Tamper-resistant binary software package provenance system
By using a tamper-proof binary software package traceability system, the problems of data tampering and information opacity in the software supply chain are solved, enabling fine-grained tracking of software components and rapid vulnerability response, thereby enhancing the trust and security of the supply chain.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NAT UNIV OF DEFENSE TECH
- Filing Date
- 2026-02-28
- Publication Date
- 2026-06-05
AI Technical Summary
Existing software supply chain security solutions are inadequate in protecting data integrity, making them vulnerable to tampering. Furthermore, software vendors are unwilling to fully disclose sensitive information in their SBOMs, hindering the effective implementation of trust building and vulnerability detection.
A tamper-proof binary software package traceability system is adopted, including a data acquisition module, a blockchain storage module, a user interface module, an SBOM enhancement module, and a verification module. By collecting traceability information, storing it on the blockchain, and verifying the integrity of the software package, a vulnerability impact graph is constructed to trace the vulnerability propagation path.
It enables fine-grained tracking of software components and their dependencies, quickly identifies affected software packages, and provides precise remediation guidance, thereby enhancing the trust and security of the software supply chain.
Smart Images

Figure CN122153853A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of software package traceability technology, and more specifically to a tamper-proof binary software package traceability system. Background Technology
[0002] In today's digital age, software has become a core component of modern social infrastructure. However, the software development process is becoming increasingly complex, with extensive use of third-party components, open-source libraries, and pre-compiled binary packages, forming a vast and interdependent software supply chain. This complexity makes the software supply chain highly vulnerable to attacks.
[0003] To address software supply chain security challenges, Software Bill of Materials (SBOM) has been widely proposed and adopted. An SBOM provides a detailed list of all components, libraries, and dependencies included in a software product, aiming to improve transparency in the software supply chain and help users identify and manage potential security vulnerabilities. However, existing SBOM solutions still have some limitations. First, traditional SBOMs are insufficient in protecting data integrity and are vulnerable to data tampering. For example, attackers may tamper with SBOM files to include incorrect or false information, thereby hiding malicious components or vulnerabilities. Second, software vendors may be unwilling to fully disclose sensitive information in their SBOMs due to business competition or intellectual property protection considerations, which hinders the effective implementation of SBOMs and the establishment of trust. Although existing research has begun to explore using reproducible builds and SBOMs to detect injections or modifications in the software supply chain, there is still room for improvement in the integration of these methods in detecting malicious updates and tracing vulnerability propagation paths. Summary of the Invention
[0004] This application aims to provide a tamper-proof binary software package traceability system to improve the overall trust in the software supply chain.
[0005] Firstly, a tamper-proof binary software package traceability system is provided, the system comprising: The data acquisition module is used to collect traceability information of binary software packages, including SBOM metadata, binary file hash value, digital signature, build environment details, and supply chain event logs. A blockchain storage module is used to store the traceability information of the binary software package; The user interface module provides an application programming interface and a graphical user interface, allowing authorized users to query the traceability information of binary software packages through binary software package information, wherein the binary software package information includes: binary software package name, binary software package version number, and binary software package architecture; The SBOM enhancement module is used to extend the traditional SBOM of the binary software package to obtain an enhanced SBOM based on the traceability information; The verification module is used to verify the integrity of the updated binary software package when the binary software package is received, based on the hash value of the updated binary software package and the hash value stored in the blockchain storage module. The vulnerability tracking module is used to construct a vulnerability impact graph based on the component dependencies and vulnerability information stored in the blockchain storage module, in order to identify downstream software packages affected by known vulnerabilities and track their propagation paths.
[0006] Optionally, the blockchain storage module adopts a permissioned blockchain architecture.
[0007] Optionally, the verification module is further configured to: If the hash value of the updated binary software package does not match the hash value stored in the blockchain storage module, an alarm is triggered and the abnormal event is stored in the blockchain storage module.
[0008] Optionally, the vulnerability tracking module communicates with an external vulnerability database, and the vulnerability tracking module is further configured to: Obtain newly added vulnerability data from the external vulnerability database; If the newly added vulnerability data matches the component information of the enhanced SBOM, the component vulnerability status is updated according to the newly added vulnerability data. The vulnerability status includes: newly added vulnerability, vulnerability patch, and vulnerability level change.
[0009] Optionally, the build environment details include the operating system version, compiler type and version, exact version and hash value of dependent libraries, and hash value of the build script.
[0010] Optionally, the blockchain storage module manages the writing, updating, and querying permissions of the traceability information through smart contracts.
[0011] Optionally, the verification module is further configured to: Based on the aforementioned build environment information, construct a replica environment identical to the original build; In the replicating environment, a new binary file is generated according to the construction steps recorded in the SBOM; If the hash value of the newly generated binary file matches the original hash value stored in the SBOM, the binary software package is deemed complete.
[0012] Optionally, the SBOM enhancement module is further configured to: The enhanced SBOM is then structurally processed.
[0013] Based on the aforementioned tamper-proof binary software package traceability system, the data acquisition module collects traceability information of binary software packages, including SBOM metadata, binary file hash values, digital signatures, build environment details, and supply chain event logs; the blockchain storage module stores the traceability information of binary software packages; the user interface module provides an application programming interface and a graphical user interface, allowing authorized users to query the traceability information of binary software packages through binary software package information, including: binary software package name, binary software package version number, and binary software package architecture; the SBOM enhancement module extends the traditional SBOM of the binary software package based on the traceability information and structures the extended SBOM to obtain the enhanced SBOM; when receiving a binary software package update, the verification module verifies the integrity of the updated software package based on the hash value of the updated binary software package and the hash value stored in the blockchain storage module; the vulnerability tracking module constructs a vulnerability impact graph based on the component dependencies and vulnerability information stored in the blockchain storage module to identify downstream software packages affected by known vulnerabilities and trace their propagation paths. In this way, by building a tamper-proof binary software package traceability system, fine-grained tracking of software components and their dependencies is achieved, enabling the rapid identification of affected software packages after a vulnerability is discovered and providing accurate remediation guidance, significantly shortening response time and enhancing the trustworthiness of the software supply chain. Attached Figure Description
[0014] Figure 1 This is a schematic diagram of the structure of a tamper-proof binary software package traceability system provided in an embodiment of this application; Figure 2 This is a flowchart illustrating a tamper-proof binary software package tracing method provided in a specific embodiment of this application. Detailed Implementation
[0015] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.
[0016] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class and the number of objects is not limited; for example, a first object can be one or more. Furthermore, in the specification and claims, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.
[0017] The following description, in conjunction with the accompanying drawings, details a tamper-proof binary software package traceability system provided in this application through specific embodiments and application scenarios.
[0018] Please see Figure 1 This is a schematic diagram of the structure of a tamper-proof binary software package traceability system provided in an embodiment of this application. Figure 1 As shown, the tamper-proof binary software package traceability system includes: The data acquisition module is used to collect traceability information of binary software packages, including SBOM metadata, binary file hash value, digital signature, build environment details, and supply chain event logs.
[0019] In this embodiment, the data acquisition module is responsible for continuously collecting the source information of the binary software package throughout its entire lifecycle. This source information includes: SBOM metadata, binary file hash values, digital signatures, build environment details, and supply chain event logs. Specifically, data acquisition can be integrated through automated toolchain CI process hooks. SBOM metadata can be understood as basic attributes such as the package name, version, license information, and author information. Binary file hash values can be understood as calculating a cryptographic hash value for each binary file, serving as its unique digital fingerprint for subsequent integrity verification. Digital signatures can be understood as the digital signature of the submitted data by the developer, builder, or publisher to prove the data's origin and integrity. Build environment details can be understood as recording detailed environmental information used to generate the binary file, such as the operating system version, compiler type and version, the precise versions and hash values of all dependent libraries, and the hash value of the build script. Supply chain event logs can be understood as recording key events in the software package's flow through the supply chain, such as code submission, test passing, security audit, packaging, distribution upload, and deployment. Each event includes a timestamp and the digital signature of the responsible entity.
[0020] A blockchain storage module is used to store the traceability information of the binary software package.
[0021] In this embodiment of the application, the blockchain storage module is the core trust infrastructure of the tamper-proof binary software package traceability system. It adopts distributed ledger technology to store the traceability information of all software packages in an immutable manner.
[0022] The distributed ledger is used to store the enhanced SBOM and metadata submitted by the data acquisition module. Each record is considered a transaction and includes a transaction ID, submitter identity, timestamp, package hash, and a summary of the enhanced SBOM contents.
[0023] Smart contracts, deployed on a blockchain, automate and enforce rules for writing, updating, and querying data. A smart contract defines that only authorized entities (such as verified developers, official build systems, or accredited distributors) can submit specific types of data. All critical data submissions must undergo multi-party digital signature verification, further enhancing data credibility. Specifically, permissioned blockchain architectures can employ Hyperledger Fabric or Ethereum Enterprise permissioned blockchain architectures, allowing for identity management and access control of participants. This ensures that only authorized nodes can participate in transaction verification and ledger maintenance, thereby improving transaction processing efficiency, protecting privacy, and meeting regulatory requirements.
[0024] The user interface module provides an application programming interface and a graphical user interface, allowing authorized users to query the traceability information of binary software packages through binary software package information, wherein the binary software package information includes: binary software package name, binary software package version number, and binary software package architecture.
[0025] In this embodiment, the user interface module can provide an application programming interface and a graphical user interface, allowing authorized users to query complete traceability information for any software package or component. Users can query using keywords such as package name, version number, and architecture. A unique identifier is generated for each software package or version, allowing users to conveniently and quickly obtain a complete traceability report from the blockchain, including enhanced SBOM information, proof of origin, build details, security status, and update history.
[0026] The SBOM enhancement module is used to extend the conventional SBOM of the binary software package to obtain an enhanced SBOM based on the traceability information.
[0027] In this embodiment, the SBOM enhancement module extends the traditional SBOM specification to include richer metadata to support fine-grained traceability and integrity protection, resulting in an enhanced SBOM. In addition to standard component, version, and license information, the enhanced SBOM also includes: binary file hashes, build environment details, proof of origin, and supply chain event logs. Specifically, the binary file hash can be understood as the cryptographic hash of each binary file constituting the software package. Build environment details can be understood as the build environment metadata described by the data acquisition module. Proof of origin can be understood as a URL pointing to the source code repository, a specific commit ID, and the developer's digital signature, used to establish a trusted association between the code and the binary file. The supply chain event log can be understood as recording lifecycle events associated with this specific SBOM.
[0028] The enhanced SBOM can be extended based on standards such as the Software Package Data Exchange (SPDX) or CycloneDX, and will be structured in JSON format for easy storage and retrieval on the blockchain.
[0029] The verification module is used to verify the integrity of the updated binary software package when the update is received, based on the hash value of the updated binary software package and the hash value stored in the blockchain storage module.
[0030] In this embodiment, the verification module is used for update integrity verification. When a user or system receives a software package update, the verification module automatically calculates the hash value of the binary file in the new software package and compares it with the expected hash value retrieved from the blockchain storage module. If the hash values do not match, an alarm is immediately triggered, indicating that the software package may have been maliciously tampered with or modified without authorization. This abnormal event is also recorded on the blockchain.
[0031] In this embodiment, the verification module is also used for repeatable build verification. Utilizing detailed build environment information (such as compiler version, dependent libraries, build scripts, etc.) recorded in the enhanced SBOM, users or independent third-party verification agencies can attempt to reproduce the software package build process in a controlled environment. Then, the binary file hash of the reproduced result is compared with the original build hash declared on the blockchain. If the two are inconsistent, it indicates that the original build process may have been tampered with or that there are uncertainties, which will also trigger an alarm and record the abnormal event.
[0032] The vulnerability tracking module is used to construct a vulnerability impact graph based on the component dependencies and vulnerability information stored in the blockchain storage module, in order to identify downstream software packages affected by known vulnerabilities and track their propagation paths.
[0033] In this embodiment, the vulnerability tracking module utilizes software package component dependencies and vulnerability information stored on the blockchain to construct a dynamic vulnerability impact graph. The vulnerability tracking module has component dependency analysis capabilities, external vulnerability database integration capabilities, and vulnerability impact identification and tracking capabilities.
[0034] The component dependency analysis feature constructs a complete dependency tree for the software package by analyzing the component dependencies recorded in the enhanced SBOM.
[0035] The external vulnerability database integration function integrates with the NVD vulnerability database to automatically acquire the latest known security vulnerabilities (CVEs). When new vulnerability information is released, this module checks whether all relevant components on the blockchain are affected and automatically updates the vulnerability status of these components. Vulnerability status includes: newly added vulnerabilities, vulnerability fixes, and changes in vulnerability severity.
[0036] Vulnerability impact identification and tracking: Once a vulnerability is discovered in a fundamental component, this module can quickly identify all directly or indirectly affected downstream software packages and trace the distribution paths of these affected packages. This enables the system to provide accurate vulnerability alerts and patch distribution guidance to affected users and organizations, significantly reducing vulnerability response time.
[0037] Through the above technical solution, the data acquisition module collects the source information of binary software packages, including SBOM metadata, binary file hash values, digital signatures, build environment details, and supply chain event logs; the blockchain storage module stores the source information of binary software packages; the user interface module provides an application programming interface and a graphical user interface, allowing authorized users to query the source information of binary software packages through binary software package information, including: binary software package name, binary software package version number, and binary software package architecture; the SBOM enhancement module extends the traditional SBOM of the binary software package based on the source information and structures the extended SBOM to obtain the enhanced SBOM; when the verification module receives a binary software package update, it verifies the integrity of the updated software package based on the hash value of the updated binary software package and the hash value stored in the blockchain storage module; the vulnerability tracking module constructs a vulnerability impact graph based on the component dependencies and vulnerability information stored in the blockchain storage module to identify downstream software packages affected by known vulnerabilities and trace their propagation paths. In this way, by building a tamper-proof binary software package traceability system, fine-grained tracking of software components and their dependencies is achieved, enabling the rapid identification of affected software packages after a vulnerability is discovered and providing accurate remediation guidance, significantly shortening response time and enhancing the trustworthiness of the software supply chain.
[0038] In a specific embodiment of this application, the implementation process of the tamper-proof binary software package tracing method includes: Step 1: SBOM and metadata generation.
[0039] 1.1 When a new version of the open-source software source code package is submitted to the version control system, the automated build system is triggered before compiling the kernel binary. During the compilation process, the data acquisition module records detailed information such as the compiler version, specific patches used, all linked third-party libraries and their precise versions and hash values, the operating system environment on which the build depends (including kernel version, necessary system tools, etc.), and the hash value of the build script.
[0040] The 1.2 SBOM enhancement module generates a detailed enhanced SBOM based on the list of each component module, license information, cryptographic hash value (binary fingerprint) of the binary file, commit ID pointing to the source code repository (proof of origin), complete environment details of this build, and build event log of this package, all recorded in the data acquisition module in 1.1.
[0041] Step 2: Upload data to the blockchain.
[0042] 2.1 The generated enhanced SBOM, the cryptographic hash of the final binary file, the developer's digital signature, version number, release time, and all other metadata will be structured into a single transaction; 2.2 This transaction was submitted to a blockchain network comprised of operating system maintainers, major distribution vendors, and key security organizations.
[0043] 2.3 The smart contract will verify the validity of the submitter's digital signature and check the compliance of the data format and content; 2.4 The transaction will only be permanently recorded in the distributed ledger of the blockchain after multiple participants (e.g., distribution maintainers and third-party security auditing agencies) have verified the transaction with digital signatures, ensuring that the data is immutable and traceable.
[0044] Step 3: Differentiate based on user usage patterns, there are 2 usage patterns in total.
[0045] Step 3.1: Source information query The system generates a unique identifier for each released binary software package, which is attached to the package's download page, release notes, or included in the package manager's metadata.
[0046] The user interface module provides a web portal and command-line tools, allowing authorized users to query their complete traceability information on the blockchain by entering the kernel version number, hash value, or scanning a QR code.
[0047] Step 3.2: Update and Verify When a user downloads a new software package from the official software repository: 3.2.1 The verification module automatically calculates the hash value of the downloaded binary file and compares it with the expected hash value recorded on the blockchain for that version of the software package, as retrieved by the user. If the hash values do not match, the system immediately issues a warning, indicating that the software package may have been tampered with; 3.2.2 For highly sensitive environments, users can leverage the build environment details recorded in the enhanced SBOM to attempt to precisely reproduce the compilation and build process of the original source package in an isolated and controlled environment. If the binary hash value generated by the reproduced build is inconsistent with the original hash value recorded on the blockchain, it indicates that the original build process may have been modified unexpectedly or implanted with a backdoor by an attacker. Any detected anomalies will automatically trigger an alert, and the anomaly event and its detailed information will be recorded on the blockchain for subsequent auditing and analysis.
[0048] Step 4: Vulnerability and Malicious Update Response The system detected a high-risk security vulnerability (CVE) in a specific library or component: 4.1 The vulnerability tracking module automatically obtains detailed information about the CVE; 4.2 Based on the enhanced SBOM and component dependencies of each version of the software package stored on the blockchain, the vulnerability tracking module can quickly identify all versions affected by this vulnerability; 4.3 The system immediately issues an alert to all affected users and administrators, and provides a list of affected software packages, suggested fixes or patch information, enabling accurate and rapid vulnerability response. If the verification module detects a malicious update, such as a downloaded kernel that has been tampered with, the system will immediately block its installation and record the relevant events on the blockchain to assist in security incident response and forensic analysis.
[0049] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0050] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 The computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The functions specified in one or more boxes. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable apparatus for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0051] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0052] Memory may include non-persistent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0053] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0054] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0055] The above are merely embodiments of this application and are not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.
[0056] Furthermore, various different embodiments of the present invention can be combined in any way, as long as they do not violate the spirit of the present invention, they should also be regarded as the content disclosed by the present invention.
Claims
1. A tamper-proof binary software package traceability system, characterized in that, The system includes: The data acquisition module is used to collect traceability information of binary software packages, including SBOM metadata, binary file hash value, digital signature, build environment details, and supply chain event logs. A blockchain storage module is used to store the traceability information of the binary software package; The user interface module provides an application programming interface and a graphical user interface, allowing authorized users to query the traceability information of binary software packages through binary software package information, wherein the binary software package information includes: binary software package name, binary software package version number, and binary software package architecture; The SBOM enhancement module is used to extend the traditional SBOM of the binary software package to obtain an enhanced SBOM based on the traceability information; The verification module is used to verify the integrity of the updated binary software package when the binary software package is received, based on the hash value of the updated binary software package and the hash value stored in the blockchain storage module. The vulnerability tracking module is used to construct a vulnerability impact graph based on the component dependencies and vulnerability information stored in the blockchain storage module, in order to identify downstream software packages affected by known vulnerabilities and track their propagation paths.
2. The system according to claim 1, characterized in that, The blockchain storage module adopts a permissioned blockchain architecture.
3. The system according to claim 1, characterized in that, The verification module is also configured to: If the hash value of the updated binary software package does not match the hash value stored in the blockchain storage module, an alarm is triggered and the abnormal event is stored in the blockchain storage module.
4. The system according to claim 1, characterized in that, The vulnerability tracking module communicates with an external vulnerability database, and the vulnerability tracking module is also configured to: Obtain newly added vulnerability data from the external vulnerability database; If the newly added vulnerability data matches the component information of the enhanced SBOM, the component vulnerability status is updated according to the newly added vulnerability data. The vulnerability status includes: newly added vulnerability, vulnerability patch, and vulnerability level change.
5. The system according to claim 1, characterized in that, The build environment details include the operating system version, compiler type and version, exact versions and hash values of dependent libraries, and hash values of the build script.
6. The system according to claim 1, characterized in that, The blockchain storage module manages the writing, updating, and querying permissions of the traceability information through smart contracts.
7. The system according to claim 1, characterized in that, The verification module is also configured to: Based on the aforementioned build environment information, construct a replica environment identical to the original build; In the replicating environment, a new binary file is generated according to the construction steps recorded in the SBOM; If the hash value of the newly generated binary file matches the original hash value stored in the SBOM, the binary software package is deemed complete.
8. The system according to claim 1, characterized in that, The SBOM enhancement module is also configured to: The enhanced SBOM is then structurally processed.