Increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems, makes them an attractive target for software supply chain attacks. By injecting malicious code into legitimate packages, attackers were known to gain more than 100,000 downloads of compromised packages. Current approaches for identifying malicious payloads are resource demanding. Therefore, they might not be applicable for the on-the-fly detection of suspicious artifacts being uploaded to the package repository. In this respect, we propose to use source code repositories (e.g., those in Github) for detecting injections into the distributed artifacts of a package. Our preliminary evaluation demonstrates that the proposed approach captures known attacks when malicious code was injected into PyPI packages. The analysis of the 2666 software artifacts (from all versions of the top ten most downloaded Python packages in PyPI) suggests that the technique is suitable for lightweight analysis of real-world packages.

Towards Using Source Code Repositories to Identify Software Supply Chain Attacks / Vu, D. L.; Pashchenko, I.; Massacci, F.; Plate, H.; Sabetta, A.. - (2020), pp. 2093-2095. ((Intervento presentato al convegno 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 tenutosi a USA nel 2020 [10.1145/3372297.3420015].

Towards Using Source Code Repositories to Identify Software Supply Chain Attacks

Pashchenko I.;Massacci F.;
2020

Abstract

Increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems, makes them an attractive target for software supply chain attacks. By injecting malicious code into legitimate packages, attackers were known to gain more than 100,000 downloads of compromised packages. Current approaches for identifying malicious payloads are resource demanding. Therefore, they might not be applicable for the on-the-fly detection of suspicious artifacts being uploaded to the package repository. In this respect, we propose to use source code repositories (e.g., those in Github) for detecting injections into the distributed artifacts of a package. Our preliminary evaluation demonstrates that the proposed approach captures known attacks when malicious code was injected into PyPI packages. The analysis of the 2666 software artifacts (from all versions of the top ten most downloaded Python packages in PyPI) suggests that the technique is suitable for lightweight analysis of real-world packages.
Proceedings of the ACM Conference on Computer and Communications Security
United States
Association for Computing Machinery
978-1-4503-7089-9
Vu, D. L.; Pashchenko, I.; Massacci, F.; Plate, H.; Sabetta, A.
Towards Using Source Code Repositories to Identify Software Supply Chain Attacks / Vu, D. L.; Pashchenko, I.; Massacci, F.; Plate, H.; Sabetta, A.. - (2020), pp. 2093-2095. ((Intervento presentato al convegno 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 tenutosi a USA nel 2020 [10.1145/3372297.3420015].
File in questo prodotto:
File Dimensione Formato  
ccs2020poster.pdf

accesso aperto

Descrizione: Author's preprint
Tipologia: Pre-print non referato (Non-refereed preprint)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 446.87 kB
Formato Adobe PDF
446.87 kB Adobe PDF Visualizza/Apri
3372297.3420015.pdf

Solo gestori archivio

Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 1.34 MB
Formato Adobe PDF
1.34 MB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11572/282636
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 5
  • ???jsp.display-item.citation.isi??? ND
social impact