress in the field of software supply chain security.

We clarify the definition of software supply chain threats and propose a rigorous threat taxonomy based on the full software development lifecycle (SDLC). This taxonomy meticulously characterizes unique attack vectors across critical stages, including requirements and design, coding, build and integration, and delivery and distribution. Regarding existing literature, this paper systematically reviews ecosystem vulnerability measurements, threat detection techniques, and proactive defense systems within the software supply chain context. Finally, we summarize the limitations of current research concerning cross-ecosystem generality, quality of malicious code datasets, and stealthy attack detection, and provide an outlook on future research directions.
Keywords: software supply chain security; threat taxonomy; software development life cycle; threat detection