Decentralized Review and Attestation of Software Attribute Claims

Software can be described, like human users and other objects, through attributes. For this work, we define software attributes as humanly verifiable, falsifiable, or judgeable statements regarding characteristics of said software. Much like attributes in general, software attributes require robust identities for their source but also for their target, meaning a software in general or a binary in particular. As software can be of critical importance, performing an independent review of attribute claims appears beneficial. We posit that decentralized platforms that were developed and refined over the past decade can bridge the gap between existing tools and methods for software review and their open, transparent, and accountable use for the benefit of users. In this work, we explore the feasibility and implications of decentralizing an independent review of software attribute claims. We envision the decentralization of a review process from initialization and execution to the persistent recording of results. We sketch the available design space by decomposing the overall process into a modular design and describe how each component covers overarching objectives. ... mehrTo illustrate practical implications and tradeoffs, we present ETHDPR, a proof of concept implementation based on Ethereum and IPFS. Through a quantitative and qualitative evaluation, we show that a decentralized software review is practically feasible. We illustrate the flexibility of the proposed approach using a toy example of a software component in automotive systems. Lastly, we provide a discussion on fundamental limits and open issues of facilitating independent reviews via technological means.