Software supply chain security must address the runtime problem: approaches like software bill-of-materials (SBOM), static analysis, and vulnerability management help ensure the production of trustworthy software artifacts, but they do not provide any guarantees about that software running in a remote environment. Confidential Computing, also known as hardware-based trusted execution environments (TEEs), can close this gap.
Using cryptographic remote attestation for Confidential Computing, an application can prove that the code actually running is the code its own SBOMs, build provenance, or other artifacts describe. Malicious applications cannot forge a misleading attestation, nor replay a different application's valid attestation. The performance overhead of runtime verification is at least one network round-trip, depending on the architecture and protocol chosen.
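A simulated attestation round-trip that binds the running code's measurement to an SBOM digest and a verifier-chosen nonce, as an added example and not the talk's reference architecture or demo; the HMAC key standing in for the TEE's hardware-rooted attestation key, the SBOM, and the measurement are all constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the TEE's hardware-rooted attestation key. A real
# TEE signs with an asymmetric key whose certificate chains to the hardware
# vendor; a shared HMAC key is used here only so the example runs offline.
TEE_ATTESTATION_KEY = b"constructed-tee-attestation-key"

# Constructed SBOM and the measurement the verifier expects for the build.
SBOM = b'{"name":"svc","components":[{"name":"libfoo","version":"1.2.3"}]}'
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed-app-binary").hexdigest()


def tee_attest(measurement: str, nonce: bytes, sbom: bytes) -> dict:
    """Attester side: the TEE reports the code measurement and binds the
    verifier's nonce and the SBOM digest (as report data) into a signed quote."""
    report = {"measurement": measurement, "nonce": nonce.hex(),
              "report_data": hashlib.sha256(sbom).hexdigest()}
    payload = json.dumps(report, sort_keys=True).encode()
    sig = hmac.new(TEE_ATTESTATION_KEY, payload, "sha256").hexdigest()
    return {"report": report, "sig": sig}


def verify_quote(quote: dict, nonce: bytes, expected_measurement: str, sbom: bytes) -> bool:
    """Verifier side: reject forged, replayed, wrong-code or wrong-artifact quotes."""
    report = quote["report"]
    payload = json.dumps(report, sort_keys=True).encode()
    expected_sig = hmac.new(TEE_ATTESTATION_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False  # forged or tampered quote
    if report["nonce"] != nonce.hex():
        return False  # replay of a quote issued for another challenge
    if report["measurement"] != expected_measurement:
        return False  # different code is running than the artifacts describe
    if report["report_data"] != hashlib.sha256(sbom).hexdigest():
        return False  # the SBOM presented is not the one bound into the quote
    return True


def runtime_verification() -> bool:
    """The single network round-trip: verifier sends a fresh nonce, attester
    answers with a quote, verifier checks it against the SBOM it holds."""
    nonce = os.urandom(16)
    quote = tee_attest(EXPECTED_MEASUREMENT, nonce, SBOM)
    return verify_quote(quote, nonce, EXPECTED_MEASUREMENT, SBOM)
```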
This talk will provide a conceptual overview of Confidential Computing and its applications in supply chain security, including a reference architecture and a demonstration of runtime verification of software supply chain artifacts.