Towards Zero-Knowledge Based Private and Verifiable Software Assurance
摘要
Software and software-defined architectures make up an increasingly large part of ICT-based critical infrastructures such as mobile networks that the society of today relies on for fundamental services. This increase, in combination with geopolitical tension, drives stronger needs for security assurance of software. The needs are reflected in regulations on transparency and software assurance, established by governmental and industrial organizations. A counteracting business need of equipment vendors is to keep their source code private. In addition, there is a need for governments, operators and their customers to obtain guarantees that assurance evaluators do not accidentally or intentionally leak vulnerabilities found during evaluation. We investigate the challenges posed by these seemingly contradicting needs. We propose a zero-knowledge proof based conceptual framework, which simultaneously partly addresses both the need for software confidentiality and the assurance of its quality. We make a preliminary analysis of the framework. We have implemented a first prototype showing that the framework can be instantiated. In this short paper, we also discuss future research directions for the community exploring the limits of the framework, qualitative properties provable, and software component complexity manageable.