Towards Using Source Code Repositories to Identify Software Supply Chain Attacks

D.L. Vu, I. Pashchenko, F. Massacci, H. Plate, A. Sabetta

Research output: Chapter in Book / Report / Conference proceeding > Conference contribution > Academic > peer-review

Abstract

© 2020 Owner/Author.

The increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems, makes them an attractive target for software supply chain attacks. By injecting malicious code into legitimate packages, attackers have been known to reach more than 100,000 downloads of compromised packages. Current approaches for identifying malicious payloads are resource-demanding and therefore may not be applicable to the on-the-fly detection of suspicious artifacts as they are uploaded to the package repository. To address this, we propose using source code repositories (e.g., those on GitHub) to detect code injected into the distributed artifacts of a package. Our preliminary evaluation demonstrates that the proposed approach captures known attacks in which malicious code was injected into PyPI packages. The analysis of 2666 software artifacts (from all versions of the top ten most downloaded Python packages on PyPI) suggests that the technique is suitable for lightweight analysis of real-world packages.
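The abstract describes the core idea without showing the mechanics. The following is an added illustration, not the paper's own implementation: it compares the files shipped in a PyPI sdist against the files in a source checkout of the same release and reports anything the artifact adds or changes. The repository tree, the artifact, and the list of build-generated files to ignore (PKG-INFO, *.egg-info) are all constructed here as assumptions for the example; a real check would fetch the sdist from PyPI and check out the matching tag from the project's repository.

```python
"""Added example (not the paper's code): flag files that an sdist-style
artifact adds to, or changes relative to, the source repository it claims
to be built from.  All inputs below are constructed in memory."""
from __future__ import annotations

import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sdist(files: dict[str, bytes], top: str = "pkg-1.0") -> bytes:
    """Build an in-memory gzipped tarball laid out like a PyPI sdist
    (single top-level directory).  Constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def artifact_files(sdist: bytes) -> dict[str, str]:
    """Map each regular file in the artifact (top-level dir stripped)
    to the SHA-256 of its content."""
    out: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.partition("/")[2] or member.name
            out[path] = sha256(tar.extractfile(member).read())
    return out


def is_build_generated(path: str) -> bool:
    """Assumed allowlist of files setuptools writes at build time and that
    therefore never appear in the repository.  Extend per project."""
    return path == "PKG-INFO" or ".egg-info/" in path or path.endswith(".egg-info")


def find_injections(repo: dict[str, bytes], sdist: bytes) -> dict[str, list[str]]:
    """Return artifact paths that are absent from the repo ('added') or
    whose content differs from the repo ('modified')."""
    repo_hashes = {path: sha256(data) for path, data in repo.items()}
    added, modified = [], []
    for path, digest in sorted(artifact_files(sdist).items()):
        if is_build_generated(path):
            continue
        if path not in repo_hashes:
            added.append(path)
        elif repo_hashes[path] != digest:
            modified.append(path)
    return {"added": added, "modified": modified}


# Constructed sample: the repository at the release tag ...
REPO = {
    "setup.py": b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
    "pkg/__init__.py": b"def greet():\n    return 'hello'\n",
}

# ... and an artifact that adds a helper module and edits setup.py so that
# the helper runs at install time.  PKG-INFO is legitimately build-generated.
ARTIFACT_FILES = {
    "PKG-INFO": b"Metadata-Version: 2.1\nName: pkg\nVersion: 1.0\n",
    "setup.py": b"from setuptools import setup\nimport pkg._helper\n"
                b"setup(name='pkg', version='1.0')\n",
    "pkg/__init__.py": REPO["pkg/__init__.py"],
    "pkg/_helper.py": b"import os; os.system('echo payload')\n",
}
ARTIFACT = build_sdist(ARTIFACT_FILES)

if __name__ == "__main__":
    print(find_injections(REPO, ARTIFACT))
    # -> {'added': ['pkg/_helper.py'], 'modified': ['setup.py']}
```

The comparison is deliberately cheap (one hash per file, no parsing or sandboxing), which is the property the abstract argues for: it can run at upload time. The weak point of any such check is the mapping from an artifact version to the right repository commit, and the allowlist of generated files, which must be kept narrow or an attacker can hide a payload in a path the checker ignores.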
Original language: English
Title of host publication: CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 2093-2095
ISBN (Electronic): 9781450370899
ISBN (Print): 9781450370899
DOIs
Publication status: Published - 30 Oct 2020
Externally published: Yes
Event: 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 - Virtual, Online, United States
Duration: 9 Nov 2020 to 13 Nov 2020

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020
Country/Territory: United States
City: Virtual, Online
Period: 9/11/20 to 13/11/20

Funding

This research has been partly funded by the EU under the H2020 Programs H2020-EU.2.1.1-CyberSec4Europe (Grant No. 830929), NeCS: European Network for Cyber Security (Grant No. 675320) and SPARTA project (Grant No. 830892).

Funders: Funder number
European Network for Cyber Security: 675320, 830892
Horizon 2020 Framework Programme: 830929
European Commission
