SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties

Okafor, Chinenye; Schorlemmer, Taylor R.; Torres-Arias, Santiago; Davis, James N.

doi:10.1145/3560835.3564556

Cited by 15 publications

(2 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Reusability and trustworthiness problems in software package registries impact the relevant ecosystems [10][11][12]. Much is known about the practices and challenges of reusing traditional software packages [13][14][15], but how this knowledge transfers to the reuse of PTM packages has not been investigated. Existing software engineering knowledge describes how large companies manage private models [16,17].…”

Section: Introductionmentioning

confidence: 99%

An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry

Jiang¹,

Synovic²,

Hyatt³

et al. 2023

Preprint

View full text Add to dashboard Cite

Deep Neural Networks (DNNs) are being adopted as components in software systems. Creating and specializing DNNs from scratch has grown increasingly difficult as stateof-the-art architectures grow more complex. Following the path of traditional software engineering, machine learning engineers have begun to reuse large-scale pre-trained models (PTMs) and fine-tune these models for downstream tasks. Prior works have studied reuse practices for traditional software packages to guide software engineers towards better package maintenance and dependency management. We lack a similar foundation of knowledge to guide behaviors in pre-trained model ecosystems.In this work, we present the first empirical investigation of PTM reuse. We interviewed 12 practitioners from the most popular PTM ecosystem, Hugging Face, to learn the practices and challenges of PTM reuse. From this data, we model the decision-making process for PTM reuse. Based on the identified practices, we describe useful attributes for model reuse, including provenance, reproducibility, and portability. Three challenges for PTM reuse are missing attributes, discrepancies between claimed and actual performance, and model risks. We substantiate these identified challenges with systematic measurements in the Hugging Face ecosystem. Our work informs future directions on optimizing deep learning ecosystems by automated measuring useful attributes and potential attacks, and envision future research on infrastructure and standardization for model registries.

show abstract

Section: Introductionmentioning

confidence: 99%

An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry

Jiang¹,

Synovic²,

Hyatt³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Aplicac ¸ões que lidam com dados sensíveis, por exemplo, precisam da garantia que seus dados serão protegidos. Ameac ¸as cada vez mais comuns à cadeias de suprimento de software (com crescimento de até 650% cumulativos até 2021 [Okafor et al 2022]), como o ataque à SolarWinds em 2020 [Peisert et al 2021], enfatizam essa preocupac ¸ão. Medidas de seguranc ¸a não são cobertas por esse artigo, mas guias fortes como SLSA da Google e Secure Software Factory da CNCF podem ser seguidos para fortalecer a seguranc ¸a de aplicac ¸ões sensíveis na nuvem, e potencialmente permitir o uso de aplicac ¸ões assim em um modelo oportunista.…”

Section: Introduc ¸ãOunclassified

Arquitetura para escalonamento oportunístico na nuvem com qualidade de serviço

Albuquerque¹,

Gama²,

Brito³

2023

Anais Estendidos Do XLI Simpósio Brasileiro De Redes De Computadores E Sistemas Distribuídos (SBRC Estendido 2023)

View full text Add to dashboard Cite

O uso de computação oportunista na nuvem é popular por permitir hospedar aplicações com processamento em lotes a custo reduzido. Todavia, esse modelo não garante disponibilidade, o que restringe a qualidade de serviço dessas aplicações. Além disso, graças à alta oscilação de preços, atingir uma disponibilidade ótima com esse tipo de serviço requer despriorizar potencial econômico. Este artigo propõe um escalonador oportunístico modular para Kubernetes que equilibra custos de nós oportunistas e atrasos no processamento para garantir qualidade de serviço. Com base em preços de 2021 da AWS, a solução proporcionou economia significativa de até 50% em relação ao custo de instâncias sob demanda, permitindo processamento em tempo quase real.

show abstract