SOftware suppLy chain Attack and defenCE

Security Architecture

SOLACE

Scheduled

BE-LUX Cooperation

January 2025 December 2027

36 months

Thibault Debatty

Our society is becoming more and more dependent on information systems that affect all aspects of human life. The quality of these systems is fundamental to ensure security, reliability, and trust. These systems are developed using a multitude of external packages or third-party libraries. For instance, according to a security researcher from GitHub, 85% to 97% of enterprise software code base comes from open-source components. In addition, these components have transitive dependencies between them, for example, npm has more than 700,000 published packages with an average of 90 direct and indirect dependencies for each package. Hence, increasing the influence that propagates from a package to its dependents.

Developers tend to trust the authenticity and integrity of third-party packages hosted on commonly-used repositories. However, attacks can be conducted by exploiting package updates to compromise dependent systems. These attacks are known as Supply Chain Attacks.

Third-party packages often have access to powerful capabilities at the operating system level to create serious vulnerabilities. Additionally, the major challenge lies in the fact that the manual review of such types of vulnerabilities is not as obvious, which amplifies their consequences. For example, the SolarWinds attack that was conducted in December 2020 has put the spotlight on these types of attacks, where a group of hackers had breached the company 6 months before planting a malicious code in the software updates of a network monitoring tool (called Orion). This incident was then discovered 10 months after the attack was triggered, affecting 18,000 users and at least 9 US federal agencies. Also, very recently, a new type of vulnerability has emerged under a concept known as dependency confusion, where over 35 tech companies were in risk of having their systems breached by reverting the use of internal private packages to external packages uploaded on public registries.

The research community has taken the lead in raising awareness about these vulnerabilities and has proposed some security measures to deal with them. Several state-of-the-art works have been proposed to analyze package managers (e.g., npm, PyPI, RubyGems, etc.) using heuristics, unsupervised learning, supervised learning as well as word embedding techniques to detect and identify vulnerable and potentially malicious package versions. These studies are mainly based on static, dynamic or metadata analysis. Other interesting tools (e.g., Dependabot) have been used to monitor dependencies and fix vulnerable versions of packages. However, vulnerabilities targeting software supply chains are still making the highlights. For instance, the recent vulnerability present in the open-source libwebp library deeply impacted popular web browsers including Chrome, Firefox, and Microsoft Edge, messaging Applications (e.g. Signal). Due to the critical importance of the software supply chain, including for national security, and the increasing threats posed by malicious actors, there is a considerable and urgent need to:

  • Evaluate the appropriateness and the limits of the current tools and security measures related to dependency updates and the management of security vulnerabilities that lead to threatening the software supply chain. A literature review will be conducted.
  • Develop new approaches to efficiently detect supply chain vulnerabilities. To that end, Large Language Models (LLMs) will be explored. Recent research works have shown that LLMs can indeed be used in various software engineering and software security tasks such as vulnerability detection with promising results. One challenge of this task is related to the scarcity of real-world examples of supply chain attacks making difficult to learn and characterize such attacks. However, LLMs could benefit from their capabilities of extracting information from natural language descriptions such as commit messages or bug reports. A commit message could be, for instance, used to check that what is announced in the commit message is actually done in the code patch. Bug reports should be considered carefully. Indeed, a bug report indicating for instance a crash, could be a valuable source of information for an attacker who will try to benefit from this crash (which can be easily reproduced thanks to the information provided in the bug report) to create an exploit.
  • Develop new approaches to automated library updates. Some popular tools such as Dependabot already exist, but they mainly help in managing simple dependency updates. Further research is necessary to handle complex and transitive updates.
  • Develop new automated penetration testing tools to increase confidence in open-source libraries. Ideally, tests should be comprehensive enough to ensure that libraries are free from vulnerabilities.
Run a local instance of Stable Diffusion and use AI to generate images

AI

Next to ChatGPT, the apparition of image generation AI was a real breakthrough. These algorithms are able to create stunning and detailed images from textual descriptions. In this field, Stable Diffusion stands out by the quality of the images, but also by its open and accessible nature. Unlike many proprietary AI tools, Stable Diffusion makes its source code and models freely available.

Read
CYLAB at the ARES conference 2024

AI Cyber Situation Awareness Conference

Members of the Cyber Defence Lab attended this year's edition of the "International Conference on Availability, Reliability and Security ARES 2024" that was held in Vienna, Austria. They presented two papers in the field of AI and Cyber Situation Awareness.

Read
AI powered knowledge exploration with Globe Explorer

AI Teaching

Next to the very popular ChatGPT, a lot of other AI powered applications have sparked on the web recently. Globe Explorer https://explorer.globe.engineer/ is one of these, specially developed to explore knowledge and discover new domains.

Read
Full-time researcher - Automated red teaming - DAP/22-13

Jobs News AI

In the framework of the study DAP22-13 “Automated red teaming”, we are looking for a full-time researcher in cyberdefense with a Master of Science in Cybersecurity, in Computer Science, or equivalent.

Read
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept