Nusrat Zahan,Thomas Zimmermann,Patrice Godefroid,Brendan Murphy,Chandra Maddila,Laurie Williams

DOI: https://doi.org/10.48550/arXiv.2112.10165

2021-12-19

Cryptography and Security

Abstract:Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata. In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. One of our case studies identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.

Raphina Liu,Sofia Bobadilla,Benoit Baudry,Martin Monperrus

2024-10-21

Abstract:Using open-source dependencies is essential in modern software development. However, this practice implies significant trust in third-party code, while there is little support for developers to assess this trust. As a consequence, attacks have been increasingly occurring through third-party dependencies. These are called software supply chain attacks. In this paper, we target the problem of projects that use dependencies while unaware of the potential risks posed by their software supply chain. We define the novel concept of software supply chain smell and present Dirty-Waters, a novel tool for detecting software supply chain smells. We evaluate Dirty-Waters on three JavaScript projects across nine versions and demonstrate the prevalence of all proposed software supply chain smells. Not only are there smells in all projects, but there are many of them, which immediately reveal potential risks and provide clear indicators for developers to act on the security of their supply chain.

Software Engineering,Cryptography and Security

Jia Zeng,Dan Han,Yaling Zhu,Yangzhong Wang,Fangchen Weng

2024-04-28

Abstract:In the current software development environment, third-party libraries play a crucial role. They provide developers with rich functionality and convenient solutions, speeding up the pace and efficiency of software development. However, with the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent. Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information, posing a severe threat to software security. Research on third-party libraries in software becomes paramount to address this growing security challenge. Numerous research findings exist regarding third-party libraries' usage, ecosystem, detection, and fortification defenses. Understanding the usage and ecosystem of third-party libraries helps developers comprehend the potential risks they bring and select trustworthy libraries. Third-party library detection tools aid developers in automatically discovering third-party libraries in software, facilitating their management. In addition to detection, fortification defenses are also indispensable. This article profoundly investigates and analyzes this literature, summarizing current research achievements and future development directions. It aims to provide practical and valuable insights for developers and researchers, jointly promoting the healthy development of software ecosystems and better-protecting software from security threats.

Software Engineering

Marc Ohm,Henrik Plate,Arnold Sykosch,Michael Meier

DOI: https://doi.org/10.48550/arXiv.2005.09535

2020-05-19

Cryptography and Security

Abstract:A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.

Renke Huang,Jiachi Chen,Yanlin Wang,Tingting Bi,Zibin Zheng

2023-04-30

Abstract:Web3, the next generation of the Internet, represents a decentralized and democratized web. Although it has garnered significant public interest and found numerous real-world applications, there is a limited understanding of people's perceptions and experiences with Web3. In this study, we conducted an empirical study to investigate the categories of Web3 application and their popularity, as well as the potential challenges and opportunities within this emerging landscape. Our research was carried out in two phases. In the first phase, we analyzed 200 popular Web3 projects associated with 10 leading Web3 venture capital firms. In the second phase, we collected and examined code-related data from GitHub and market-related data from blockchain browsers (e.g., Etherscan) for these projects. Our analysis revealed that the Web3 ecosystem can be categorized into two groups, i.e., Web3 infrastructure and Web3 applications, with each consisting of several subcategories or subdomains. We also gained insights into the popularity of these Web3 projects at both the code and market levels and pointed out the challenges in the Web3 ecosystem at the system, developer, and user levels, as well as the opportunities it presents. Our findings contribute to a better understanding of Web3 for researchers and developers, promoting further exploration and advancement in this innovative field.

Software Engineering

Chengwei Liu,Sen Chen,Lingling Fan,Bihuan Chen,Yang Liu,Xin Peng

DOI: https://doi.org/10.1145/3510003.3510142

2022-01-01

Abstract:Third-party libraries with rich functionalities facilitate the fast development of JavaScript software, leading to the explosive growth of the NPM ecosystem. However, it also brings new security threats that vulnerabilities could be introduced through dependencies from third-party libraries. In particular, the threats could be excessively amplified by transitive dependencies. Existing research only considers direct dependencies or reasoning transitive dependencies based on reachability analysis, which neglects the NPM-specific dependency resolution rules as adapted during real installation, resulting in wrongly resolved dependencies. Consequently, further fine-grained analysis, such as precise vulnerability propagation and their evolution over time in dependencies, cannot be carried out precisely at a large scale, as well as deriving ecosystem-wide solutions for vulnerabilities in dependencies. To fill this gap, we propose a knowledge graph-based dependency resolution, which resolves the inner dependency relations of dependencies as trees (i.e., dependency trees), and investigates the security threats from vulnerabilities in dependency trees at a large scale. Specifically, we first construct a complete dependency-vulnerability knowledge graph (DVGraph) that captures the whole NPM ecosystem (over 10 million library versions and 60 million well-resolved dependency relations). Based on it, we propose a novel algorithm (DTResolver) to statically and precisely resolve dependency trees, as well as transitive vulnerability propagation paths, for each package by taking the official dependency resolution rules into account. Based on that, we carry out an ecosystem-wide empirical study on vulnerability propagation and its evolution in dependency trees. Our study unveils lots of useful findings, and we further discuss the lessons learned and solutions for different stakeholders to mitigate the vulnerability impact in NPM based on our findings. For example, we implement a dependency tree based vulnerability remediation method (DTReme) for NPM packages, and receive much better performance than the official tool (npm audit fix).

Cadence Patrick,Kimberly Ruth,Zakir Durumeric

2024-04-18

Abstract:Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.

Software Engineering,Cryptography and Security

Xiaoyan Zhou,Feiran Liang,Zhaojie Xie,Yang Lan,Wenjia Niu,Jiqiang Liu,Haining Wang,Qiang Li

2024-04-17

Abstract:Package managers such as NPM, Maven, and PyPI play a pivotal role in open-source software (OSS) ecosystems, streamlining the distribution and management of various freely available packages. The fine-grained details within software packages can unveil potential risks within existing OSS ecosystems, offering valuable insights for detecting malicious packages. In this study, we undertake a large-scale empirical analysis focusing on fine-grained information (FGI): the metadata, static, and dynamic functions. Specifically, we investigate the FGI usage across a diverse set of 50,000+ legitimate and 1,000+ malicious packages. Based on this diverse data collection, we conducted a comparative analysis between legitimate and malicious packages. Our findings reveal that (1) malicious packages have less metadata content and utilize fewer static and dynamic functions than legitimate ones; (2) malicious packages demonstrate a higher tendency to invoke HTTP/URL functions as opposed to other application services, such as FTP or SMTP; (3) FGI serves as a distinguishable indicator between legitimate and malicious packages; and (4) one dimension in FGI has sufficient distinguishable capability to detect malicious packages, and combining all dimensions in FGI cannot significantly improve overall performance.

Software Engineering,Cryptography and Security

O. V. Vyshnivskyi,

DOI: https://doi.org/10.31673/2518-7678.2023.020909

2023-01-01

Abstract:The article is devoted to critical aspects during the implementation of Web-3.0 technology. The task is set: based on the analysis of the implementation of Web-3.0 technology to solve a number of tasks, namely: blockchain-based decentralization; creation of general accessibility; increasing trust in sites; increasing the security of personal information from hackers; ensuring true ownership of authors' information; lack of censorship; improvement of social interaction; use of the Internet of Things is compatible with virtual or augmented reality; application of artificial intelligence � consider a zero-day exploit for Web-3.0. A zero-day exploit indicates that the vendor or developer has just become aware of the vulnerability and has "zero days" to fix it. A zero-day attack occurs as a result of attackers exploiting a vulnerability (critical points) before the developers managed to fix it. To solve this problem in the article: a description of the main differences between the Web-3.0 construction architecture and Web-2.0 is made; the analysis of the tasks of Oprah Winfrey Network of the Web-3.0 architecture was carried out; consider the possibilities of: external interface (design and interface of web applications), server part (based on decentralized technologies, primarily dApp, which uses the advantages of blockchain: transparency, reliability and immutability of data.), database (stores data about users, their messages , tags and comments); an analysis of possible threats and vulnerabilities due to the introduction of Web-3.0 technology before the start of the zero-day exploit was performed. Based on the performed analysis, the following conclusions are drawn: that the vulnerability is related to scalability, limited transaction throughput and computing power, security, complexity, compatibility; that Web-3.0 creates many conditions that can be useful to people, but the introduction of new Web-3.0 capabilities leads to the emergence of new threats or vulnerabilities that can be used by attackers to harm people. This requires considering the possible impact of threats, identifying possible vulnerabilities in Web-3.0 technology before the start of a zero-day exploit, that is, it requires the need to investigate the possibility of the appearance of new vulnerabilities.

Govind Hanswal,Sachin Jain,Blessy Thankachan

DOI: https://doi.org/10.48175/ijarsct-10715

2023-05-29

Abstract:The emergence of Web3 technologies is transforming the internet and its applications. Web3 refers to the next generation of the internet, which is built on blockchain technology and decentralized applications. This new version of the internet is expected to be more secure, transparent, and open than the current Web2, which is characterized by centralized control and data ownership.The review paper provides an overview of Web3 and its significance in the context of the internet and blockchain technology. It explains how Web3 is different from Web1 and Web2, and why it has the potential to revolutionize various industries. Web1 was the first version of the internet, which was static and read-only. Web2, on the other hand, introduced interactive and social elements to the internet, but it still relies on centralized control and data ownership. The review paper goes on to explain the various technologies associated with Web3, such as blockchain technology, decentralized applications (dApps), and smart contracts. Blockchain technology is the backbone of Web3 and enables decentralized data storage and transaction processing. Decentralized applications (dApps) are software programs that run on a blockchain and enable peer-to-peer transactions without the need for intermediaries. Smart contracts are self-executing contracts that automatically enforce the rules and regulations of an agreement. The review paper also explores the rise of decentralized finance (DeFi) and its impact on the financial sector. DeFi is a subcategory of dApps that enables decentralized financial services such as lending, borrowing, and trading without the need for traditional financial intermediaries. The report discusses how DeFi is disrupting the traditional financial sector and opening new opportunities for innovation and financial inclusion. The review paper further discusses the potential use cases for Web3 in industries such as gaming, social media, supply chain management, and identity verification. For example, Web3 can enable new models of gaming that are more transparent and fairer for players, as well as provide a more secure and private social media experience. In supply chain management, Web3 can enable greater transparency and traceability of products, which can improve efficiency and reduce fraud. In identity verification, Web3 can provide a decentralized and secure way for individuals to prove their identity without relying on centralized authorities.Finally, the review paper discusses the challenges and limitations of Web3 technologies, such as scalability, interoperability, and user adoption. Despite these challenges, the report provides a vision for the future of Web3 and its potential impact on society.Web3 has the potential to create a more open, decentralized, and equitable internet that empowers individuals and communities.

English Else

Wei Tang,Zhengzi Xu,Chengwei Liu,Jiahui Wu,Shouguo Yang,Yi Li,Ping Luo,Yang Liu

DOI: https://doi.org/10.1145/3551349.3560432

2022-09-20

Abstract:Third-party libraries (TPLs) are frequently reused in software to reduce development cost and the time to market. However, external library dependencies may introduce vulnerabilities into host applications. The issue of library dependency has received considerable critical attention. Many package managers, such as Maven, Pip, and NPM, are proposed to manage TPLs. Moreover, a significant amount of effort has been put into studying dependencies in language ecosystems like Java, Python, and JavaScript except C/C++. Due to the lack of a unified package manager for C/C++, existing research has only few understanding of TPL dependencies in the C/C++ ecosystem, especially at large scale. Towards understanding TPL dependencies in the C/C++ecosystem, we collect existing TPL databases, package management tools, and dependency detection tools, summarize the dependency patterns of C/C++ projects, and construct a comprehensive and precise C/C++ dependency detector. Using our detector, we extract dependencies from a large-scale database containing 24K C/C++ repositories from GitHub. Based on the extracted dependencies, we provide the results and findings of an empirical study, which aims at understanding the characteristics of the TPL dependencies. We further discuss the implications to manage dependency for C/C++ and the future research directions for software engineering researchers and developers in fields of library development, software composition analysis, and C/C++package manager.

Software Engineering

Shehan Edirimannage,Charitha Elvitigala,Asitha Kottahachchi Kankanamge Don,Wathsara Daluwatta,Primal Wijesekara,Ibrahim Khalil

2024-11-12

Abstract:With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6\% of the analyzed extensions have suspicious behavior, jeopardizing the integrity of the development environment and potentially leaking sensitive information on the developer's product. We also found that the VS Code hosting the third-party extensions lacks practical security controls and lets untrusted third-party code run unchecked and with questionable capabilities. We offer recommendations on possible avenues for fixing some of the issues uncovered during the analysis.

Cryptography and Security,Software Engineering

Chinenye Okafor,Taylor R. Schorlemmer,Santiago Torres-Arias,James C. Davis

2024-06-14

Abstract:This paper systematizes knowledge about secure software supply chain patterns. It identifies four stages of a software supply chain attack and proposes three security properties crucial for a secured supply chain: transparency, validity, and separation. The paper describes current security approaches and maps them to the proposed security properties, including research ideas and case studies of supply chains in practice. It discusses the strengths and weaknesses of current approaches relative to known attacks and details the various security frameworks put out to ensure the security of the software supply chain. Finally, the paper highlights potential gaps in actor and operation-centered supply chain security techniques

Cryptography and Security,Software Engineering

Xin Tan,Kai Gao,Minghui Zhou,Li Zhang

DOI: https://doi.org/10.1145/3510003.3510199

2022-01-01

Abstract:Deep learning becomes the driving force behind many contemporary technologies and has been successfully applied in many fields. Through software dependencies, a multi-layer supply chain (SC) with a deep learning framework as the core and substantial down-stream projects as the periphery has gradually formed and is constantly developing. However, basic knowledge about the structure and characteristics of the SC is lacking, which hinders effective support for its sustainable development. Previous studies on software SC usually focus on the packages in different registries without paying attention to the SCs derived from a single project. We present an empirical study on two deep learning SCs: TensorFlow and PyTorch SCs. By constructing and analyzing their SCs, we aim to understand their structure, application domains, and evolutionary factors. We find that both SCs exhibit a short and sparse hierarchy structure. Overall, the relative growth of new projects increases month by month. Projects have a tendency to attract downstream projects shortly after the release of their packages, later the growth becomes faster and tends to stabilize. We propose three criteria to identify vulnerabilities and identify 51 types of packages and 26 types of projects involved in the two SCs. A comparison reveals their similarities and differences, e.g., TensorFlow SC provides a wealth of packages in experiment result analysis, while PyTorch SC contains more specific framework packages. By fitting the GAM model, we find that the number of dependent packages is significantly negatively associated with the number of downstream projects, but the relationship with the number of authors is nonlinear. Our findings can help further open the "black box" of deep learning SCs and provide insights for their healthy and sustainable development.

Wenkai Li,Jiuyang Bu,Xiaoqi Li,Xianyi Chen

DOI: https://doi.org/10.48550/arXiv.2205.09524

2022-05-19

Abstract:Decentralized finance (DeFi) in Ethereum is a financial ecosystem built on the blockchain that has locked over 200 billion USD until April 2022. All transaction information is transparent and open when transacting through the DeFi protocol, which has led to a series of attacks. Several studies have attempted to optimize it from both economic and technical perspectives. However, few works analyze the vulnerabilities and optimizations of the entire DeFi system. In this paper, we first systematically analyze vulnerabilities related to DeFi in Ethereum at several levels, then we investigate real-world attacks. Finally, we summarize the achievements of DeFi optimization and provide some future directions.

Cryptography and Security

Xiaoyan Zhou,Ying Zhang,Wenjia Niu,Jiqiang Liu,Haining Wang,Qiang Li

2024-04-21

Abstract:The open-source software (OSS) ecosystem suffers from various security threats and risks, and malicious packages play a central role in software supply chain (SSC) attacks. Although malware research has a history of over thirty years, less attention has been paid to OSS malware. Its existing research has three limitations: a lack of high-quality datasets, malware diversity, and attack campaign context. In this paper, we first build and curate the largest dataset of 23,425 malicious packages from scattered online sources. We then propose a knowledge graph to represent the OSS malware corpus and conduct malicious package analysis in the wild. Our main findings include (1) it is essential to collect malicious packages from various online sources because there is little data overlap between different sources; (2) despite the sheer volume of SSC attack campaigns, many malicious packages are similar, and unknown/sophisticated attack behaviors have yet to emerge or be detected; (3) OSS malicious package has its distinct life cycle, denoted as {changing->release->detection->removal}, and slightly changing the package (different name) is a widespread attack manner; (4) while malicious packages often lack context about how and who released them, security reports disclose the information about corresponding SSC attack campaigns.

Cryptography and Security,Software Engineering

Qin Wang,Rujia Li,Qi Wang,Shiping Chen,Mark Ryan,Thomas Hardjono

DOI: https://doi.org/10.48550/arXiv.2206.08821

2022-06-17

Abstract:Web3 is the most hyped concept from 2020 to date, greatly motivating the prosperity of the Internet of Value and Metaverse. However, no solid evidence stipulates the exact definition, criterion, or standard in the sense of such a buzzword. To fill the gap, we aim to clarify the term in this work. We narrow down the connotation of Web3 by separating it from high-level controversy argues and, instead, focusing on its protocol, architecture, and evaluation from the perspective of blockchain fields. Specifically, we have identified all potential architectural design types and evaluated each of them by employing the scenario-based architecture evaluation method. The evaluation shows that existing applications are neither secure nor adoptable as claimed. Meanwhile, we also discuss opportunities and challenges surrounding the Web3 space and answer several prevailing questions from communities. A primary result is that Web3 still relies on traditional internet infrastructure, not as independent as advocated. This report, as of June 2022, provides the first strict research on Web3 in the view of blockchain. We hope that this work would provide a guide for the development of future Web3 services.

Cryptography and Security

Csar Soto-Valero,Martin Monperrus,Benoit Baudry,Cesar Soto-Valero

DOI: https://doi.org/10.1109/mc.2022.3175542

2022-09-30

IEEE Computer

Abstract:Ethereum is the single largest programmable blockchain platform today. Ethereum nodes operate the blockchain, relying on a vast supply chain of third-party software dependencies. In this article, we perform an analysis of the software supply chain of Java Ethereum nodes and distill the challenges of maintaining and securing this blockchain technology.

English Else

Carmine Cesarano,Vivi Andersson,Roberto Natella,Martin Monperrus

DOI: https://doi.org/10.1145/3689944.3696166

2024-09-17

Abstract:In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain security risks, as a single compromised package can have cascading impacts. Existing supply chain attack taxonomies overlook language-specific features that can be exploited by attackers to hide malicious code. In this paper, we propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our taxonomy identifies patterns in which language-specific Go features, intended for benign purposes, can be misused to propagate malicious code stealthily through supply chains. Additionally, we introduce GoSurf, a static analysis tool that analyzes the attack surface of Go packages according to our proposed taxonomy. We evaluate GoSurf on a corpus of widely used, real-world Go packages. Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem, allowing developers and security analysts to prioritize code audit efforts and uncover hidden malicious behaviors.

Cryptography and Security

Cheng Huang,Nannan Wang,Ziyan Wang,Siqi Sun,Lingzi Li,Junren Chen,Qianchong Zhao,Jiaxuan Han,Zhen Yang,Lei Shi

DOI: https://doi.org/10.48550/arXiv.2403.08334

2024-03-13

Abstract:With the growing popularity of modularity in software development comes the rise of package managers and language ecosystems. Among them, npm stands out as the most extensive package manager, hosting more than 2 million third-party open-source packages that greatly simplify the process of building code. However, this openness also brings security risks, as evidenced by numerous package poisoning incidents. In this paper, we synchronize a local package cache containing more than 3.4 million packages in near real-time to give us access to more package code details. Further, we perform manual inspection and API call sequence analysis on packages collected from public datasets and security reports to build a hierarchical classification framework and behavioral knowledge base covering different sensitive behaviors. In addition, we propose the DONAPI, an automatic malicious npm packages detector that combines static and dynamic analysis. It makes preliminary judgments on the degree of maliciousness of packages by code reconstruction techniques and static analysis, extracts dynamic API call sequences to confirm and identify obfuscated content that static analysis can not handle alone, and finally tags malicious software packages based on the constructed behavior knowledge base. To date, we have identified and manually confirmed 325 malicious samples and discovered 2 unusual API calls and 246 API call sequences that have not appeared in known samples.

Cryptography and Security