Title:
Understanding and mitigating security threats in software supply chain

Author(s)
Xiao, Feng
Advisor(s)
Lee, Wenke
Abstract
Modern software relies heavily on the software supply chain ecosystem to boost development efficiency and reduce costs. Because of this reliance, securing the software supply chain has become an increasingly critical concern for individuals, organizations, and governments alike. Unfortunately, the inherent vastness, complexity, and interdependence of the software supply chain often render existing security techniques inadequate. In particular, as developers now incorporate a plethora of unfamiliar third-party code, it is becoming increasingly difficult for existing vulnerability detection and mitigation techniques to understand and restrict program behavior. To tackle these diverse threats and rising complexities, my dissertation proposes a series of novel program analysis techniques that focus on validating the interactions between supply chain modules. Along this path, I have designed and implemented a robust, end-to-end program analysis framework. In this dissertation, I first present LYNX and JASMINE, which are designed to help developers understand the security-related properties of complex supply chain software. Specifically, LYNX reveals and characterizes hidden execution paths and input spaces that arise from careless use of supply chain packages. LYNX led to the discovery of a novel attack vector, hidden property abusing, as well as 15 previously unknown vulnerabilities. JASMINE, on the other hand, is a scalable program analysis paradigm that reduces the complexity of supply chain security analysis by focusing on inter-module behavior when analyzing bloated and complex third-party modules. By applying JASMINE to real-world programs in the npm supply chain, we detected 22 new vulnerabilities, many of which were assigned the highest CVSS severity rating. Finally, I present XGuard, a tool that enables developers to deploy robust and efficient security protection. XGuard uses the security properties identified by LYNX and JASMINE to automatically generate detailed protection policies; with these policies in place, XGuard enforces the integrity of data and control flow within supply chain software.
Date Issued
2023-11-29
Resource Type
Text
Resource Subtype
Dissertation