Secure Crowdsource-Based Open-Source Code Verification (SC)2V

Mor Nahum, Edita Grolman, Inbar Maimon, Dudu Mimran, Oleg Brodt, Aviad Elyashar, Yuval Elovici, Asaf Shabtai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can be exploited as a means of conducting OSS supply chain attacks, in which malicious code is injected into those libraries. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are crafted towards a specific target (e.g., a developer) and performed by skilled and persistent attackers with strong technical aptitude. Since these attacks do not appear in the general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)2V, a novel, distributed framework for secure crowdsource-based code verification of OSS libraries, which is integrated into the software production build phase. (SC)2V aims to prevent targeted supply chain attacks by involving users and verifiers in a collaborative effort. (SC)2V was evaluated on 900 OSS libraries in different attack scenarios, where it took our framework an average of just 26 seconds to issue an alert for the various threats.

Original language: American English
Title of host publication: 39th Annual ACM Symposium on Applied Computing, SAC 2024
Pages: 1536-1538
Number of pages: 3
ISBN (Electronic): 9798400702433
DOIs
State: Published - 8 Apr 2024
Event: 39th Annual ACM Symposium on Applied Computing, SAC 2024 - Avila, Spain
Duration: 8 Apr 2024 - 12 Apr 2024

Publication series

Name: Proceedings of the ACM Symposium on Applied Computing

Conference

Conference: 39th Annual ACM Symposium on Applied Computing, SAC 2024
Country/Territory: Spain
City: Avila
Period: 8/04/24 - 12/04/24

All Science Journal Classification (ASJC) codes

  • Software
