OSSIntegrity: Collaborative open-source code integrity verification

IF 4.8, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
DOI: 10.1016/j.cose.2024.103977
Journal: Computers & Security
Publication date: 2024-07-08
Publication type: Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S0167404824002827
Citations: 0

Abstract

Open-source software (OSS) libraries have become popular among developers because they reduce development time and costs. However, OSS can also be exploited as a means of conducting OSS supply chain attacks. In OSS attacks, malicious code is injected into libraries used by the target. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted towards a specific target (i.e., a developer). Since these attacks do not target general OSS repositories, they tend to stay under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)²V (secure crowdsource-based code verification), a novel distributed and scalable framework for verifying OSS libraries. (SC)²V is aimed at preventing targeted supply chain attacks and is integrated into the build phase of software production, serving as an additional code verification step before the application is packaged and deployed. (SC)²V involves both users (developers seeking to verify an OSS library) and verifiers who contribute to the collaborative verification effort. (SC)²V considers a library verified and safe when consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases) on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that our framework took an average of just 26 s to issue an alert against the attacks.
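The build-phase gate and verifier consensus the abstract describes, as an added illustration that is not the paper's code: the per-file SHA-256 fingerprint, the attestation format and the quorum of five (taken from the "at least five participants" figure) are assumptions, and the library contents are constructed.

```python
import hashlib
from collections import Counter

# Assumed threshold, taken from the abstract's "verified by at least five participants".
QUORUM = 5

# Constructed sample library snapshot (hypothetical contents, not from the paper).
LIBRARY = {
    "pkg/__init__.py": b"from .core import run\n",
    "pkg/core.py": b"def run():\n    return 'ok'\n",
}

def fingerprint(files):
    """Per-file SHA-256 digests of the library as seen at build time."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def consensus(attestations, quorum=QUORUM):
    """Assumed attestation format: one {path: digest} dict per verifier.
    Returns, per file, the digest that at least `quorum` verifiers agree on
    (None when no digest reaches the quorum, e.g. during cold start)."""
    verified = {}
    for path in {p for a in attestations for p in a}:
        counts = Counter(a[path] for a in attestations if path in a)
        digest, votes = counts.most_common(1)[0]
        verified[path] = digest if votes >= quorum else None
    return verified

def build_gate(files, attestations, quorum=QUORUM):
    """Build-phase check: alert on files whose digest differs from the consensus
    digest (possible injected code) or that no quorum has vouched for."""
    agreed = consensus(attestations, quorum)
    alerts = []
    for path, digest in fingerprint(files).items():
        expected = agreed.get(path)
        if expected is None:
            alerts.append((path, "no consensus"))
        elif expected != digest:
            alerts.append((path, "mismatch"))
    return alerts

def demo():
    """Five verifiers attest to the clean snapshot; the build sees a modified core.py."""
    attestations = [fingerprint(LIBRARY) for _ in range(5)]
    tampered = dict(LIBRARY, **{"pkg/core.py": b"def run():\n    return 'changed'\n"})
    return build_gate(tampered, attestations)  # [("pkg/core.py", "mismatch")]

if __name__ == "__main__":
    print(demo())
```

A file that appears only in the builder's copy, with no verifier attestation at all, is reported as "no consensus" rather than silently accepted.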

Source journal: Computers & Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.