SOftware suppLy chain Attack and defenCE

Software Supply Chain

Our society is becoming more and more dependent on information systems that affect all aspects of human life. The quality of these systems is fundamental to ensure security, reliability, and trust. These systems are developed using a multitude of external packages or third-party libraries. For instance, according to a security researcher from GitHub, 85% to 97% of enterprise software code base comes from open-source components. In addition, these components have transitive dependencies between them, for example, npm has more than 700,000 published packages with an average of 90 direct and indirect dependencies for each package. Hence, increasing the influence that propagates from a package to its dependents.

Developers tend to trust the authenticity and integrity of third-party packages hosted on commonly-used repositories. However, attacks can be conducted by exploiting package updates to compromise dependent systems. These attacks are known as Supply Chain Attacks.

Third-party packages often have access to powerful capabilities at the operating system level to create serious vulnerabilities. Additionally, the major challenge lies in the fact that the manual review of such types of vulnerabilities is not as obvious, which amplifies their consequences. For example, the SolarWinds attack that was conducted in December 2020 has put the spotlight on these types of attacks, where a group of hackers had breached the company 6 months before planting a malicious code in the software updates of a network monitoring tool (called Orion). This incident was then discovered 10 months after the attack was triggered, affecting 18,000 users and at least 9 US federal agencies. Also, very recently, a new type of vulnerability has emerged under a concept known as dependency confusion, where over 35 tech companies were in risk of having their systems breached by reverting the use of internal private packages to external packages uploaded on public registries.

The research community has taken the lead in raising awareness about these vulnerabilities and has proposed some security measures to deal with them. Several state-of-the-art works have been proposed to analyze package managers (e.g., npm, PyPI, RubyGems, etc.) using heuristics, unsupervised learning, supervised learning as well as word embedding techniques to detect and identify vulnerable and potentially malicious package versions. These studies are mainly based on static, dynamic or metadata analysis. Other interesting tools (e.g., Dependabot) have been used to monitor dependencies and fix vulnerable versions of packages. However, vulnerabilities targeting software supply chains are still making the highlights. For instance, the recent vulnerability present in the open-source libwebp library deeply impacted popular web browsers including Chrome, Firefox, and Microsoft Edge, messaging Applications (e.g. Signal). Due to the critical importance of the software supply chain, including for national security, and the increasing threats posed by malicious actors, there is a considerable and urgent need to:

• Evaluate the appropriateness and the limits of the current tools and security measures related to dependency updates and the management of security vulnerabilities that lead to threatening the software supply chain. A literature review will be conducted.
• Develop new approaches to efficiently detect supply chain vulnerabilities. To that end, Large Language Models (LLMs) will be explored. Recent research works have shown that LLMs can indeed be used in various software engineering and software security tasks such as vulnerability detection with promising results. One challenge of this task is related to the scarcity of real-world examples of supply chain attacks making difficult to learn and characterize such attacks. However, LLMs could benefit from their capabilities of extracting information from natural language descriptions such as commit messages or bug reports. A commit message could be, for instance, used to check that what is announced in the commit message is actually done in the code patch. Bug reports should be considered carefully. Indeed, a bug report indicating for instance a crash, could be a valuable source of information for an attacker who will try to benefit from this crash (which can be easily reproduced thanks to the information provided in the bug report) to create an exploit.
• Develop new approaches to automated library updates. Some popular tools such as Dependabot already exist, but they mainly help in managing simple dependency updates. Further research is necessary to handle complex and transitive updates.
• Develop new automated penetration testing tools to increase confidence in open-source libraries. Ideally, tests should be comprehensive enough to ensure that libraries are free from vulnerabilities.