发布求助
文献互助 智能选刊 最新文献

Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses最新文献

筛选
英文 中文
Risk Explorer for Software Supply Chains: Understanding the Attack Surface of Open-Source based Software Development 软件供应链的风险探索者:理解基于开源的软件开发的攻击面
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564546
Piergiorgio Ladisa, H. Plate, Matias Martinez, Olivier Barais, Serena Elisa Ponta
{"title":"Risk Explorer for Software Supply Chains: Understanding the Attack Surface of Open-Source based Software Development","authors":"Piergiorgio Ladisa, H. Plate, Matias Martinez, Olivier Barais, Serena Elisa Ponta","doi":"10.1145/3560835.3564546","DOIUrl":"https://doi.org/10.1145/3560835.3564546","url":null,"abstract":"Supply chain attacks on open-source projects aim at injecting and spreading malicious code such that it is executed by direct and indirect downstream users. Recent work systematized the knowledge about such attacks and proposed a taxonomy in the form of an attack tree. We propose a visualization tool calledRisk Explorer for Software Supply Chains, which allows inspecting the taxonomy of attack vectors, their descriptions, references to real-world incidents and other literature, as well as information about associated safeguards. Being open-source itself, the community can easily reference new attacks, accommodate for entirely new attack vectors or reflect the development of new safeguards.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127282532","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Exorcist: Automated Differential Analysis to Detect Compromises in Closed-Source Software Supply Chains 驱魔师:在闭源软件供应链中检测妥协的自动差异分析
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564550
Frederick Barr-Smith, Tim Blazytko, Richard Baker, I. Martinovic
{"title":"Exorcist: Automated Differential Analysis to Detect Compromises in Closed-Source Software Supply Chains","authors":"Frederick Barr-Smith, Tim Blazytko, Richard Baker, I. Martinovic","doi":"10.1145/3560835.3564550","DOIUrl":"https://doi.org/10.1145/3560835.3564550","url":null,"abstract":"The insertion of trojanised binaries into supply chains are a particularly subtle form of cyber-attack that require a multi-staged and complex deployment methodology to implement and execute. In the years preceding this research there has been a spike in closed-source software supply chain attacks used to attack downstream clients or users of a company. To detect this attack type, we present an approach to detecting the insertion of malicious functionality in supply chains via differential analysis of binaries. This approach determines whether malicious functionality has been inserted in a particular build by looking for indicators of maliciousness. We accomplish this via automated comparison of a known benign build to successive potentially malicious versions. To substantiate this approach we present a system, Exorcist, that we have designed, developed and evaluated as capable of detecting trojanised binaries in Windows software supply chains. In evaluating this system we analyse 12 samples from high-profile APT attacks conducted via the software supply chain.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127790657","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
On the Use of Tests for Software Supply Chain Threats 软件供应链威胁测试的使用
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564557
J. Hejderup
{"title":"On the Use of Tests for Software Supply Chain Threats","authors":"J. Hejderup","doi":"10.1145/3560835.3564557","DOIUrl":"https://doi.org/10.1145/3560835.3564557","url":null,"abstract":"Development teams are increasingly investing in automating the updating of third-party libraries to limit the patch time of zero-day exploits such as the Equifax breach. GitHub bots such as Dependabot and Renovate build such functionality by leveraging existing test infrastructure in repositories to test and evaluate new library updates. However, two recent studies suggest that test suites in projects lack effectiveness and coverage to reliably find regressions in third-party libraries. Adequate test coverage and effectiveness are critical in discovering new vulnerabilities and weaknesses from third-party libraries. The recent Log4Shell incident exemplifies this, as projects will likely not have adequate tests for logging libraries. This position paper discusses the weaknesses and challenges of current testing practices and techniques from a supply chain security perspective. We highlight two key challenges that researchers and practitioners need to address: (1) the lack of resources and best practices for testing the uses of third-party libraries and (2) enhancing the reliability of automating library updates.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129781740","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis 通过用户代理分析推断智能家居物联网设备的软件更新实践
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564551
V. Prakash, Sicheng Xie, D. Huang
{"title":"Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis","authors":"V. Prakash, Sicheng Xie, D. Huang","doi":"10.1145/3560835.3564551","DOIUrl":"https://doi.org/10.1145/3560835.3564551","url":null,"abstract":"Smart home IoT devices are known to be breeding grounds for security and privacy vulnerabilities. Although some IoT vendors deploy updates, the update process is mostly opaque to researchers. It is unclear what software components are on devices, whether and when these components are updated, and how vulnerabilities change alongside the updates. This opaqueness makes it difficult to understand the security of software supply chains of IoT devices. To understand the software update practices on IoT devices, we leverage IoT Inspector's dataset of network traffic from real-world IoT devices. We analyze the User Agent strings from plain-text HTTP connections. We focus on four software components included in User Agents: cURL, Wget, OkHttp, and python-requests. By keeping track of what kinds of devices have which of these components at what versions, we find that many IoT devices potentially used outdated and vulnerable versions of these components---based on the User Agents---even though less vulnerable, more updated versions were available; and that the rollout of updates tends to be slow for some IoT devices.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"22 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115253804","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties 基于安全设计属性的软件供应链安全分析
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564556
C. Okafor, Taylor R. Schorlemmer, Santiago Torres-Arias, James C. Davis
{"title":"SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties","authors":"C. Okafor, Taylor R. Schorlemmer, Santiago Torres-Arias, James C. Davis","doi":"10.1145/3560835.3564556","DOIUrl":"https://doi.org/10.1145/3560835.3564556","url":null,"abstract":"This paper systematizes knowledge about secure software supply chain patterns. It identifies four stages of a software supply chain attack and proposes three security properties crucial for a secured supply chain: transparency, validity, and separation. The paper describes current security approaches and maps them to the proposed security properties, including research ideas and case studies of supply chains in practice. It discusses the strengths and weaknesses of current approaches relative to known attacks and details the various security frameworks put out to ensure the security of the software supply chain. Finally, the paper highlights potential gaps in actor and operation-centered supply chain security techniques.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"84 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132479727","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 15
An Empirical Study of Artifacts and Security Risks in the Pre-trained Model Supply Chain 预训练模型供应链中工件与安全风险的实证研究
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564547
Wenxin Jiang, Nicholas Synovic, R. Sethi, Aryan Indarapu, Matt Hyatt, Taylor R. Schorlemmer, G. Thiruvathukal, James C. Davis
{"title":"An Empirical Study of Artifacts and Security Risks in the Pre-trained Model Supply Chain","authors":"Wenxin Jiang, Nicholas Synovic, R. Sethi, Aryan Indarapu, Matt Hyatt, Taylor R. Schorlemmer, G. Thiruvathukal, James C. Davis","doi":"10.1145/3560835.3564547","DOIUrl":"https://doi.org/10.1145/3560835.3564547","url":null,"abstract":"Deep neural networks achieve state-of-the-art performance on many tasks, but require increasingly complex architectures and costly training procedures. Engineers can reduce costs by reusing a pre-trained model (PTM) and fine-tuning it for their own tasks. To facilitate software reuse, engineers collaborate around model hubs, collections of PTMs and datasets organized by problem domain. Although model hubs are now comparable in popularity and size to other software ecosystems, the associated PTM supply chain has not yet been examined from a software engineering perspective. We present an empirical study of artifacts and security features in 8 model hubs. We indicate the potential threat models and show that the existing defenses are insufficient for ensuring the security of PTMs. We compare PTM and traditional supply chains, and propose directions for further measurements and tools to increase the reliability of the PTM supply chain.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123604268","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 11
Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity 策略透明度:授权逻辑满足一般透明度以证明软件供应链的完整性
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI: 10.1145/3560835.3564549
Andrew Ferraiuolo, Razieh Behjati, Tiziano Santoro, Ben Laurie
{"title":"Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity","authors":"Andrew Ferraiuolo, Razieh Behjati, Tiziano Santoro, Ben Laurie","doi":"10.1145/3560835.3564549","DOIUrl":"https://doi.org/10.1145/3560835.3564549","url":null,"abstract":"Building reliable software is challenging because today's software supply chains are built and secured from tools and individuals from a broad range of organizations with complex trust relationships.In this setting, tracking the origin of each piece of software and understanding the security and privacy implications of using it is essential. In this work we aim to secure software supply chains by using verifiable policies in which the origin of information and the trust assumptions are first-order concerns and abusive evidence is discoverable. To do so, we propose Policy Transparency, a new paradigm in which policies are based on authorization logic and all claims issued in this policy language are made transparent by inclusion in a transparency log. Achieving this goal in a real-world setting is non-trivial and to do so we propose a novel software architecture called PolyLog. We find that this combination of authorization logic and transparency logs is mutually beneficial - transparency logs allow authorization logic claims to be widely available aiding in discovery of abuse, and making claims interpretable with policies allows misbehavior captured in the transparency logs to be handled proactively.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"9 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114746693","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Strength, Trust, and Harmony: The Challenges and Opportunities of Software Supply Chain Security 实力、信任与和谐:软件供应链安全的挑战与机遇
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-08 DOI: 10.1145/3560835.3563444
T. Rosen
{"title":"Strength, Trust, and Harmony: The Challenges and Opportunities of Software Supply Chain Security","authors":"T. Rosen","doi":"10.1145/3560835.3563444","DOIUrl":"https://doi.org/10.1145/3560835.3563444","url":null,"abstract":"As we think about enhancing software supply chain security, what does the landscape of threats and opportunities look like? What are useful ways for framing the problem, and how does the industry view the challenge? Where do responsibilities lie? Who has the power to make positive changes or to act with malice? And most importantly, what are the roles and responsibilities of industry, academia, government, and the open source community at large? In this keynote, industry veteran Trevor Rosen will offer some answers to these questions borne from his time at the center of the SolarWinds/SUNBURST breach and his experience in standing up a new supply chain integrity practice at GitHub. You can expect to hear some war stories, some strong opinions, and to walk away inspired to join hands with colleagues from all over the technical landscape to solve a huge (but tractable!) problem in information security.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131206262","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Adapting Static Taint Analyzers to Software Marketplaces: A Leverage Point for Mass Vulnerability Detection? 将静态污点分析仪应用于软件市场:大规模漏洞检测的杠杆点?
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-08 DOI: 10.1145/3560835.3564553
Daniel Krohmer, Kunal Sharma, Shih-Kung Chen
{"title":"Adapting Static Taint Analyzers to Software Marketplaces: A Leverage Point for Mass Vulnerability Detection?","authors":"Daniel Krohmer, Kunal Sharma, Shih-Kung Chen","doi":"10.1145/3560835.3564553","DOIUrl":"https://doi.org/10.1145/3560835.3564553","url":null,"abstract":"Improper input validation is still one of the most severe problem classes in web application security, although there are concepts with a good problem-solution fit, such as static taint analysis. In practice, however, existing static taint analyzers suffer from both high false positive and false negative rates, making them impractical for effective detection of new vulnerabilities. In this work, we present an approach that aims to systematically specialize existing taint analyzers toward software marketplaces to improve both recall and precision of their analyses. To validate whether our approach is suitable for finding new vulnerabilities in web applications, we applied a specialized taint-analyzer to a random sample of 1,000 plugins from the WordPress plugin store. As a result, we were able to disclose ten CVE entries, including two vulnerabilities with a high or even critical CVSS score. Our preliminary results indicate the principle feasibility of our approach and show that it may be suitable for mass vulnerability detection in software marketplaces, providing a promising foundation for future works in this domain.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-11-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132696424","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Towards the Detection of Malicious Java Packages 关于恶意Java包的检测
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-10-08 DOI: 10.1145/3560835.3564548
Piergiorgio Ladisa, H. Plate, Matias Martinez, Olivier Barais, Serena Elisa Ponta
{"title":"Towards the Detection of Malicious Java Packages","authors":"Piergiorgio Ladisa, H. Plate, Matias Martinez, Olivier Barais, Serena Elisa Ponta","doi":"10.1145/3560835.3564548","DOIUrl":"https://doi.org/10.1145/3560835.3564548","url":null,"abstract":"Open-source software supply chain attacks aim at infecting downstream users by poisoning open-source packages. The common way of consuming such artifacts is through package repositories and the development of vetting strategies to detect such attacks is ongoing research. Despite its popularity, the Java ecosystem is the less explored one in the context of supply chain attacks. In this paper, we present simple-yet-effective indicators of malicious behavior that can be observed statically through the analysis of Java bytecode. Then we evaluate how such indicators and their combinations perform when detecting malicious code injections. We do so by injecting three malicious payloads taken from real-world examples into the Top-10 most popular Java libraries from libraries.io. We found that the analysis of strings in the constant pool and of sensitive APIs in the bytecode instructions aid in the task of detecting malicious Java packages by significantly reducing the information, thus, making also manual triage possible.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-10-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125801079","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信