ABSTRACT
Third-party dependencies may introduce security risks into the software supply chain and hence harm the software that depends on them. There are many known cases of malicious open source packages posing risks to developers and end users. However, while efforts are made to detect vulnerable open source packages, malicious packages are not yet considered explicitly. To tackle this problem, we perform an exploratory case study of previous attacks on the software supply chain with respect to the observable artifacts they create. Based on the insights gained, we propose Buildwatch, a framework for dynamic analysis of software and its third-party dependencies. We noticed that malicious packages introduce a significant number of new artifacts during installation when compared to benign versions of the same package. The paper presents a first analysis of the observable artifacts of malicious packages as well as a possible mitigation strategy that might lead to more insight in the long term.
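The version-to-version comparison the abstract describes, as an added example (not code from the paper or from Buildwatch): it extracts process, file and network artifacts from install traces of two versions of one package and reports those seen only in the newer version. The strace-style trace format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re

# Constructed strace-style lines (not real traces): install of a known-good version.
BASELINE_TRACE = """\
1201 execve("/usr/bin/node", ["node", "install.js"], 0x7ffd) = 0
1201 openat(AT_FDCWD, "/app/node_modules/pkg/index.js", O_WRONLY|O_CREAT, 0644) = 3
1201 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
"""

# Constructed trace of the version under review: same steps plus extra activity.
CANDIDATE_TRACE = BASELINE_TRACE + """\
1305 execve("/bin/sh", ["sh", "-c", "node setup.js"], 0x7ffd) = 0
1305 openat(AT_FDCWD, "/home/dev/.ssh/id_rsa", O_RDONLY) = 5
1305 openat(AT_FDCWD, "/tmp/.cache-x", O_WRONLY|O_CREAT, 0600) = 6
1305 connect(7, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
1305 openat(AT_FDCWD, "/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

RET = re.compile(r'\) = (-?\d+)')
EXEC = re.compile(r'execve\("([^"]+)"')
OPEN = re.compile(r'openat\([^,]+, "([^"]+)", ([A-Z_|]+)')
CONN = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')


def artifacts(trace):
    """Return the set of (kind, value) artifacts from successful syscalls."""
    found = set()
    for line in trace.splitlines():
        ret = RET.search(line)
        if not ret or int(ret.group(1)) < 0:
            continue  # unfinished or failed call: no artifact was produced
        if m := EXEC.search(line):
            found.add(("process", m.group(1)))
        elif m := OPEN.search(line):
            writes = "O_WRONLY" in m.group(2) or "O_RDWR" in m.group(2)
            found.add(("file_write" if writes else "file_read", m.group(1)))
        elif m := CONN.search(line):
            found.add(("network", f"{m.group(2)}:{m.group(1)}"))
    return found


def new_artifacts(baseline, candidate):
    """Artifacts present in the candidate install but absent from the baseline."""
    return sorted(artifacts(candidate) - artifacts(baseline))


if __name__ == "__main__":
    for kind, value in new_artifacts(BASELINE_TRACE, CANDIDATE_TRACE):
        print(f"NEW {kind:<10} {value}")
```

Keying artifacts by kind and value rather than by PID or file descriptor keeps the diff stable across runs, since those numbers change on every installation.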
Towards detection of software supply chain attacks by forensic artifacts