Dependencies

The modern world relies on digital innovation in almost every human endeavor and for our critical infrastructure. Digital innovation has been accelerated substantially as software is increasingly built on top of layers of reusable abstractions, including libraries, frameworks, and cloud infrastructure. Where teams of engineers previously invested months, today beginners can write intelligent smartphone apps with a few lines of code. Leveraging these reusable abstractions gives rise to software supply chains, in which software products include “upstream” components, a.k.a. dependencies, created and modified by others, which in turn often include their own transitive dependencies. Most of these dependencies are open-source projects. However, with all the power that software supply chains and open-source infrastructure provide come risks as well.

Highlighted Outcomes

  • Trevor Dunlap, John Speed Meyers, Brad Reaves, and William Enck, Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs, in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Jul. 2024.
  • Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves, VFCFinder: Pairing Security Advisories and Patches, in Proceedings of the ACM ASIA Conference on Computer and Communications Security (AsiaCCS), Jul. 2024.
  • Courtney Miller, Christian Kästner, and Bogdan Vasilescu, "We Feel Like We’re Winging It:" A Study on Navigating Open-Source Dependency Abandonment, in Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), Dec. 2023.
  • Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves, Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis, in Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), Jul. 2023.

Secure Build

Modern software development has evolved into a process that leverages tooling and automation to transform code into software artifacts that get deployed or shipped to users. This shift, from writing code to building software, introduces an additional step in the development process that affects the security of the software supply chain. We consider two key aspects of secure builds: (1) analysis of the build and deployment process, including the associated security tests, and (2) techniques that help projects achieve reproducible builds.
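As an added example, not code from this page or from any of the projects it lists, the following Python script shows the check that underpins reproducible builds: build the same source tree twice and compare the digests of the outputs. The naive build function, the normalization steps in the reproducible variant, the sample source tree, and the SOURCE_DATE_EPOCH value are all constructed for illustration.

```python
"""Reproducible-build check: build an archive twice and compare SHA-256 digests.

Added example (not from the page or the projects it describes). The sample
source tree and the pinned timestamp below are constructed for the demo.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Pinned timestamp, following the SOURCE_DATE_EPOCH convention (constructed value).
SOURCE_DATE_EPOCH = 1700000000


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_tree(root):
    """Constructed sample source tree (two small files)."""
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    with open(os.path.join(root, "src", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "README"), "w") as f:
        f.write("sample project\n")


def build_naive(src_root, out_path):
    """Non-reproducible build: embeds a wall-clock build stamp, keeps filesystem
    mtimes and owners, walks directories in whatever order os.walk returns them,
    and lets gzip record the current time and the output file name in its header."""
    with tarfile.open(out_path, "w:gz") as tar:
        stamp = ("built at %f\n" % time.time()).encode()
        info = tarfile.TarInfo("BUILD_INFO")
        info.size = len(stamp)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(stamp))
        for dirpath, _dirs, files in os.walk(src_root):
            for name in files:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, src_root))


def build_reproducible(src_root, out_path):
    """Normalize every source of nondeterminism: sorted entry order, pinned
    mtime, fixed owner, canonical file modes, and a gzip header with a zeroed
    timestamp and no embedded file name."""
    entries = []
    for dirpath, dirs, files in os.walk(src_root):
        dirs.sort()
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, src_root), full))
    entries.sort()
    with open(out_path, "wb") as raw:
        with gzip.GzipFile(filename="", mode="wb", fileobj=raw, mtime=0) as gz:
            with tarfile.open(fileobj=gz, mode="w") as tar:
                for arcname, full in entries:
                    info = tar.gettarinfo(full, arcname=arcname)
                    info.mtime = SOURCE_DATE_EPOCH
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                    info.mode = 0o755 if info.mode & 0o111 else 0o644
                    with open(full, "rb") as f:
                        tar.addfile(info, f)


def is_reproducible(build_fn, src_root, runs=2):
    """Run the build `runs` times into fresh output files and report whether
    every output has the same SHA-256 digest."""
    digests = set()
    for _ in range(runs):
        fd, out = tempfile.mkstemp(suffix=".tar.gz")
        os.close(fd)
        try:
            build_fn(src_root, out)
            digests.add(sha256_file(out))
        finally:
            os.unlink(out)
    return len(digests) == 1


def demo():
    """Build the constructed tree with both strategies; returns a dict of results."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return {
            "naive": is_reproducible(build_naive, root),
            "reproducible": is_reproducible(build_reproducible, root),
        }


if __name__ == "__main__":
    print(demo())
```

The comparison is the whole point: a rebuild that yields a different digest cannot be distinguished from a tampered artifact, so each normalization step in `build_reproducible` removes one way for two honest builds to disagree (timestamps, ownership, traversal order, and compressor metadata), leaving the digest to vouch for the source alone.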

Highlighted Outcomes

  • Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry, ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions, in Proceedings of the USENIX Security Symposium, Aug. 2023.
  • Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar, It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.

Humans

Securing the software supply chain requires that we recognize the importance of the humans involved. Often holding key positions in creating, distributing, and selecting software, these experts can contribute to or detract from security depending on their approaches and considerations. Additionally, recent attacks have shown that software experts, through their close involvement with software code and distribution, are a link in the software supply chain that is commonly and successfully attacked. Therefore, a comprehensive approach that considers the human factor is crucial for effective software supply chain security.

Highlighted Outcomes

In “It’s like flossing your teeth” [2] we conducted a series of 24 semi-structured expert interviews with participants from the ReproducibleBuilds.org project. We identified key factors for achieving reproducible builds (R-Bs), such as motivated developers and collaborative communication with upstream projects. Additionally, we discuss motivations for adopting R-Bs and provide recommendations for integrating them into the open source and free software community.

In “Always Contribute Back” [3] we conducted a study consisting of 25 interviews with software developers, architects, and engineers from industry software projects. We found that open source components play an important role in many projects, and that most projects have policies or best practices for including external code, but many developers want more resources for auditing the components they include.

In “Pushed by Accident” [1] we surveyed 109 developers and conducted interviews with 14 participants who had experienced code secret leaks. We found that 30.3% of developers had encountered such leaks in the past, leading to risks such as service abuse and exposure of sensitive data. We provide recommendations for developers and source code platform providers to minimize the risk of secret leakage.

  • Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, and Sascha Fahl, Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories, in Proceedings of the USENIX Security Symposium, Aug. 2023.
  • Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar, It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.
  • Dominik Wermke, Jan H. Klemmer, Noah Wöhler, Juliane Schmüser, Harshini Sri Ramulu, Yasemin Acar, and Sascha Fahl, “Always Contribute Back”: A Qualitative Study on Security Challenges of the Open Source Supply Chain, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.