DOI: 10.1145/3407023.3409183
Research article

Towards detection of software supply chain attacks by forensic artifacts

Published: 25 August 2020

ABSTRACT

Third-party dependencies may introduce security risks to the software supply chain and hence harm the software that depends on them. There are many known cases of malicious open source packages posing risks to developers and end users. However, while efforts are made to detect vulnerable open source packages, malicious packages are not yet considered explicitly. To tackle this problem we perform an exploratory case study of previous attacks on the software supply chain with respect to the observable artifacts they created. Based on the gained insights, we propose Buildwatch, a framework for dynamic analysis of software and its third-party dependencies. We noticed that malicious packages introduce a significant amount of new artifacts during installation when compared to benign versions of the same package. The paper presents a first analysis of the observable artifacts of malicious packages as well as a possible mitigation strategy that might lead to more insight in the long term.
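As an added illustration of the comparison the abstract describes (not Buildwatch's own code, which is not on this page), the script below diffs the install-time artifacts recorded for a benign baseline version against those of a newer version of the same package and flags the newer one when its install produces many artifacts the baseline did not, or any new process or network activity; the trace format, the three artifact categories, the growth threshold and the sample traces are all constructed assumptions.

```python
from typing import Dict, List, Set

# Categories are an assumption, loosely modeled on what an install-step syscall trace exposes.
CATEGORIES = ("file", "process", "network")
Artifacts = Dict[str, Set[str]]

def parse_trace(lines: List[str]) -> Artifacts:
    """Parse constructed 'category<TAB>value' lines into per-category sets."""
    artifacts: Artifacts = {c: set() for c in CATEGORIES}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        category, _, value = line.partition("\t")
        if category in artifacts and value:
            artifacts[category].add(value)
    return artifacts

def assess(baseline: Artifacts, candidate: Artifacts, growth_threshold: float = 0.5) -> dict:
    """Flag a version whose install creates many artifacts the baseline did not,
    or any new process/network artifact at all (the threshold is an assumption)."""
    added = {c: candidate[c] - baseline[c] for c in CATEGORIES}
    base_total = sum(len(v) for v in baseline.values())
    added_total = sum(len(v) for v in added.values())
    growth = added_total / base_total if base_total else float(added_total > 0)
    reasons = []
    if growth >= growth_threshold:
        reasons.append(f"install artifacts grew by {growth:.0%} over the baseline")
    for c in ("process", "network"):
        if added[c]:
            reasons.append(f"new {c} artifacts: {sorted(added[c])}")
    return {"added": added, "growth": growth, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample traces for two versions of a fictional package "pkg".
BASELINE_TRACE = [  # benign 1.0.0
    "file\t/usr/lib/node_modules/pkg/package.json",
    "file\t/usr/lib/node_modules/pkg/index.js",
    "file\t/usr/lib/node_modules/pkg/lib/util.js",
    "process\tnode scripts/postinstall.js",
]
CANDIDATE_TRACE = [  # 1.0.1 under review; the extra entries are constructed
    *BASELINE_TRACE,
    "file\t/tmp/.cache-update.sh",
    "process\t/bin/sh /tmp/.cache-update.sh",
    "network\t203.0.113.10:443",
]

def demo() -> dict:
    """Compare the two constructed traces; 'reasons' lists why 1.0.1 is flagged."""
    return assess(parse_trace(BASELINE_TRACE), parse_trace(CANDIDATE_TRACE))
```

In practice the traces would come from a sandboxed installation run (the abstract mentions dynamic analysis), and the baseline would be the previously vetted release of the same package.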

Published in

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
August 2020, 1073 pages
ISBN: 9781450388337
DOI: 10.1145/3407023
Program Chairs: Melanie Volkamer, Christian Wressnegger

Copyright © 2020 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
