Our society is becoming more and more dependent on information systems that affect all aspects of human life. The quality of these systems is fundamental to ensure security, reliability, and trust. These systems are developed using a multitude of external packages or third-party libraries. For instance, according to a security researcher from GitHub, 85% to 97% of enterprise software code base comes from open-source components. In addition, these components have transitive dependencies between them, for example, npm has more than 700,000 published packages with an average of 90 direct and indirect dependencies for each package. Hence, increasing the influence that propagates from a package to its dependents.
Developers tend to trust the authenticity and integrity of third-party packages hosted on commonly-used repositories. However, attacks can be conducted by exploiting package updates to compromise dependent systems. These attacks are known as Supply Chain Attacks.
Third-party packages often have access to powerful capabilities at the operating system level to create serious vulnerabilities. Additionally, the major challenge lies in the fact that the manual review of such types of vulnerabilities is not as obvious, which amplifies their consequences. For example, the SolarWinds attack that was conducted in December 2020 has put the spotlight on these types of attacks, where a group of hackers had breached the company 6 months before planting a malicious code in the software updates of a network monitoring tool (called Orion). This incident was then discovered 10 months after the attack was triggered, affecting 18,000 users and at least 9 US federal agencies. Also, very recently, a new type of vulnerability has emerged under a concept known as dependency confusion, where over 35 tech companies were in risk of having their systems breached by reverting the use of internal private packages to external packages uploaded on public registries.
The research community has taken the lead in raising awareness about these vulnerabilities and has proposed some security measures to deal with them. Several state-of-the-art works have been proposed to analyze package managers (e.g., npm, PyPI, RubyGems, etc.) using heuristics, unsupervised learning, supervised learning as well as word embedding techniques to detect and identify vulnerable and potentially malicious package versions. These studies are mainly based on static, dynamic or metadata analysis. Other interesting tools (e.g., Dependabot) have been used to monitor dependencies and fix vulnerable versions of packages. However, vulnerabilities targeting software supply chains are still making the highlights. For instance, the recent vulnerability present in the open-source libwebp library deeply impacted popular web browsers including Chrome, Firefox, and Microsoft Edge, messaging Applications (e.g. Signal). Due to the critical importance of the software supply chain, including for national security, and the increasing threats posed by malicious actors, there is a considerable and urgent need to:
Next to ChatGPT, the apparition of image generation AI was a real breakthrough. These algorithms are able to create stunning and detailed images from textual descriptions. In this field, Stable Diffusion stands out by the quality of the images, but also by its open and accessible nature. Unlike many proprietary AI tools, Stable Diffusion makes its source code and models freely available.
ReadAI Cyber Situation Awareness Conference
Members of the Cyber Defence Lab attended this year's edition of the "International Conference on Availability, Reliability and Security ARES 2024" that was held in Vienna, Austria. They presented two papers in the field of AI and Cyber Situation Awareness.
ReadNext to the very popular ChatGPT, a lot of other AI powered applications have sparked on the web recently. Globe Explorer https://explorer.globe.engineer/ is one of these, specially developed to explore knowledge and discover new domains.
ReadIn the framework of the study DAP22-13 “Automated red teaming”, we are looking for a full-time researcher in cyberdefense with a Master of Science in Cybersecurity, in Computer Science, or equivalent.
Read