Title: Understanding and Mitigating Security Risks for Software Supply Chain Customers

Feng Xiao

Ph.D. student

School of Cybersecurity and Privacy

Georgia Institute of Technology

Date: Thursday, Jan 19, 2023

Time: 12:00 pm - 1:00 pm EST

Location: https://gatech.zoom.us/j/97937967787?pwd=UUcyaC85V1cvckFSMEhCRmpTV0Q3UT09

Committee:

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Brendan D. Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Saman Zonouz, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Frank Li, School of Cybersecurity and Privacy, Georgia Institute of Technology

Abstract:

Modern software heavily relies on the software supply chain ecosystem to boost development efficiency and reduce costs. Due to its popularity, securing the software supply chain has become an increasingly critical concern for individuals, organizations, and governments. Existing works have revealed a series of security risks on the supplier side, e.g., adversaries are found to supply malicious software materials to the ecosystem. However, the security problems on the supply chain customer-side applications (SCCA), i.e., applications that use the supplied packages, are not well explored.  In particular, while an SCCA typically integrates a large number of third-party code materials, it remains largely unknown how these materials may interact and interfere in unexpected ways to cause security consequences.

My research fills this gap by contributing two key components. In this talk, I will first demonstrate how the integrated third-party materials introduce novel attack surfaces to SCCA. I will introduce novel security risks discovered from three important SCCA categories, i.e., internet infrastructure (SP'20), web service (SEC'21), and desktop application (CCS'22). In particular, I will showcase one novel risk, cross-package poisoning. I show how different third-party materials in an SCCA may interfere with each other in unexpected ways to form new exploit chains.

Second, I will present a novel supply chain analysis framework that leverages program analysis to help developers understand the security impact of integrating certain third-party materials in the context of the whole SCCA. This framework consists of three analysis techniques, effectively covering each identified risk. In the talk, I will case study one of them, i.e., SVHunter, which mitigates the above cross-package poisoning risk by analyzing and reasoning the intricate casual relationships between packages.

Finally, I will propose Jasmine, a building block technique that improves the analysis performance of the above three techniques. Program analysis techniques hardly scale to SCCAs because they often fail to understand complex semantics and instructions hidden deeply in third-party code materials. To combat this, Jasmine developed a novel context-prioritized analysis, which focuses on the most critical aspect of analyzing SCCA, i.e., figuring out how a third-party package changes the states of the application, while safely ignoring other low-level details in the third-party code.