SOSS Community Day Japan 2024

Linux distributions provide users with great convenience by centralized access to multiple independent OSS into a single location. This has been an essential function that OSS can be popularized and rule the world. The nature of distributions that provide convenience to users by consolidating multiple means of access can be expected to play an important role in OSS supply chain security enhancement. For example, SBOM, provenance, and vulnerability information can be provided with trust. Currently, however, it is difficult to provide a unified means of providing these in a convenient manner while guaranteeing their authenticity and integrity. In this session, the speaker will share the current issues as a developer of multiple Linux distributions and will propose the role that distributions and distributors should play in the enhancement of supply chain security. Then he will propose necessary mechanisms to achieve it and discuss them with the attendees.

Fujitsu supports SPDX evolution and the movement to an international standard that provides a common SBOM basis for software exploitation for companies throughout the supply chain. We have long provided multilateral support for SPDX, especially thorough activities in Yocto and SPDX-Lite. From 2016, we have been joining maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. Also, we are the top contributors of patch submissions to the Yocto Project. In recent years, increasing interest in cybersecurity has led to the need to quickly determine whether a product is vulnerable or not. In the supply chain, vulnerability information can be handled in combination with SBOM and VEX. An SBOM should be generated for each build, and a VEX should be generated for each vulnerability detection. It is necessary to manage them separately because their life cycles are different. In addition, there is a problem in the accuracy of the vulnerability, and there are some measures to solve it. In this presentation, we describe the advantages and challenges of creating VEX in Yocto as a use case.

This session will delve into the practical experience of discovering and reporting Linux kernel vulnerabilities using the powerful kernel fuzzer, e.g. syzkaller. We will walk through the step-by-step process of conducting fuzzing tests, identifying potential vulnerabilities, and ultimately submitting them to the Linux kernel Security community. Beyond the technical aspects of vulnerability discovery, we'll also discuss the broader implications of this work on the open source ecosystem. By sharing insights into the benefits of using kernel fuzzers, we aim to encourage more developers to contribute to the security of Linux and other open source projects. Topics will include: Introduction to syzkaller and Real-world case studies: Practical examples of vulnerabilities discovered using syzkaller The vulnerability reporting process: practices for submitting vulnerabilities to the Linux kernel Security community with PoC