发布求助
文献互助 智能选刊 最新文献

Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses最新文献

筛选
英文 中文
Talking Trojan: Analyzing an Industry-Wide Disclosure 会说话的木马:分析一个全行业的信息披露
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-09-22 DOI: 10.1145/3560835.3564555
Nicholas Boucher, Ross J. Anderson
{"title":"Talking Trojan: Analyzing an Industry-Wide Disclosure","authors":"Nicholas Boucher, Ross J. Anderson","doi":"10.1145/3560835.3564555","DOIUrl":"https://doi.org/10.1145/3560835.3564555","url":null,"abstract":"While vulnerability research often focuses on technical findings and post-public release industrial response, we provide an analysis of the rest of the story: the coordinated disclosure process from discovery through public release. The industry-wide 'Trojan Source' vulnerability which affected most compilers, interpreters, code editors, and code repositories provided an interesting natural experiment, enabling us to compare responses by firms versus nonprofits and by firms that managed their own response versus firms that outsourced it. We document the interaction with bug bounty programs, government disclosure assistance, academic peer review, and press coverage, among other topics. We compare the response to an attack on source code with the response to a comparable attack on NLP systems employing machine-learning techniques. We conclude with recommendations to improve the global coordinated disclosure system.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-09-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123109790","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Automatic Security Assessment of GitHub Actions Workflows GitHub动作工作流的自动安全评估
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-08-07 DOI: 10.1145/3560835.3564554
Giacomo Benedetti, Luca Verderame, A. Merlo
{"title":"Automatic Security Assessment of GitHub Actions Workflows","authors":"Giacomo Benedetti, Luca Verderame, A. Merlo","doi":"10.1145/3560835.3564554","DOIUrl":"https://doi.org/10.1145/3560835.3564554","url":null,"abstract":"The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub). We developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"64 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123265684","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 10
Preventing or Mitigating Adversarial Supply Chain Attacks: A Legal Analysis 预防或减轻对抗性供应链攻击:法律分析
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-08-06 DOI: 10.1145/3560835.3564552
K. Ludvigsen, Shishir Nagaraja, A. Daly
{"title":"Preventing or Mitigating Adversarial Supply Chain Attacks: A Legal Analysis","authors":"K. Ludvigsen, Shishir Nagaraja, A. Daly","doi":"10.1145/3560835.3564552","DOIUrl":"https://doi.org/10.1145/3560835.3564552","url":null,"abstract":"The world is currently strongly connected through both the internet at large, but also the very supply chains which provide everything from food to infrastructure and technology. The supply chains are themselves vulnerable to adversarial attacks, both in a digital and physical sense, which can disrupt or at worst destroy them. In this paper, we take a look at two examples of such successful attacks to put the idea of Supply Chain Attacks into perspective, and analyse how EU and national law can prevent these attacks or otherwise punish companies which do not try to mitigate them at all possible costs. We find that the current types of national regulation are not technology specific enough, and cannot force or otherwise mandate the correct parties who could play the biggest role in preventing supply chain attacks to do everything in their power to mitigate them. But, current EU law is on the right path, and further textcolorblack development of this may be what is necessary to combat these large threats, as national law may fail at properly regulating companies when it comes to cybersecurity.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"80 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132274685","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses 2022年ACM软件供应链进攻研究和生态系统防御研讨会论文集
Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 1900-01-01 DOI: 10.1145/3560835
{"title":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","authors":"","doi":"10.1145/3560835","DOIUrl":"https://doi.org/10.1145/3560835","url":null,"abstract":"","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129005331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
首页 上一页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信