Piergiorgio Ladisa,Serena Elisa Ponta,Antonino Sabetta,Matias Martinez,Olivier Barais

DOI: https://doi.org/10.48550/arXiv.2304.05200

2023-04-11

Abstract:This work discusses open-source software supply chain attacks and proposes a general taxonomy describing how attackers conduct them. We then provide a list of safeguards to mitigate such attacks. We present our tool "Risk Explorer for Software Supply Chains" to explore such information and we discuss its industrial use-cases.

Cryptography and Security,Software Engineering

Marc Ohm,Henrik Plate,Arnold Sykosch,Michael Meier

DOI: https://doi.org/10.48550/arXiv.2005.09535

2020-05-19

Cryptography and Security

Abstract:A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.

Betul Gokkaya,Leonardo Aniello,Basel Halak

DOI: https://doi.org/10.48550/arXiv.2305.14157

2023-05-23

Cryptography and Security

Abstract:The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. As the reliance of software projects on open-source or proprietary modules is increasing drastically, SSC is becoming more and more critical and, therefore, has attracted the interest of cyber attackers. While existing studies primarily focus on software supply chain attacks' prevention and detection methods, there is a need for a broad overview of attacks and comprehensive risk assessment for software supply chain security. This study conducts a systematic literature review to fill this gap. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks, and we identify the security risks for open-source and third-party software supply chains. Furthermore, this study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.

Luıs Soeiro,Thomas Robert,Stefano Zacchiroli

2023-11-20

Abstract:The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain. Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security. This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model.

Cryptography and Security

Carmine Cesarano,Vivi Andersson,Roberto Natella,Martin Monperrus

DOI: https://doi.org/10.1145/3689944.3696166

2024-09-17

Abstract:In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain security risks, as a single compromised package can have cascading impacts. Existing supply chain attack taxonomies overlook language-specific features that can be exploited by attackers to hide malicious code. In this paper, we propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our taxonomy identifies patterns in which language-specific Go features, intended for benign purposes, can be misused to propagate malicious code stealthily through supply chains. Additionally, we introduce GoSurf, a static analysis tool that analyzes the attack surface of Go packages according to our proposed taxonomy. We evaluate GoSurf on a corpus of widely used, real-world Go packages. Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem, allowing developers and security analysts to prioritize code audit efforts and uncover hidden malicious behaviors.

Cryptography and Security

Nusrat Zahan

DOI: https://doi.org/10.1109/ICSE-Companion58688.2023.00068

2023-05-01

Abstract:Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.

Computer Science,Business,Engineering

Md Jobair Hossain Faruk,Masrura Tasnim,Hossain Shahriar,Maria Valero,Akond Rahman,Fan Wu

DOI: https://doi.org/10.1109/ISSREW55968.2022.00081

2022-01-01

Abstract:Software supply chain attacks occur during the processes of producing software is compromised, resulting in vulnerabilities that target downstream customers. While the number of successful exploits is limited, the impact of these attacks is significant. Despite increased awareness and research into software supply chain attacks, there is limited information available on mitigating or architecting for these risks, and existing information is focused on singular and independent elements of the supply chain. In this paper, we extensively review software supply chain security using software development tools and infrastructure. We investigate the path that attackers find is least resistant followed by adapting and finding the next best way to complete an attack. We also provide a thorough discussion on how common software supply chain attacks can be prevented, preventing malicious hackers from gaining access to an organization's development tools and infrastructure including the development environment. We considered various SSC attacks on stolen code-sign certificates by malicious attackers and prevented unnoticed malware from passing by security scanners. We are aiming to extend our research to contribute to preventing software supply chain attacks by proposing novel techniques and frameworks.

Jeferson Martínez,Javier M. Durán

DOI: https://doi.org/10.18280/ijsse.110505

2021-10-31

International Journal of Safety and Security Engineering

Abstract:Exploitation of a vulnerability that compromised the source code of the Solar Winds’ Orion system, a software that is used widely by different government and industry actors in the world for the administration and monitoring of networks; brought to the fore a type of stealth attack that has been gaining momentum: supply chain attacks. The main problem in the violation of the software supply chain is that, from 85% to 97% of the code currently used in the software development industry comes from the reuse of open source code frameworks, repositories of third-party software and APIs, creating potential vulnerabilities in the development cycle of a software product. This research analyzes the SolarWinds case study from an exploratory review of academic literature, government information, but also from the articles and reports that are published by different cybersecurity consulting firms and software providers. Then, a set of good practices is proposed such as: Zero trust, Multi-Factor authentication mechanisms (MFA), strategies such as SBOM and the recommendations of the CISA guide to defend against this type of attack. Finally, the research discusses about how to improve response times and prevention against this type of attacks, also future research related to the subject is suggested, such as the application of Machine Learning and Blockchain technologies. Additionally for risk reduction, in addition to the management and articulation of IT teams that participate in all the actors that are part of the software life cycle under a DevSecOps approach.

Md Habibor Rahman,Rocco Cassandro,Thorsten Wuest,Mohammed Shafae

2023-12-30

Abstract:An attack taxonomy offers a consistent and structured classification scheme to systematically understand, identify, and classify cybersecurity threat attributes. However, existing taxonomies only focus on a narrow range of attacks and limited threat attributes, lacking a comprehensive characterization of manufacturing cybersecurity threats. There is little to no focus on characterizing threat actors and their intent, specific system and machine behavioral deviations introduced by cyberattacks, system-level and operational implications of attacks, and potential countermeasures against those attacks. To close this pressing research gap, this work proposes a comprehensive attack taxonomy for a holistic understanding and characterization of cybersecurity threats in manufacturing systems. Specifically, it introduces taxonomical classifications for threat actors and their intent and potential alterations in system behavior due to threat events. The proposed taxonomy categorizes attack methods/vectors and targets/locations and incorporates operational and system-level attack impacts. This paper also presents a classification structure for countermeasures, provides examples of potential countermeasures, and explains how they fit into the proposed taxonomical classification. Finally, the implementation of the proposed taxonomy is illustrated using two realistic scenarios of attacks on typical smart manufacturing systems, as well as several real-world cyber-physical attack incidents and academic case studies. The developed manufacturing attack taxonomy offers a holistic view of the attack chain in manufacturing systems, starting from the attack launch to the possible damages and system behavior changes within the system. Furthermore, it guides the design and development of appropriate protective and detective countermeasures by leveraging the attack realization through observed system deviations.

Cryptography and Security

Zhuoran Tan,Christos Anagnosstopoulos,Jeremy Singer

2024-11-28

Abstract:Open-source software serves as a foundation for the internet and the cyber supply chain, but its exploitation is becoming increasingly prevalent. While advances in vulnerability detection for OSS have been significant, prior research has largely focused on static code analysis, often neglecting runtime indicators. To address this shortfall, we created a comprehensive dataset spanning five ecosystems, capturing features generated during the execution of packages and libraries in isolated environments. The dataset includes 9,461 package reports, of which 1,962 are identified as malicious, and encompasses both static and dynamic features such as files, sockets, commands, and DNS records. Each report is labeled with verified information and detailed sub-labels for attack types, facilitating the identification of malicious indicators when source code is unavailable. This dataset supports runtime detection, enhances detection model training, and enables efficient comparative analysis across ecosystems, contributing to the strengthening of supply chain security.

Cryptography and Security

Lorenzo Neil,Sudip Mittal,Anupam Joshi

DOI: https://doi.org/10.48550/arXiv.1808.04673

2018-08-10

Abstract:Open-Source Projects and Libraries are being used in software development while also bearing multiple security vulnerabilities. This use of third party ecosystem creates a new kind of attack surface for a product in development. An intelligent attacker can attack a product by exploiting one of the vulnerabilities present in linked projects and libraries. In this paper, we mine threat intelligence about open source projects and libraries from bugs and issues reported on public code repositories. We also track library and project dependencies for installed software on a client machine. We represent and store this threat intelligence, along with the software dependencies in a security knowledge graph. Security analysts and developers can then query and receive alerts from the knowledge graph if any threat intelligence is found about linked libraries and projects, utilized in their products.

Software Engineering,Artificial Intelligence,Cryptography and Security

Stefano M. Nicoletti,Milan Lopuhaä-Zwakenberg,Mariëlle Stoelinga,Fabio Massacci,Carlos E. Budde

2024-10-19

Abstract:The landscape of cyber threats grows more complex by the day. Advanced Persistent Threats carry out systematic attack campaigns against which cybersecurity practitioners must defend. Examples of such organized attacks are operations Dream Job, Wocao, WannaCry or the SolarWinds Compromise. To evaluate which risks are most threatening, and which campaigns to prioritize against when defending, cybersecurity experts must be equipped with the right toolbox. In particular, they must be able to (a) obtain likelihood values for each attack campaign recorded in the wild and (b) reliably and transparently operationalize these values to carry out quantitative comparisons among campaigns. This will allow security experts to perform quantitatively-informed decision making that is transparent and accountable. In this paper we construct such a framework by: (1) quantifying the likelihood of attack campaigns via data-driven procedures on the MITRE knowledge base and (2) introducing a methodology for automatic modelling of MITRE intelligence data: this is complete in the sense that it captures any attack campaign via template attack tree models. (3) We further propose a computational framework to carry out this comparisons based on the cATM formal logic, and implement this into an open-source Python tool. Finally, we validate our approach by quantifying the likelihood of all MITRE campaigns, and comparing the likelihood of the Wocao and Dream Job MITRE campaigns -- generated with our proposed approach -- against "ad hoc" traditionally-built attack tree models, demonstrating how our methodology is substantially lighter in modelling effort, and still capable of capturing all the quantitative relevant data.

Cryptography and Security,Logic in Computer Science

Stan Zajdel,Diego Elias Costa,Hafedh Mili

DOI: https://doi.org/10.48550/arXiv.2206.10358

2022-06-21

Software Engineering

Abstract:The Open Source Software movement has been growing exponentially for a number of years with no signs of slowing. Driving this growth is the widespread availability of libraries and frameworks that provide many functionalities. Developers are saving time and money incorporating this functionality into their applications resulting in faster more feature-rich releases. Despite the growing success and the advantages that open source software provides, there is a dark side. Due to its community construction and largely unregulated distribution, the majority of open source software contains bugs, vulnerabilities and other issues making it highly susceptible to exploits. The lack of oversight, in general, hinders the quality of this software resulting in a trickle-down effect in the applications that use it. Additionally, developers who use open source tend to arbitrarily download the software into their build systems but rarely keep track of what they have downloaded resulting in an excessive amount of open source software in their applications and in their ecosystem. This paper discusses processes and practices that users of open source software can implement into their environments that can safely track and control the introduction and usage of open source software into their applications, and report on some preliminary results obtained in an industrial context. We conclude by discussing governance issues related to the disciplined use and reuse of open source and areas for further improvements.

Duc Ly Vu,Ivan Pashchenko,Fabio Massacci,Henrik Plate,Antonino Sabetta

DOI: https://doi.org/10.1145/3372297.3420015

2020-10-30

Abstract:Increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems, makes them an attractive target for software supply chain attacks. By injecting malicious code into legitimate packages, attackers were known to gain more than 100,000 downloads of compromised packages. Current approaches for identifying malicious payloads are resource demanding. Therefore, they might not be applicable for the on-the-fly detection of suspicious artifacts being uploaded to the package repository. In this respect, we propose to use source code repositories (e.g., those in Github) for detecting injections into the distributed artifacts of a package. Our preliminary evaluation demonstrates that the proposed approach captures known attacks when malicious code was injected into PyPI packages. The analysis of the 2666 software artifacts (from all versions of the top ten most downloaded Python packages in PyPI) suggests that the technique is suitable for lightweight analysis of real-world packages.

Shehan Edirimannage,Charitha Elvitigala,Asitha Kottahachchi Kankanamge Don,Wathsara Daluwatta,Primal Wijesekara,Ibrahim Khalil

2024-11-12

Abstract:With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6\% of the analyzed extensions have suspicious behavior, jeopardizing the integrity of the development environment and potentially leaking sensitive information on the developer's product. We also found that the VS Code hosting the third-party extensions lacks practical security controls and lets untrusted third-party code run unchecked and with questionable capabilities. We offer recommendations on possible avenues for fixing some of the issues uncovered during the analysis.

Cryptography and Security,Software Engineering

Tara Ghasempouri,Jaan Raik,Cezar Reinbrecht,Said Hamdioui,Mottaqiallah Taouil

DOI: https://doi.org/10.48550/arXiv.2208.14194

2022-08-30

Abstract:According to the World Economic Forum, cyber attacks are considered as one of the most important sources of risk to companies and institutions worldwide. Attacks can target the network, software, and/or hardware. During the past years, much knowledge has been developed to understand and mitigate cyberattacks. However, new threats have appeared in recent years regarding software attacks that exploit hardware vulnerabilities. We define these attacks as architectural attacks. Today, both industry and academy have only limited comprehension of architectural attacks, which represents a critical issue for the design of future systems. To this end, this work proposes a new taxonomy, a new attack model, and a complete survey of existing architectural attacks. As a result, our study provides the tools to understand the Architectural Attacks deeply and start building better designs as well as protection mechanisms.

Cryptography and Security

Eman Abu Ishgair,Marcela S. Melara,Santiago Torres-Arias

2024-05-29

Abstract:The software supply chain comprises a highly complex set of operations, processes, tools, institutions and human factors involved in creating a piece of software. A number of high-profile attacks that exploit a weakness in this complex ecosystem have spurred research in identifying classes of supply chain attacks. Yet, practitioners often lack the necessary information to understand their security posture and implement suitable defenses against these attacks. We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach that focuses on holistic bottom-up solutions. To this end, this paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships. Using this model, we identify software supply chain security objectives that are needed to mitigate common attacks and systematize knowledge on recent and well-established security techniques for their ability to meet these objectives. We validate our model against prior attacks and taxonomies. Finally, we identify emergent research gaps and propose opportunities to develop novel software development tools and systems that are secure-by-design.

Cryptography and Security

Colin Topping,Ola Michalec,Awais Rashid

DOI: https://doi.org/10.48550/arXiv.2208.02244

2022-08-03

Cryptography and Security

Abstract:Supply chains are increasingly targeted by threat actors. Using a recent taxonomy, we contrast the diverse levels of detail given by national authorities. The threat is commonly acknowledged, but guidance is disjointed. NIST SP 800-161 aligns closely with the taxonomy and offers a potential pathway towards a common set of principles.

Mehdi Mirakhorli,Derek Garcia,Schuyler Dillon,Kevin Laporte,Matthew Morrison,Henry Lu,Viktoria Koscinski,Christopher Enoch

2024-02-17

Abstract:Modern software applications heavily rely on diverse third-party components, libraries, and frameworks sourced from various vendors and open source repositories, presenting a complex challenge for securing the software supply chain. To address this complexity, the adoption of a Software Bill of Materials (SBOM) has emerged as a promising solution, offering a centralized repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches, exemplified by the SolarWinds attack, underscore the urgent need to enhance software security and mitigate vulnerability risks, with SBOMs playing a pivotal role in this endeavor by revealing potential vulnerabilities, outdated components, and unsupported elements. This research paper conducts an extensive empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM. We investigate emerging use cases in software supply chain security and identify gaps in SBOM technologies. Our analysis encompasses 84 tools, providing a snapshot of the current market and highlighting areas for improvement.

Software Engineering