Quantitative Toolchain Assurance
Dennis Volpano, Drew Malzahn, Andrew Pareles, Mark Thober
TL;DR
This paper introduces a quantitative approach to assess software build process quality through assurance cases and process reduction, enhancing the SBOM concept with measurable build process insights.
Contribution
It presents a novel quantitative assurance case framework for toolchains using process reduction, enabling measurable assessment of build process quality.
Findings
Quantitative assurance cases can measure toolchain strength.
Process reduction effectively structures assurance cases.
Example demonstrates practical application of the approach.
Abstract
The software bill of materials (SBOM) concept aims to include more information about a software build such as copyrights, dependencies and security references. But SBOM lacks visibility into the process for building a package. Efforts such as Supply-chain Levels for Software Artifacts (SLSA) try to remedy this by focusing on the quality of the build process. But they lack quantitative assessment of that quality. They are purely qualitative. A new form of assurance case and new technique for structuring it, called process reduction, are presented. An assurance case for a toolchain is quantitative and when structured as a process reduction can measure the strength of the toolchain via the strength of the reduction. An example is given for a simple toolchain.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSafety Systems Engineering in Autonomy · Software Reliability and Analysis Research · Information and Cyber Security