US-12621161-B1 - Automated software build capacity incorporating code generated in software development environments with varying levels of security
Abstract
Systems and methods are provided for automatically building software in a secure environment. A system includes a software development environment, having an associated security level. The software development environment generates an encrypted software module containing a software module and a cryptographic hash representing a content of the software module and provides it to a software repository. The software repository, in response to receipt of a build plan, decrypts the encrypted software module to recover the software module and the cryptographic hash representing the content of the software module, generates a new cryptographic hash for the software module, and verifies that the new cryptographic hash matches the cryptographic hash representing the content of the software module. A build environment receives the plurality of software modules from the software repository and generates a software build from the plurality of software modules based upon the build plan.
Inventors
- Brian J. Noe
- Francis B. Afinidad
- Brian Wilkins
- Catherine M. Boyce
- Douglas M. Dyer
- Steven D. Ratts
Assignees
- NORTHROP GRUMMAN SYSTEMS CORPORATION
Dates
- Publication Date: 20260505
- Application Date: 20210504
Claims (10)
- 1. A method comprising: generating a software build comprising a plurality of software artifacts from a plurality of software modules, the software build having an associated build number that identifies the software build; combining the plurality of software artifacts into an archive file; generating a build hash representing the contents of the archive file; encrypting the given archive file and the build hash using an encryption key associated with the security level of the software build to provide an encrypted build file; sending the encrypted build file to a build repository; developing a software module associated with the software build; reviewing the software module to establish a security level for the software module; generating a cryptographic hash representing the contents of the software module using a hash key that is uniquely associated with the build number; encrypting the software module and the cryptographic hash using a key to provide an encrypted software module, the key being associated with the security level of the software module; and sending the encrypted software module to a software repository.
- 2. The method of claim 1, further comprising: providing a build plan requiring a plurality of software modules, which comprises the software module, to a software repository storing a plurality of encrypted software modules corresponding to the plurality of software modules; decrypting each of the plurality of encrypted software modules to provide the plurality of software modules and a plurality of cryptographic hashes, which comprises the cryptographic hash, each representing the content of one of the plurality of software modules; generating a new cryptographic hash for each of the plurality of software modules; verifying that the new cryptographic hash for each of the plurality of software modules matches the cryptographic hash representing the content of the software module; selecting a build environment based on a level of security associated with the build plan; and providing the plurality of software modules to the selected build environment.
- 3. The method of claim 1, wherein developing a software module comprises: retrieving an existing software module and an error report from the software repository; and modifying the existing software module in accordance with the error report to provide the software module.
- 4. The method of claim 1, wherein the software repository is a multi-level software repository comprising a plurality of levels with associated levels of security, and sending the encrypted software module to the software repository comprises sending the encrypted software module to one of the plurality of levels that corresponds to the security level for the software module.
- 5. The method of claim 1, wherein generating the cryptographic hash representing the contents of the software module comprises generating the cryptographic hash with a Secure Hash Algorithm (SHA).
- 6. A method comprising: providing a build plan requiring a plurality of software modules to a software repository storing a plurality of encrypted software modules corresponding to the plurality of software modules; decrypting each of the plurality of encrypted software modules to provide the plurality of software modules and a plurality of cryptographic hashes, each representing the content of one of the plurality of software modules; generating a new cryptographic hash for each of the plurality of software modules; verifying that the new cryptographic hash for each of the plurality of software modules matches the cryptographic hash representing the content of the software module; providing the plurality of software modules to a selected build environment generating a software build, comprising a plurality of software artifacts, from the plurality of software modules; combining the plurality of software artifacts into an archive file; generating a build hash representing the contents of the archive file; encrypting the given archive file and the build hash using an encryption key associated with the security level of the software build to provide an encrypted build file; and sending the encrypted build file to a build repository.
- 7. The method of claim 6, further comprising: developing a given software module of the plurality of software modules; reviewing the given software module to establish a security level for the software module; generating a cryptographic hash representing the contents of the given software module; encrypting the given software module and the cryptographic hash using a key to provide one of the plurality of encrypted software modules, the key being associated with the security level of the given software module; and sending the encrypted software module to the software repository.
- 8. The method of claim 6, wherein providing the plurality of software modules to a selected build environment comprises providing the plurality of software modules to the selected build environment via a cross domain solution.
- 9. The method of claim 6, wherein decrypting each of the plurality of encrypted software modules comprises verifying that a level of security associated with each of the plurality of encrypted software modules is not higher than the level of security of the build plan.
- 10. The method of claim 6, further comprising, when the new cryptographic hash for one of the plurality of software modules does not match the cryptographic hash representing the content of the one of the plurality of software modules, generating an error message and preventing the one of the plurality of software modules from being provided to the build environment.
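The module flow recited in claims 1, 6, 9 and 10 (hash with a build-specific key, encrypt under a level-specific key, then decrypt, re-hash and gate release on the build plan's level), as an added example that is not from the patent or its assignee. AES-256-GCM, HMAC-SHA256 as the keyed hash, the blob layout, integer security levels, the `ReleaseDenied` error and all key values are assumptions made for illustration.

```ruby
require 'openssl'

# Assumed blob layout (not from the patent):
#   nonce(12) || tag(16) || AES-256-GCM(module || HMAC-SHA256(hash_key, module))
NONCE_LEN, TAG_LEN, HASH_LEN = 12, 16, 32
class ReleaseDenied < StandardError; end

def keyed_hash(hash_key, mod)
  OpenSSL::HMAC.digest('SHA256', hash_key, mod)
end

# Development side: hash with the build's hash key, then encrypt module+hash
# under the key tied to the module's security level.
def seal(mod, hash_key, level_key)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = level_key
  nonce = c.random_iv
  c.auth_data = ''
  ct = c.update(mod.b + keyed_hash(hash_key, mod)) + c.final
  nonce + c.auth_tag + ct
end

# Repository side: level check, decrypt, re-hash, compare. Any failure raises,
# so the module is never handed to the build environment.
def release(blob, hash_key, level_key, mod_level, plan_level)
  raise ReleaseDenied, 'module level exceeds build plan level' if mod_level > plan_level
  raise ReleaseDenied, 'truncated blob' if blob.bytesize < NONCE_LEN + TAG_LEN + HASH_LEN
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = level_key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.auth_data = ''
  body = blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)
  plain = d.update(body) + d.final # raises OpenSSL::Cipher::CipherError if tampered
  mod = plain.byteslice(0, plain.bytesize - HASH_LEN)
  stored = plain.byteslice(-HASH_LEN, HASH_LEN)
  unless OpenSSL.fixed_length_secure_compare(keyed_hash(hash_key, mod), stored)
    raise ReleaseDenied, 'hash mismatch: module withheld from build'
  end
  mod
end

# Constructed sample keys: one per security level, one hash key per build number.
LEVEL_KEYS = { 1 => 'L' * 32, 2 => 'H' * 32 }.freeze
HASH_KEYS = { 41 => 'constructed-hash-key-41', 42 => 'constructed-hash-key-42' }.freeze
SAMPLE = seal('int main(void) { return 0; }', HASH_KEYS[41], LEVEL_KEYS[1])
puts release(SAMPLE, HASH_KEYS[41], LEVEL_KEYS[1], 1, 2)
```

With an authenticated cipher, modification of the stored blob already fails at decryption; in this sketch the inner keyed hash is what rejects a module that was sealed for a different build number.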
Description
TECHNICAL FIELD
This invention relates to cybersecurity, and more particularly, to securely building software incorporating code generated in software development environments with varying levels of security.
BACKGROUND
Modern military and civilian government systems need to combine software developed at multiple classification levels, typically including both commercial off the shelf (COTS) software and mission-specific software residing at multiple classification levels. These systems typically require multiple software build configurations (e.g., tactical/operational, test, maintenance, etc.) that serve different purposes and may therefore be composed from a subset of software modules and data specific to their intended purpose. For example, a maintenance software build may omit software and data components that are not required to accomplish maintenance activities and thus not needed by maintenance personnel. Similarly, a test build may include some additional test-specific software components or test variants of software components. Such software builds may also need to be compatible with system level requirements limiting the highest classification level needed to perform maintenance activities.
SUMMARY OF THE INVENTION
In one example, a system includes a software development environment, having an associated security level. The software development environment generates an encrypted software module containing a software module and a cryptographic hash representing a content of the software module and provides it to a software repository. The software repository, in response to receipt of a build plan, decrypts the encrypted software module to recover the software module and the cryptographic hash representing the content of the software module, generates a new cryptographic hash for the software module, and verifies that the new cryptographic hash matches the cryptographic hash representing the content of the software module. A build environment receives the plurality of software modules from the software repository and generates a software build from the plurality of software modules based upon the build plan.
In another example, a method is provided. The method includes developing a software module and reviewing the software module to establish a security level for the software module. A cryptographic hash representing the contents of the software module is generated and the software module and the cryptographic hash are encrypted using a key to provide an encrypted software module. The key is associated with the security level of the software module. The encrypted software module is sent to a software repository.
In yet another example, a method is provided. The method includes providing a build plan requiring a plurality of software modules to a software repository storing a plurality of encrypted software modules corresponding to the required plurality of software modules. Each of the plurality of encrypted software modules is decrypted to provide the plurality of software modules and a plurality of cryptographic hashes. Each cryptographic hash represents the content of one of the plurality of software modules. A new cryptographic hash is generated for each of the plurality of software modules, and it is verified that the new cryptographic hash for each of the plurality of software modules matches the cryptographic hash representing the content of the software module. The plurality of software modules are provided to a selected build environment.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates one example of a system for building software that can incorporate code generated in software development environments with varying levels of security;
FIG. 2 illustrates one implementation of a system for building software that can incorporate code generated in software development environments with varying levels of security;
FIG. 3 illustrates a method of providing a software module for a system including software development environments with varying levels of security;
FIG. 4 illustrates a method for executing a build plan in a system including software development environments with varying levels of security; and
FIG. 5 is a schematic block diagram illustrating an exemplary system of hardware components capable of implementing examples of the systems and methods disclosed herein.
DETAILED DESCRIPTION
As used herein, the term “includes” means includes but not limited to, the term “including” means including but not limited to. The term “based on” means based at least in part on. Additionally, where the disclosure or claims recite “a,” “an,” “a first,” or “another” element, or the equivalent thereof, it should be interpreted to include one or more than one such element, neither requiring nor excluding two or more such elements.
As used herein, a “software build environment” or “build environment” is a collection of hardware and software tools that a system developer uses to build software systems,