Quanpeng Chen,Xiaogang Chen,Shu Li,Jun Chen

DOI: https://doi.org/10.1007/s10479-024-06320-x

IF: 4.82

2024-01-01

Annals of Operations Research

Abstract:Small and medium enterprises (SMEs) in supply chains often struggle to obtain external financial resources from banks, due to their poor supply chain visibility. Prior studies suggest that adopting blockchain technology can enhance supply chain visibility, thus facilitating access to supply chain finance (SCF). In this study, we compare the traditional SCF mode with the blockchain-enabled SCF mode within the framework of a dual-channel closed-loop supply chain (CLSC). Our analysis incorporates both prepayment financing and accounts receivable financing or purchase order financing into the analytical model. Our main findings are as follows. Firstly, adopting blockchain technology leads to a reduction in the interest rate, enabling the manufacturer and the retailer to raise their buy-back prices. This increase in buy-back prices subsequently encourages greater recycling of used products. Secondly, in a context marked by high cross-price elasticity, we observe abrupt pricing fluctuations in both online and offline sales channels. However, adopting blockchain technology can effectively mitigates these fluctuations, thus ensuring the sustained stability of demand in both sales channels. Thirdly, in the blockchain-enabled mode, equilibrium wholesale price, offline sales price, manufacturer’s buy-back price, and retailer’s buy-back price are higher compared to those in the traditional mode. Conversely, the equilibrium direct sales price is lower in the blockchain-enabled mode than in the traditional mode. Fourthly, changes in interest rates and cross-price elasticity have analogous impacts on pricing dynamics in both the traditional and blockchain-enabled modes. Fifthly, adopting blockchain technology leads to an all-win outcome for participants in SCF arrangements only when the benefits of blockchain-enabled traceability and reduced interest rates outweigh the costs associated with hosting and access.

Boming Xia,Dawen Zhang,Yue Liu,Qinghua Lu,Zhenchang Xing,Liming Zhu

2024-01-18

Abstract:The robustness of critical infrastructure systems is contingent upon the integrity and transparency of their software supply chains. A Software Bill of Materials (SBOM) is pivotal in this regard, offering an exhaustive inventory of components and dependencies crucial to software development. However, prevalent challenges in SBOM sharing, such as data tampering risks and vendors' reluctance to fully disclose sensitive information, significantly hinder its effective implementation. These challenges pose a notable threat to the security of critical infrastructure and systems where transparency and trust are paramount, underscoring the need for a more secure and flexible mechanism for SBOM sharing. To bridge the gap, this study introduces a blockchain-empowered architecture for SBOM sharing, leveraging verifiable credentials to allow for selective disclosure. This strategy not only heightens security but also offers flexibility. Furthermore, this paper broadens the remit of SBOM to encompass AI systems, thereby coining the term AI Bill of Materials (AIBOM). The advent of AI and its application in critical infrastructure necessitates a nuanced understanding of AI software components, including their origins and interdependencies. The evaluation of our solution indicates the feasibility and flexibility of the proposed SBOM sharing mechanism, positing a solution for safeguarding (AI) software supply chains, which is essential for the resilience and reliability of modern critical infrastructure systems.

Software Engineering

Can Ozkan,Xinhai Zhou,Dave Singelee

2024-12-06

Abstract:The SolarWinds attack that exploited weaknesses in the software update mechanism highlights the critical need for organizations to have better visibility into their software dependencies and potential vulnerabilities associated with them, and the Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. The executive order mandates that an SBOM should be provided for all software purchased by federal agencies. The main applications of SBOMs are vulnerability management and license management. This work presents an in-depth and systematic investigation into the integrity of SBOMs. We explore different attack vectors that can be exploited to manipulate SBOM data, including flaws in the SBOM generation and consumption phases in the SBOM life cycle. We thoroughly investigated four SBOM consumption tools and the generation process of SBOMs for seven prominent programming languages. Our systematic investigation reveals that the tools used for consumption lack integrity control mechanisms for dependencies. Similarly, the generation process is susceptible to integrity attacks as well, by manipulating dependency version numbers in package managers and additional files, resulting in incorrect SBOM data. This could lead to incorrect views on software dependencies and vulnerabilities being overlooked during SBOM consumption. To mitigate these issues, we propose a solution incorporating the decentralized storage of hash values of software libraries.

Cryptography and Security

Tingting Bi,Boming Xia,Zhenchang Xing,Qinghua Lu,Liming Zhu

DOI: https://doi.org/10.1145/3654442

IF: 3.685

2024-03-26

ACM Transactions on Software Engineering and Methodology

Abstract:The increase of software supply chain threats has underscored the necessity for robust security mechanisms, among which the Software Bill of Materials (SBOM) stands out as a promising solution. SBOMs, by providing a machine-readable inventory of software composition details, play a crucial role in enhancing transparency and traceability within software supply chains. This empirical study delves into the practical challenges and solutions associated with the adoption of SBOMs, through an analysis of 4,786 GitHub discussions across 510 SBOM-related projects. Through repository mining and analysis, this research delineates key topics, challenges, and solutions intrinsic to the effective utilization of SBOMs. Furthermore, we shed light on commonly used tools and frameworks for SBOM generation, exploring their respective strengths and limitations. This study underscores a set of findings, for example, there are four phases of the SBOM life cycle, and each phase has a set of SBOM development activities and issues; in addition, this study emphasizes that SBOM play in ensuring resilient software development practices and the imperative of their widespread adoption and integration to bolster supply chain security. The insights of our study provide vital input for future work and practical advancements in this topic.

computer science, software engineering

Menghui Lou,Xiaolei Dong,Zhenfu Cao,Jiachen Shen

DOI: https://doi.org/10.1155/2021/8884478

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The demands for the fairness, security, and efficiency of the supply chain have grown significantly due to the rise of globalization. However, some problems of the information flow, logistics, and capital flow in the supply chain remain a challenge, such as the information asymmetry between upstream and downstream, substandard quality of goods, difficulty in traceability, and default of payment. Therefore, this paper proposes a blockchain-based supply chain framework (SESCF), which solves the supply chain problems securely and efficiently. First, the use of blockchain and smart contracts ensures the information symmetry in the supply chain system. Second, the radio frequency identification (RFID) provides a unique identity of goods, which helps in real-time quality monitoring. Additionally, the immutability and distributed storage of the blockchain play an important role in tracking the origin of goods. Third, the efficient payment channel is used to solve the problem of payment defaults. Furthermore, simulations of smart contracts along with the security analyses are presented in this paper. We also implement a blockchain-based supply chain system (SescfDapp), which is built upon a Consortium blockchain. Large-scale experiments and detailed analysis prove the feasibility and efficiency of our proposed system.

Mehdi Mirakhorli,Derek Garcia,Schuyler Dillon,Kevin Laporte,Matthew Morrison,Henry Lu,Viktoria Koscinski,Christopher Enoch

2024-02-17

Abstract:Modern software applications heavily rely on diverse third-party components, libraries, and frameworks sourced from various vendors and open source repositories, presenting a complex challenge for securing the software supply chain. To address this complexity, the adoption of a Software Bill of Materials (SBOM) has emerged as a promising solution, offering a centralized repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches, exemplified by the SolarWinds attack, underscore the urgent need to enhance software security and mitigate vulnerability risks, with SBOMs playing a pivotal role in this endeavor by revealing potential vulnerabilities, outdated components, and unsupported elements. This research paper conducts an extensive empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM. We investigate emerging use cases in software supply chain security and identify gaps in SBOM technologies. Our analysis encompasses 84 tools, providing a snapshot of the current market and highlighting areas for improvement.

Software Engineering

Xingyu Tao,Peter Kok-Yiu Wong,Yuqing Xu,Yuhan Liu,Xingbo Gong,Chengliang Zheng,Moumita Das,Jack C.P. Cheng

DOI: https://doi.org/10.1016/j.compind.2023.103922

IF: 10

2023-08-01

Computers in Industry

Abstract:Managing versions of data for building information modeling (BIM) data is critical for design collaboration, especially with multiple disciplines involved where each team has specific data requirements and design procedures. However, existing version control approaches are still inefficient for two limitations: (1) lacking an efficient data structure for managing version dependencies among multi-disciplinary BIM models and (2) risking data manipulation due to a centralized versioning architecture that may lead to reworking, losing design traceability and raising disputes. Blockchain technology is an emerging and promising solution for version management as it provides a decentralized, immutable, and traceable database paradigm. Hence, this paper proposes a blockchain-aided solution for secure and efficient BIM versioning with three major innovations. Firstly, a two-layer container common data environment (TLCCDE) model integrating blockchain and Interplanetary File System (IPFS) is developed to illustrate an overall logic for BIM versioning in a distributed environment. Secondly, a smart contract swarm (SCS) is developed to automate versioning actions in the TLCCDE. Thirdly, a novel multi-branch structure (MBS) with efficient algorithms is designed to simultaneously manage version change continuity, issue attachment, and dependency compliance. The proposed TLCCDE model is evaluated and validated in design scenarios based on a real-world project. Results show that: (1) the TLCCDE model is workable in BIM versioning; (2) TLCCDE computing performance metrics, including SCS latency and throughput, as well as MBS latency and scalability, are all validated to be practical; and (3) the TLCCDE outperforms existing versioning approaches by augmenting dependency automation and versioning cybersecurity.

computer science, interdisciplinary applications

Chen Wanfa,Zheng Qing'an,Chen Shuzhen,Fu Hongyi,Chen Liang

DOI: https://doi.org/10.23919/jcc.fa.2023-0715.202406

2024-06-21

China Communications

Abstract:In recent years, blockchain technology integration and application has gradually become an important driving force for new technological innovation and industrial transformation. While blockchain technology and applications are developing rapidly, the emerging security risks and obstacles have gradually become prominent. Attackers can still find security issues in blockchain systems and conduct attacks, causing increasing losses from network attacks every year. In response to the current demand for blockchain application security detection and assessment in all industries, and the insufficient coverage of existing detection technologies such as smart contract detectiontechnology, this paper proposes a blockchain core technology security assessment system model, and studies the relevant detection and assessment key technologies and systems. A security assessment scheme based on a smart contract and consensus mechanism detection scheme is designed. And the underlying blockchain architecture supports the traceability of detection results using super blockchains. Finally, the functionality and performance of the system were tested, and the test results show that the model and solutions proposed in this paper have good feasibility.

telecommunications

Huaijin Wang,Zhibo Liu,Yanbo Dai,Shuai Wang,Qiyi Tang,Sen Nie,Shi Wu

2024-12-02

Abstract:Software composition analysis (SCA) denotes the process of identifying open-source software components in an input software application. SCA has been extensively developed and adopted by academia and industry. However, we notice that the modern SCA techniques in industry scenarios still need to be improved due to privacy concerns. Overall, SCA requires the users to upload their applications' source code to a remote SCA server, which then inspects the applications and reports the component usage to users. This process is privacy-sensitive since the applications may contain sensitive information, such as proprietary source code, algorithms, trade secrets, and user data. Privacy concerns have prevented the SCA technology from being used in real-world scenarios. Therefore, academia and the industry demand privacy-preserving SCA solutions. For the first time, we analyze the privacy requirements of SCA and provide a landscape depicting possible technical solutions with varying privacy gains and overheads. In particular, given that de facto SCA frameworks are primarily driven by code similarity-based techniques, we explore combining several privacy-preserving protocols to encapsulate the similarity-based SCA framework. Among all viable solutions, we find that multi-party computation (MPC) offers the strongest privacy guarantee and plausible accuracy; it, however, incurs high overhead (184 times). We optimize the MPC-based SCA framework by reducing the amount of crypto protocol transactions using program analysis techniques. The evaluation results show that our proposed optimizations can reduce the MPC-based SCA overhead to only 8.5% without sacrificing SCA's privacy guarantee or accuracy.

Software Engineering,Cryptography and Security

Wenan Tan,Hai Zhu,Jinjing Tan,Yao Zhao,Li Da Xu,Kai Guo

DOI: https://doi.org/10.1080/17517575.2021.1939426

2021-06-13

Enterprise Information Systems

Abstract:<span>The number of service offerings in cloud manufacturing continues to grow, so that service level agreement (SLA) within cloud manufacturing is increasingly used to ensure the coordination of the cross-organisational business processes between the cloud service providers (CSP) and cloud service consumers (CSC). The definition of SLA and monitoring SLA's performance are significant and should be highly valued to ensure the effectiveness and efficiency of business services. At present, the third-party monitoring methods based on service credit are mainly applied in cloud manufacturing environments. There is no effective supervision mechanism to monitor the third party and no efficient punishment mechanism on SLA violation. To address aforementioned issues, this paper proposes a novel Service Level Agreement model by integrating Blockchain and Smart Contract (SLABSC), in which trust issues among CSP, CSC, and the third-party monitoring can be addressed through Blockchain technologies. The method proposed in this paper realises the full functionality of SLABSC and facilitates data security, and it can be used to supervise CSP to provide better services. Experiments results show that the performance of the proposed model is valid and efficient.</span>

computer science, information systems

Ehsan Aghamohammadzadeh,Omid Fatahi Valilai

DOI: https://doi.org/10.1080/00207543.2020.1715507

IF: 9.018

2020-01-23

International Journal of Production Research

Abstract:In the near future, manufacturing industries will be mostly recognised with characteristics like IoT, and massive data transactions. To fulfil these characteristics, paradigms like Cloud manufacturing, Industry 4.0 and smart factory have passed their preliminary steps to become the primary inspirations. Considering the nature of Cloud manufacturing which consists of a vast number of service providers and Service demanders being introduced to the manufacturing cloud, service composition problem is introduced. However, there is a big challenge for fulfilling the dynamic behaviour of parameters which change rapidly over time in the service composition problem. This paper challenges the centralised mechanism of service composition problem and introduces a novel platform entitled Blockchain-based service composition model (Block-SC) based on the Blockchain technology. Block-SC as a novel manufacturing architecture conquers the centralised mechanism by dividing the original service composition problem into multiple sub-problems each of which contains a small fraction of the service/task pool. The capabilities of the proposed platform are remarkable from two perspectives; first, it provides an effective mechanism for collaboration of service composition service providers with a service-oriented approach and from the second perspective, the optimality of service composition problem is profoundly affected considering the dynamic behaviour of Cloud manufacturing.

engineering, manufacturing, industrial,operations research & management science

Weishan Zhang,Gang Sun,Liang Xu,Qinghua Lu,Huansheng Ning,Peiying Zhang,Su Yang

DOI: https://doi.org/10.1109/jiot.2021.3121512

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Regular safety inspection is critical to reduce safety risk in industry. Applying the consortium blockchain technology to safety inspection can ensure the effectiveness of the inspection process and tracing of problems. However, there are two major issues when using conventional consortium blockchain. It is challenging to guarantee the authenticity of the retrieved data source, and meanwhile, achieving a balance between performance and security is not easy. Hence, this article proposes a blockchain-based performance-security balanced safety inspection framework (PSB-SIF), in which a safety inspection box is designed to ensure the authenticity of the inspector’s identity while inspection logic is executed automatically via smart contracts. In addition, this article also proposes a novel credit scoring-based Byzantine fault-tolerant (BFT) consensus algorithm, named safety inspection BFT consensus algorithm (SIBFT), which is used to balance the performance and security of consensus network in a safety inspection. We evaluate the proposed approach by comparing with the solutions using RAFT, Practical BFT (PBFT), and SIBFT consensus algorithms in terms of throughput, transaction latency, scalability, and security of PSB-SIF. The evaluation results show that PSB-SIF is efficient for all these quality metrics.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dun Li,Dezhi Han,Noel Crespi,Roberto Minerva,Zhijie Sun

DOI: https://doi.org/10.48550/arXiv.2111.13538

2021-11-26

Cryptography and Security

Abstract:Supply chain finance(SCF) is committed to providing credit for small and medium-sized enterprises(SMEs) with low credit lines and small financing scales. The resulting financial credit data and related business transaction data are highly confidential and private. However, traditional SCF management schemes mostly use third-party platforms and centralized designs, which cannot achieve highly reliable secure storage and fine-grained access control. To fill this gap, this paper designs and implements Fabric-SCF, a secure storage and access control system based on blockchain and attribute-based access control (\textbf{ABAC}) model. This scheme uses distributed consensus to realize data security, traceability, and immutability. We also use smart contracts to define system processes and access policies to ensure the efficient operation of the system. To verify the performance of Fabric-SCF, we designed two sets of simulation experiments. The results show that Fabric-SCF achieves dynamic and fine-grained access control while maintaining high throughput in a simulated real-world operating scenario.

Seth Carmody,Andrea Coravos,Ginny Fahs,Audra Hatch,Janine Medina,Beau Woods,Joshua Corman

DOI: https://doi.org/10.1038/s41746-021-00403-w

IF: 15.2

2021-02-23

npj Digital Medicine

Abstract:Abstract An exploited vulnerability in a single software component of healthcare technology can affect patient care. The risk of including third-party software components in healthcare technologies can be managed, in part, by leveraging a software bill of materials (SBOM). Analogous to an ingredients list on food packaging, an SBOM is a list of all included software components. SBOMs provide a transparency mechanism for securing software product supply chains by enabling faster identification and remediation of vulnerabilities, towards the goal of reducing the feasibility of attacks. SBOMs have the potential to benefit all supply chain stakeholders of medical technologies without significantly increasing software production costs. Increasing transparency unlocks and enables trustworthy, resilient, and safer healthcare technologies for all.

health care sciences & services,medical informatics

Puwei Wang,Xiaohe Liu,Jinchuan Chen,Ying Zhan,Zhi Jin

DOI: https://doi.org/10.1145/3183440.3194978

2018-01-01

Abstract:Smart contracts that run on blockchains can ensure the transactions are automatically, reliably performed as agreed upon between the participants without a trusted third party. In this work, we propose a smart-contract based algorithm for constructing service-based systems through the composition of existing services.

Rafael Brundo Uriarte,Huan Zhou,Kyriakos Kritikos,Zeshun Shi,Zhiming Zhao,Rocco De Nicola

DOI: https://doi.org/10.1002/cpe.5800

2020-01-01

Abstract:SummaryThe current cloud market is dominated by a few providers, which offer cloud services in a take‐it‐or‐leave‐it manner. However, the dynamism and uncertainty of cloud environments may require the change over time of both application requirements and service capabilities. The current service‐level agreement (SLA) management solutions cannot easily guarantee a trustworthy, distributed SLA adaptation due to the centralized authority of the cloud provider who could also misbehave to pursue individual goals. To address the above issues, we propose a novel SLA management framework, which facilitates the specification and enforcement of dynamic SLAs that enable one to describe how, and under which conditions, the offered service level can change over time. The proposed framework relies on a two‐level blockchain architecture. At the first level, the smart SLA is transformed into a smart contract that dynamically guides service provisioning. At the second level, a permissioned blockchain is built through a federation of monitoring entities to generate objective measurements for the smart SLA/contract assessment. The scalability of this permissioned blockchain is also thoroughly evaluated. The proposed framework enables creating open distributed clouds, which offer manageable and dynamic services, and facilitates cost reduction for cloud consumers, while it increases flexibility in resource management and trust in the offered cloud services.

Caibo Zhou,Wenyan Song,Lingdi Liu,Zixuan Niu

DOI: https://doi.org/10.1109/case48305.2020.9216809

2020-01-01

Abstract:Smart product-service system (SPSS) is a new business model that integrates smart products and e-services to satisfy customer needs better and improve enterprise competitiveness. In case to reasonably and efficiently manage the products, services, information, and data generated throughout the SPSS lifecycle, it is necessary to conquer the problem of data insecurity and the low-trust between stakeholders. Blockchain can provide solutions because of its characteristics such as decentralized, irreversibility of records and smart contracts, etc. To solve the problem, this paper develops a conceptual framework for smart PSS lifecycle management which consists of four layers: perception layer, business resource layer, blockchain layer, and application layer. Furthermore, this paper introduces the typical improved services at each stage and an illustrative case of smart coffee machine service system. Finally, the paper puts forward the future work combined with limitations. This framework will help stakeholders achieve more secure and efficient SPSS lifecycle management and further enhance enterprise competitiveness.

Jiahao Sun,Chengrong Wu,Jiawei Ye

DOI: https://doi.org/10.1109/smartcloud49737.2020.00010

2020-01-01

Abstract:Compared to the virtual machine, containers that share the host's operating system kernel is a more lightweight virtualization technology. The container technology makes it easier and faster to deploy and update applications and the container orchestration technology provide people with a powerful tools to manage containers which make the clouds based on containers become popular. But at the same time, the container technology also introduces many security challenges. Among them, the vulnerabilities and malware in container images, as well as some wrong settings that violate security compliance rules, have become main potential security threats. In addition, tampered malicious images are likely to become entry points for the attacks to the cloud platform infrastructure and other containers. In this paper, we proposes a container cloud security enhancement system, based on blockchain technology. On the one hand, this system combines multi-apsects security checks to prevent the upload of images that contain security threats to the cloud environment. on the other hand, Using blockchain technology to verify the integrity of the image and record the information about security to prevent the generation of malicious containers based on tampered images. In addition, the security of the container cloud environment is further improved by scanning the images in the image repositories periodically, patching the images and upgrading the running containers in the cloud.

Moumita Das,Xingyu Tao,Yuhan Liu,Jack C.P. Cheng

DOI: https://doi.org/10.1016/j.autcon.2021.104001

IF: 10.3

2022-01-01

Automation in Construction

Abstract:Document management systems in AEC projects manage important project documents such as schedules, RFIs, and change orders. Hence, security concerns in document management systems especially involving data integrity of documents and records may have a severe effect on a project in terms of money and the reputations of project participants. Therefore, in this research blockchain technology is leveraged to facilitate data integrity in document management for construction applications through - (1) irreversible and irrevocable approval workflow logic via smart contract technology, (2) irreversible recording of document changes via blockchain ledger technology, and (3) document version history integrity via a blockchain-based data structure. A prototype of the proposed smart contract framework was developed using Hyperledger fabric and evaluated. The scalability of the proposed framework to support document version integrity was also evaluated and discussed. A formulation based on existing literature is developed to evaluate the cost viability of the proposed framework.