Improving Critical Infrastructure Protection by Enhancing Software Acquisition Process Through Blockchain

Marjanović, Jelena; Dalcekovic, Nikola; Sladić, Goran

doi:10.1145/3459960.3459973

Cited by 7 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A comparable feature is not present in most compiled languages, like Java, C/C++ or Ruby. In such cases, Integrity check of dependencies through cryptographic hashes [9], [36], [83], [109], [131], [135], [138] 3.3 3.0 2.5 2.0 1.32 Y N 2.3 2.0 Maintain detailed SBOM [5], [8], [53], [183], [184] and perform SCA [8], [31], [43], [48], [51], [53], [55] [42], [123], [185] Code signing [47], [83], [109], [135], [138], [141] Application Security Testing [34], [39], [41], [46], [55], [56], [58], [66], [80], [122], [134], [187] 4 execution is achieved either at runtime, e.g., by embedding the payload in a specific function or initializer, or by poisoning test routines [19]. Differences also exist in regards to code obfuscation and malware detection.…”

Section: Discussionmentioning

confidence: 99%

“…(AV-000) Conduct Open-Source Supply Chain Attack SL: [18], [19], [31]- [56] (AV-100) Develop and Advertise Distinct Malicious Package from Scratch SL: [16], [19], [57], [58] GL: [59]- [65] (AV-200) Create Name Confusion with Legitimate Package SL: [16], [58], [66], [67] GL: [68]- [70] (AV-201) Combosquatting SL: [71] GL: [72], [73] (AV-202) Altering Word Order SL: [74] (AV-203) Manipulating Word Separators SL: [74] (AV-204) Typosquatting SL: [15], [71], [74]- [76] GL: [77], [78] (AV-205) Built-In Package SL: [74] GL: [79] (AV-206) Brandjacking SL: [74] (AV-207) Similarity Attack SL: [71] (AV-001) Subvert Legitimate Package (AV-300) Inject into Sources of Legitimate Package SL: [19], [80]- [85] (AV-301) Introduce Malicious Code through Hypocrite Merge Request SL: [11], [85]- [87] GL: [88] (AV-304) Make Immature Vulnerability Exploitable SL: [11], [89] GL: [88] (AV-305) Exploit Rendering Weakness SL: [10] (AV-306) Exploit Unicode Bidirectional Algorithm SL: [10] GL:…”

Section: Appendix a Safeguards Against Oss Supply Chain Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Taxonomy of Attacks on Open-Source Software Supply Chains

Ladisa¹,

Plate²,

Martínez³

et al. 2022

Preprint

View full text Add to dashboard Cite

The widespread dependency on open-source software makes it a fruitful target for malicious actors, as demonstrated by recurring attacks. The complexity of today's opensource supply chains results in a significant attack surface, giving attackers numerous opportunities to reach the goal of injecting malicious code into open-source artifacts that is then downloaded and executed by victims.This work proposes a general taxonomy for attacks on opensource supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution. Taking the form of an attack tree, it covers 107 unique vectors, linked to 94 realworld incidents, and mapped to 33 mitigating safeguards.User surveys conducted with 17 domain experts and 134 software developers positively validated the correctness, comprehensiveness and comprehensibility of the taxonomy, as well as its suitability for various use-cases. Survey participants also assessed the utility and costs of the identified safeguards, and whether they are used.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Appendix a Safeguards Against Oss Supply Chain Attacksmentioning

confidence: 99%

Taxonomy of Attacks on Open-Source Software Supply Chains

Ladisa¹,

Plate²,

Martínez³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…In addition, future work will include building a prototype application and testing it on a case study in a company. This research is part of a series intended to improve critical infrastructure protection in various forms using conventional as well as modern approaches such as blockchain [71].…”

Section: Discussionmentioning

confidence: 99%

Towards Cross-Standard Compliance Readiness: Security Requirements Model for Smart Grid

et al. 2021

Self Cite

View full text Add to dashboard Cite

The critical infrastructure is constantly under cyber and physical threats. Applying security controls without guidance or traceability can create a false sense of security. Security standards facilitate security knowledge and control best practices in a more systematic way. However, the number of standards is continually increasing. Product providers that operate in multiple geographical regions often face the obligation to comply with multiple standards simultaneously. This introduces the problem of the convenient interpretation of different standards. Thus, a comprehensive analysis of the requirements from different security standards and guidelines applicable to the smart grid has been performed to detect similarities that can be shaped into entities of the conceptual model for requirement representation. The purpose of the model—presented in a form of a Unified Modeling Language (UML) class diagram—is to give product providers a canonical way to map requirements from arbitrary standards, guidelines, and regulations and accelerate the cross-standard compliance readiness by defining priority for requirement implementation. In addition, the research showed that multiple vectors should impact the priority of the implementation of the security controls defined through the requirements: domain affiliation, the essence of the requirement, associated threats, risks, and social dependencies between actors involved in the implementation. To examine the model correctness, NISTIR 7628—de facto smart grid standard—was used to provide insights into how the model would be used for requirements implementation tracking. The structure of individual requirements was analyzed to detect the building blocks and extract relevant parts that can be mapped to the model components. Further, all requirements were classified into one of the defined domains to provide the basis for referencing similar requirements from different standards. Finally, one arbitrary requirement was used to demonstrate model usage, and depict all available information that can be provided to the users in a custom-made scenario where the need arises to have simultaneous alignment with three standards—NISTIR 7628, NIST 800-53, and IEC 62443-3-3.

show abstract

“…Blockchain has been applied to SSC security (e.g., [33]- [35]. Especially, Marjanović et al [36] used blockchain-based techniques to record the software composition details. On the other hand, there are limited scholarly papers on SBOMs.…”

Section: Related Workmentioning

confidence: 99%

An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead

Xia¹,

Bi²,

Xing³

et al. 2023

Preprint

View full text Add to dashboard Cite

The rapid growth of software supply chain attacks has attracted considerable attention to software bill of materials (SBOM). SBOMs are a crucial building block to ensure the transparency of software supply chains that helps improve software supply chain security. Although there are significant efforts from academia and industry to facilitate SBOM development, it is still unclear how practitioners perceive SBOMs and what are the challenges of adopting SBOMs in practice. Furthermore, existing SBOM-related studies tend to be ad-hoc and lack software engineering focuses. To bridge this gap, we conducted the first empirical study to interview and survey SBOM practitioners. We applied a mixed qualitative and quantitative method for gathering data from 17 interviewees and 65 survey respondents from 15 countries across five continents to understand how practitioners perceive the SBOM field. We summarized 26 statements and grouped them into four topics on SBOM's states of practice. Based on the study results, we derived a goal model and highlighted future directions where practitioners can put in their effort.Index Terms-software bill of materials, SBOM, bill of materials, responsible AI, empirical study.

show abstract

Improving Critical Infrastructure Protection by Enhancing Software Acquisition Process Through Blockchain

Cited by 7 publications

References 10 publications

Taxonomy of Attacks on Open-Source Software Supply Chains

Taxonomy of Attacks on Open-Source Software Supply Chains

Towards Cross-Standard Compliance Readiness: Security Requirements Model for Smart Grid

An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead

Contact Info

Product

Resources

About