Software provenance validation

Assignee

• MICROSOFT TECHNOLOGY LICENSING, LLC · US

Inventors

• Claire Novotny · New York, US
• Jared Porter Parsons · Kirkland, US
• Jason Shaver · Redmond, US
• Jobst-Immo Landwerth · Redmond, US
• Richard Steele Gibson · Gig Harbor, US
• Tomas Matousek · Redmond, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F21/57
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Software provenance validation reports whether a validation binary matches the source code, resources, and other parts, as well as the compiler, runtime, operating system, and other context, which is specified in a provenance manifest for a release binary. Part context checksums, software versions, tool parameters, and other aspects of a build are checked. Certification signatures, timestamps, certain version differences, source code locations, and other data may be ignored for validation purposes. A provenance manifest may include other provenance manifests, including binary rewrite manifests. The provenance manifest may be stored in a debugger file with symbol information, or stored separately. Partial matches may be reported, with details of what matches or does not match. After provenance of a binary is validated, the binary's source code can be analyzed for vulnerabilities, thereby enhancing software supply chain security.