Academic Paper
Security Assurance Guidance for Third-Party IP
Document Type
Article
Author
Source
Journal of Hardware and Systems Security; March 2017, Vol. 1 Issue: 1 p38-55, 18p
Subject
Language
ISSN
25093428; 25093436
Abstract
System OEMs are increasingly adopting the motto “Trust but verify” when it comes to their supply chains. After several public incidents in which trusted vendors unknowingly provided vulnerable components, OEMs are requesting evidence of security assurance before integrating components into their products. It can be problematic for semiconductor vendors to provide such evidence since their products often contain 3rd-party components that are typically treated as black boxes. Moreover, asking 3rd-party vendors to provide such evidence for their components is equally problematic due to the many integration unknowns and a lack of applicable literature on security assurance for standalone technologies. We address these issues by defining a security process and relationship between semiconductor vendors and trusted 3rd-party component providers and a practical methodology to produce standardized quality security assurance evidence. We provide example applications of the methodology using several open source components.