Fortifying the Foundation: RESCALE’s Revolution in Secure Supply Chains
As the computing landscape becomes increasingly complex, reliance on integrated hardware, firmware and software components sourced from expansive supply chains has introduced systemic integrity gaps. Supply-chain attacks and accidental vulnerabilities have become a defining risk for modern computing. Whether a cloud service built from open-source packages or an embedded platform combining firmware and silicon IP, today’s “product” is a moving graph of dependencies. High-profile incidents, such as the SolarWinds attack, have underscored the urgent need for verifiable security and trust across the entire ecosystem. It is against this backdrop that the Revolutionised Enhanced Supply Chain Automation with Limited Threats Exposure (RESCALE) project (Grant Agreement 101120962) has developed a comprehensive, secure-by-design assurance framework, making supply-chain assurance automated, evidence-based and continuously updated.
Ahead of our dedicated workshop at the HiPEAC 2026 conference in Kraków, RESCALE is moving from a conceptual framework to a fully integrated and validated platform. Our mission is to deliver verifiable audit procedures and guarantees, replacing reliance on unverified traditional documentation with the project’s central innovation: the Trusted Bill of Materials (TBOM). This article outlines the project’s purpose and the substantial architectural and technical progress achieved in creating a resilient foundation for the next generation of computing security.
From SBOMs to TBOMs: trust with proof
As already stated, RESCALE’s central concept is the Trusted Bill of Materials (TBOM). A Software Bill of Materials (SBOM) answers “what is included?”, but not whether components were assessed, how, or whether the evidence is current. RESCALE binds components to verifiable security evidence and trust metadata via two artifacts: a Static Supply Chain component Guarantee (SSCG), derived from static analysis (including formal techniques), and a Dynamic Supply Chain component Guarantee (DSCG), derived from runtime testing (including fuzzing, firmware analysis, and other dynamic assessments). Together, these enable a traceable path from tool output to a structured, auditable trust record.
Trust as a living property
In RESCALE, trust is not a one-off label. TBOMs are linked to a Bill of Vulnerabilities (BOV) that is updated when new vulnerability intelligence appears or when new analysis results are generated. The TBOM lifecycle tracks vulnerability posture across severity categories (instead of an “average” score) and supports an “unknown” class for newly detected issues that are not yet in public databases. This matters in practice: supply-chain security must reflect both known CVEs and issues discovered through project-specific analyses.
A deployment-oriented architecture
RESCALE organises the platform into three cooperating domains. The Assessment Domain hosts the testing toolchain and the SSCG/DSCG generators. The Management Domain orchestrates workflows and stores TBOM-related documents in repositories. The Security & Trust Domain provides continuous monitoring, certificate-based identity and distributed-ledger integration for tamper-evident traceability across organisations.
At the centre sits the Trust Orchestrator (TrustOR). TrustOR generates and validates TBOMs by ingesting SBOMs, SSCGs and DSCGs, managing TBOM lifecycle state and coordinating re-evaluation when new security signals arrive. The ledger stores cryptographic proofs (hashes and relationships), while full documents remain in managed repositories, enabling verifiability without unnecessary disclosure.
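The three ideas above (a TBOM that binds SBOM components to SSCG/DSCG evidence, a BOV tallied per severity class with an "unknown" bucket, and a ledger that holds only hashes and relationships while documents stay in repositories) can be made concrete in a few dozen lines. The following is an added illustration, not RESCALE's TBOM schema or TrustOR code; the field names, the `pkg:` identifiers, the placeholder CVE id and the sample evidence documents are all constructed for the example, and the policy of counting findings without a public identifier under "unknown" is an assumed reading of the text.

```python
"""Illustrative TBOM / BOV / ledger-proof model (added example, not the RESCALE schema)."""
import hashlib
import json

SEVERITIES = ("critical", "high", "medium", "low", "unknown")


def canonical_hash(doc: dict) -> str:
    """Hash a document in canonical JSON so repository and ledger agree byte-for-byte."""
    blob = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


# --- constructed sample inputs (not pilot data) -------------------------------
SBOM = {
    "name": "example-service", "version": "1.4.2",
    "components": [
        {"name": "libfoo", "version": "2.0.1", "purl": "pkg:generic/libfoo@2.0.1"},
        {"name": "libbar", "version": "0.9.0", "purl": "pkg:generic/libbar@0.9.0"},
    ],
}
SSCG_FOO = {"component": "pkg:generic/libfoo@2.0.1", "kind": "SSCG", "tool": "static-scanner",
            "findings": [{"public_id": "CVE-PLACEHOLDER-1", "severity": "high"}]}
DSCG_FOO = {"component": "pkg:generic/libfoo@2.0.1", "kind": "DSCG", "tool": "api-fuzzer",
            "findings": [{"severity": "medium"}]}  # no public id yet -> "unknown" class
SSCG_BAR = {"component": "pkg:generic/libbar@0.9.0", "kind": "SSCG", "tool": "static-scanner",
            "findings": []}
EVIDENCE = [SSCG_FOO, DSCG_FOO, SSCG_BAR]


def build_bov(evidence: list) -> dict:
    """Bill of Vulnerabilities: per-severity counts, not an average score.
    Assumed policy: a finding without a public identifier is counted as 'unknown'."""
    counts = {s: 0 for s in SEVERITIES}
    for doc in evidence:
        for finding in doc["findings"]:
            key = finding["severity"] if finding.get("public_id") else "unknown"
            counts[key] += 1
    return counts


def build_tbom(sbom: dict, evidence: list) -> dict:
    """Bind each SBOM component to the hashes of its SSCG/DSCG documents."""
    refs_by_component = {}
    for doc in evidence:
        refs_by_component.setdefault(doc["component"], []).append(
            {"kind": doc["kind"], "sha256": canonical_hash(doc)})
    tbom = {"sbom_sha256": canonical_hash(sbom), "state": "validated", "components": []}
    for comp in sbom["components"]:
        refs = refs_by_component.get(comp["purl"], [])
        kinds = {r["kind"] for r in refs}
        tbom["components"].append({
            "purl": comp["purl"], "evidence": refs,
            # only components with both static and dynamic guarantees count as assessed
            "assessed": {"SSCG", "DSCG"} <= kinds,
        })
    tbom["bov"] = build_bov(evidence)
    return tbom


def ledger_entry(tbom: dict) -> dict:
    """What goes on the ledger: the TBOM hash and the evidence hashes it references.
    No document bodies, so the proof can be public without disclosing findings."""
    hashes = sorted(r["sha256"] for c in tbom["components"] for r in c["evidence"])
    return {"tbom_sha256": canonical_hash(tbom), "evidence": hashes}


def verify_document(doc: dict, entry: dict) -> bool:
    """Check a document fetched from a repository against the ledger proof."""
    return canonical_hash(doc) in entry["evidence"]


def on_new_signal(sbom: dict, evidence: list, new_doc: dict, entry: dict):
    """New dynamic result or vulnerability intelligence: rebuild the TBOM and
    flag it for re-evaluation if the ledger proof no longer matches."""
    updated = build_tbom(sbom, evidence + [new_doc])
    changed = canonical_hash(updated) != entry["tbom_sha256"]
    if changed:
        updated["state"] = "re-evaluated"
    return updated, changed


if __name__ == "__main__":
    tbom = build_tbom(SBOM, EVIDENCE)
    entry = ledger_entry(tbom)
    print(json.dumps(tbom["bov"]), verify_document(DSCG_FOO, entry))
```

Two design points carried over from the article: the verifier never needs the evidence bodies, only their hashes, so a consumer can check a document it was given without the ledger revealing anything else; and because the TBOM hash covers the BOV, any new DSCG or vulnerability signal changes the proof and forces the re-evaluation step rather than silently leaving a stale trust record.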
Progress: integrating a broad security toolchain
RESCALE has advanced a CI-friendly assessment toolbox. On the static side, SASTer-CLI provides containerised, modular scanning for common languages (e.g., C/C++ and Python) with standardised outputs. SAVE-ME applies ML-based static vulnerability detection to Erlang using a fine-tuned CodeBERT approach, while DetectEr adds runtime/formal verification techniques for concurrent systems. Where source code is unavailable, IVEE contributes binary-level analysis using symbolic execution.
On the dynamic side, RAISE extends stateful REST API fuzzing with optimisation to prioritise higher-risk request sequences, while EvoMaster-based approaches (including BRUTE) support evolutionary testing with runtime feedback. For embedded firmware, FATex combines extraction and emulation-based analysis to produce actionable findings. RESCALE also includes hardware-relevant assessment capabilities, including side-channel leakage evaluation techniques, to better capture risks that matter for real deployments.
Pilots: GRiSP.io and SkyFlok in the loop
Two pilot tracks keep RESCALE grounded. The PST pilot centres on the GRiSP.io ecosystem, integrating static and dynamic testing into CI/CD for Erlang and C components and producing SSCGs/DSCGs that can be published to the platform or executed in “dry run” mode for developer-only feedback. The CC pilot focuses on the SkyFlok platform, applying analysis to Python microservices and a shared in-house C++ library (Rlnclib), enabling realistic evaluation of dependency propagation across services.
Beyond producing evidence, the pilots exercise supply-chain behaviours: validating TBOMs in the dashboard for end users, generating TBOMs for shared dependencies and triggering update-and-notify flows when new vulnerabilities appear or when new dynamic results change the TBOM/BOV.
RESCALE tracks progress systematically against earlier state-of-the-art gaps. In the latest consolidation, 14 of the initial 30 gaps are fully addressed, 12 are partially addressed and progressing through final integration and validation and 4 remain open with defined resolution actions. Pilot integration has also surfaced six new gaps, reinforcing RESCALE’s focus on operational practicality.
RESCALE at HiPEAC 2026
The RESCALE workshop at HiPEAC 2026 will showcase the end-to-end flow: automated assessment producing SSCG/DSCG evidence, TBOM generation and validation via TrustOR, ledger-backed traceability and continuous trust updates as vulnerability intelligence evolves. For the HiPEAC community, where embedded platforms, hardware/software co-design and performance-critical systems meet, RESCALE offers a practical blueprint for supply-chain assurance that spans source code, binaries, firmware and hardware. As RESCALE moves into its final phase, the focus is on tightening end-to-end integration, completing validation of partially covered requirements and packaging the platform for adoption, on-premises where needed, CI-native where possible.
FURTHER INFORMATION:
· D2.5: High Level Architecture (first version): https://zenodo.org/records/16971227
· RESCALE: Contribution to standardisation | RESCALE White Paper 2025: https://zenodo.org/records/17896135
· RESCALE Workshop at HiPEAC 2026: https://www.hipeac.net/2026/krakow/#/program/8263/
The RESCALE project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No. 101120962.
Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.