TY - GEN
T1 - Secure Crowdsource-Based Open-Source Code Verification (SC)2V
AU - Nahum, Mor
AU - Grolman, Edita
AU - Maimon, Inbar
AU - Mimran, Dudu
AU - Brodt, Oleg
AU - Elyashar, Aviad
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright: © 2024 Copyright held by the owner/author(s).
PY - 2024/4/8
Y1 - 2024/4/8
N2 - Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can be exploited as a means of conducting OSS supply chain attacks, where malicious code is injected into those libraries. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are crafted towards a specific target (e.g., a developer) and performed by skilled and persistent attackers with strong technical aptitude. Since these attacks do not appear in the general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)2V - a novel, distributed framework for secure crowdsource-based code verification of OSS libraries, which is integrated into the software production build phase. (SC)2V aims to prevent targeted supply chain attacks by involving users and verifiers in a collaborative effort. (SC)2V was evaluated on 900 OSS libraries in different attack scenarios, where it took our framework an average of just 26 seconds to issue an alert for various threats.
AB - Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can be exploited as a means of conducting OSS supply chain attacks, where malicious code is injected into those libraries. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are crafted towards a specific target (e.g., a developer) and performed by skilled and persistent attackers with strong technical aptitude. Since these attacks do not appear in the general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)2V - a novel, distributed framework for secure crowdsource-based code verification of OSS libraries, which is integrated into the software production build phase. (SC)2V aims to prevent targeted supply chain attacks by involving users and verifiers in a collaborative effort. (SC)2V was evaluated on 900 OSS libraries in different attack scenarios, where it took our framework an average of just 26 seconds to issue an alert for various threats.
UR - http://www.scopus.com/inward/record.url?scp=85197678914&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3605098.3636103
DO - https://doi.org/10.1145/3605098.3636103
M3 - Conference contribution
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1536
EP - 1538
BT - 39th Annual ACM Symposium on Applied Computing, SAC 2024
T2 - 39th Annual ACM Symposium on Applied Computing, SAC 2024
Y2 - 8 April 2024 through 12 April 2024
ER -