Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks

Ohm, Marc; Plate, Henrik; Sykosch, Arnold; Meier, Michael

doi:10.1007/978-3-030-52683-2_2

Cited by 113 publications

(116 citation statements)

References 6 publications

Supporting

Mentioning

101

Contrasting

Order By: Relevance

“…Known malicious examples. We used the malware dataset collected by Ohm et al [7]. The dataset contains 34 malicious artifacts of 23 packages that were collected for both real and research purpose attacks between November 2015 and November 2019.…”

Section: Preliminary Findingsmentioning

confidence: 99%

Towards Using Source Code Repositories to Identify Software Supply Chain Attacks

Pashchenko

Massacci

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems, makes them an attractive target for software supply chain attacks. By injecting malicious code into legitimate packages, attackers were known to gain more than 100 000 downloads of compromised packages. Current approaches for identifying malicious payloads are resource demanding. Therefore, they might not be applicable for the on-the-fly detection of suspicious artifacts being uploaded to the package repository. In this respect, we propose to use source code repositories (e.g., those in Github) for detecting injections into the distributed artifacts of a package. Our preliminary evaluation demonstrates that the proposed approach captures known attacks when malicious code was injected into PyPI packages. The analysis of the 2666 software artifacts (from all versions of the top ten most downloaded Python packages in PyPI) suggests that the technique is suitable for lightweight analysis of real-world packages.

show abstract

Section: Preliminary Findingsmentioning

confidence: 99%

Towards Using Source Code Repositories to Identify Software Supply Chain Attacks

Pashchenko

Massacci

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…These attacks modify the targeted program so that it is still validly signed by its owner. The attacker simply injects his code into one of the software's dependencies [21]. Theoretically, an attacker can do this injection in any given node in the software's dependency tree.…”

Section: Software Supply-chain Attacksmentioning

confidence: 99%

“…Furthermore, if there is a vulnerability in one of the popular packages, then the issue will propagate through all the other libraries that depend on it. This concept is also known as software supply-chain security, which refers to outsiders accessing the final project [11,21]. Software supply-chain security is another research field but seems to be heavily related to OS registry security.…”

Section: Introductionmentioning

confidence: 99%

A Survey on Common Threats in npm and PyPi Registries

Kaplan

Qian

2021

Preprint

View full text Add to dashboard Cite

Software engineers regularly use JavaScript and Python for both front-end and back-end automation tasks. On top of JavaScript and Python, there are several frameworks to facilitate automation tasks further. Some of these frameworks are Node Manager Package (npm) and Python Package Index (PyPi), which are open source (OS) package libraries. The public registries npm and PyPi use to host packages allow any user with a verified email to publish code. The lack of a comprehensive scanning tool when publishing to the registry creates security concerns. Users can report malicious code on the registry; however, attackers can still cause damage until they remove their tool from the platform. Furthermore, several packages depend on each other, making them more vulnerable to a bad package in the dependency tree. The heavy code reuse creates security artifacts developers have to consider, such as the package reach. This project will illustrate a high-level overview of common risks associated with OS registries and the package dependency structure. There are several attack types, such as typosquatting and combosquatting, in the OS package registries. Outdated packages pose a security risk, and we will examine the extent of technical lag present in the npm environment. In this paper, our main contribution consists of a survey of common threats in OS registries. Afterward, we will offer countermeasures to mitigate the risks presented. These remedies will heavily focus on the applications of Machine Learning (ML) to detect suspicious activities. To the best of our knowledge, the ML-focused countermeasures are the first proposed possible solutions to the security problems listed. In addition, this project is the first survey of threats in npm and PyPi, although several studies focus on a subset of threats.

show abstract

“…This build pipeline is frequently automated with continuous integration and deployment (CI/CD) tools like Jenkins and AWS CodeDeploy, which can automatically pull the latest versions of components from their source repositories, integrate them into the build environment, and deploy the final build -all within minutes or less. While instrumental in enabling the breakneck pace of development that users have come to expect, these highly-automated software supply chains can rapidly propagate the effects of human errors (e.g., accidental use of an outdated library) and have become attractive targets for bad actors looking to quietly insert backdoors, sabotage tools, and even cryptocurrency miners into otherwise-legitimate cloud software via third-party libraries or compromised compilers [2,14,17].…”

Section: Background and Related Workmentioning

confidence: 99%