George Neville-Neil, Queue's Kode Vicious, interviews Robert to learn about an exciting computer science research project at Cambridge.
Russ Cox - Fifty Years of Open Source Software Supply Chain Security
The xz attack seems to be the first major attack on the open source software supply chain. The event-stream attack was similar but not major, and Heartbleed and Log4j were vulnerabilities, not attacks. But the xz attack was discovered essentially by accident because it made sshd just a bit too slow at startup. Attacks, by their nature, try to remain hidden. What are the chances we would accidentally discover the very first major attack on the open source software supply chain in just a few weeks? Perhaps we were extremely lucky, or perhaps we have missed others.
Josie Anugerah, Eve Martin-Jones - The Surprise of Multiple Dependency Graphs
It seems like it should be easy to avoid installing vulnerable open source software, but dependency graphs are surprisingly complex. At the time of writing, the latest version of the popular npm tool webpack has millions of potential dependency graphs depending on circumstances during its resolution. The exact graph chosen for a given package can depend on what other software is being built, what kind of system is building it, and even the state of the ecosystem on a given day.
Amanda Casari, Julia Ferraioli, Juniper Lovato - Beyond the Repository
Much of the existing research about open source elects to study software repositories instead of ecosystems. An open source repository most often refers to the artifacts recorded in a version control system and occasionally includes interactions around the repository itself. An open source ecosystem refers to a collection of repositories, the community, their interactions, incentives, behavioral norms, and culture. The decentralized nature of open source makes holistic analysis of the ecosystem an arduous task, with communities and identities intersecting in organic and evolving ways. Despite these complexities, the increased scrutiny on software security and supply chains makes it of the utmost importance to take an ecosystem-based approach when performing research about open source.
Guenever Aldrich, Danny Tsang, Jason McKenney - Three-part Harmony for Program Managers Who Just Don't Get It, Yet
This article examines three tools in the system acquisitions toolbox that can expedite development and procurement while mitigating programmatic risk: open source software (OSS), open standards, and Agile/Scrum software development processes. All three are powerful additions to the DoD acquisition program management toolbox.
Robert Watson is a security researcher and open source developer at the University of Cambridge looking at the hardware-software interface. He talks to us about spanning industry and academia, the importance of open source in software research, and challenges facing research that spans traditional boundaries in computer science. We also learn a bit about CPU security, and why applications, rather than operating systems, are increasingly the focus of security research. What are the challenges in the evolving hardware-software interface? Could open source hardware provide a platform for hardware-software research? And why is current hardware part of the problem?
Comments (newest first)
Thanks for the excellent interview with an interesting, cutting-edge researcher. My one gripe is that the questions are posed in text only within the video, i.e., not read aloud. I understand that the idea is to keep the focus on Mr. Watson, but it prevents audio-only consumption, which should be possible given the fact that the video component is strictly portrait-based.
Excellent video. For too long, there has been an almost complete cultural divide between hardware designers and software engineers. I hope this interview helps to eliminate this wholly unnecessary gap, and move us towards a more organic "whole system" view of computation and security.
This is a marvelous interview. Very insightful and far-sighted. This really brings home the importance of understanding hardware, software, programming languages, system engineering, networking, security, reliability, and so many other aspects of computer research and development. It should be seen by every ACM member and others as well.