Taxonomy of Attacks on Open-Source Software Supply Chains

Ladisa, Piergiorgio; Plate, Henrik; Martínez, Matías; Barais, Olivier

doi:10.48550/arxiv.2204.04008

Cited by 4 publications

(3 citation statements)

References 50 publications

(91 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attackers also compromise the repositories themselves and not just individual packages [22], [31]. Recent work has created a comprehensive taxonomy of attacks on the OSS supply chain [32].…”

Section: A Software Supply Chain Attacksmentioning

confidence: 99%

“…An alert associated with a malicious package is considered a true positive, while an alert on a benign package is a false positive. a) Tool selection: We used the work of Ladisa et al [32] and surveyed existing literature to create a list of candidate Python malware detection tools. Notably, we did not include vulnerability scanning tools such as Security.py, Hawkeye, and Salus because these packages (by design) tend to have many findings on benign code, and this work studies only deliberately malicious software.…”

Section: A Approachmentioning

confidence: 99%

See 1 more Smart Citation

Bad Snakes: Understanding and Improving Python Package Index Malware Scanning

Newman

Meyers

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Open-source, community-driven package repositories see thousands of malware packages each year, but do not currently run automated malware detection systems. In this work, we explore the security goals of the repository administrators and the requirements for deploying such malware scanners via a case study of the Python ecosystem and PyPI repository, including interviews with administrators and maintainers. Further, we evaluate existing malware detection techniques for deployment in this setting by creating a benchmark dataset and comparing several existing tools: the malware checks implemented in PyPI, Bandit4Mal, and OSSGadget's OSS Detect Backdoor.We find that repository administrators have exacting requirements for such malware detection tools. Specifically, they consider a false positive rate of even 0.1% to be unacceptably high, given the large number of package releases that might trigger false alerts. Measured tools have false positive rates between 15% and 97%; increasing thresholds for detection rules to reduce this rate renders the true positive rate useless.While automated tools are far from reaching these demands, we find that a socio-technical malware detection system has emerged to meet these needs: external security researchers perform repository malware scans, filter for useful results, and report the results to repository administrators. These parties face different incentives and constraints on their time and tooling. We conclude with recommendations for improving detection capabilities and strengthening the collaboration between security researchers and software repository administrators.

show abstract

Section: A Software Supply Chain Attacksmentioning

confidence: 99%

Section: A Approachmentioning

confidence: 99%

Bad Snakes: Understanding and Improving Python Package Index Malware Scanning

Newman

Meyers

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…Further, prior research has shown that code review helps ensure higher code quality [29] and can prevent the introduction of new security vulnerabilities [17]. Ladisa et al [26] have developed an attack taxonomy for open source supply chain attacks, where they have mentioned code review as a safeguard against the attack vector inject into sources of legitimate package.…”

Section: Introductionmentioning

confidence: 99%

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

Imtiaz¹,

Williams²

2022

Preprint

View full text Add to dashboard Cite

As modern software extensively uses free open source packages as dependencies, developers have to regularly pull in new third-party code through frequent updates. However, without a proper review of every incoming change, vulnerable and even malicious code can sneak into the codebase through these dependencies. The goal of this study is to aid developers in securely accepting dependency updates by measuring if the code changes in an update have passed through a code review process. We implement DepDive, an update audit tool for packages in Crates.io, npm, PyPI, and RubyGems registry. DepDive first (i) identifies the files and the code changes in an update that cannot be traced back to the package's source repository, i.e., phantom artifacts; and then (ii) measures what portion of changes in the update, excluding the phantom artifacts, has passed through a code review process, i.e., code review coverage.Using DepDive, we present an empirical study across the latest ten updates of the most downloaded 1000 packages in each of the four registries. Our study unveils interesting insights while also providing an evaluation of our proposed approach. We find that phantom artifacts are not uncommon in the updates (20.1% of the analyzed updates had at least one phantom file). The phantoms can appear either due to legitimate reasons, such as in the case of programmatically generated files, or from accidental inclusion, such as in the case of files that are ignored in the repository. However, without provenance tracking, we cannot audit if the changes in these phantom artifacts were code-reviewed or not.Regarding code review coverage (CRC), we find the updates are typically only partially code-reviewed (52.5% of the time). Further, only 9.0% of the packages had all their updates in our data set fully code-reviewed, indicating that even the most used packages can introduce non-reviewed code in the software supply chain. We also observe that updates either tend to have very high CRC or very low CRC, suggesting that packages at the opposite end of the spectrum may require a separate set of treatments.

show abstract