*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Understanding and Mitigating Security Risks for Software Supply Chain Customers
Feng Xiao
Ph.D. student
School of Cybersecurity and Privacy
Georgia Institute of Technology
Date: Thursday, Jan 19, 2023
Time: 12:00 pm - 1:00 pm EST
Location: https://gatech.zoom.us/j/97937967787?pwd=UUcyaC85V1cvckFSMEhCRmpTV0Q3UT09
Committee:
Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Brendan D. Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Saman Zonouz, School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Frank Li, School of Cybersecurity and Privacy, Georgia Institute of Technology
Abstract:
Modern software heavily relies on the software supply chain ecosystem to boost development efficiency and reduce costs. Due to its popularity, securing the software supply chain has become an increasingly critical concern for individuals, organizations, and governments. Existing works have revealed a series of security risks on the supplier side, e.g., adversaries are found to supply malicious software materials to the ecosystem. However, the security problems on the supply chain customer-side applications (SCCA), i.e., applications that use the supplied packages, are not well explored. In particular, while an SCCA typically integrates a large number of third-party code materials, it remains largely unknown how these materials may interact and interfere in unexpected ways to cause security consequences.
My research fills this gap by contributing two key components. In this talk, I will first demonstrate how the integrated third-party materials introduce novel attack surfaces to SCCA. I will introduce novel security risks discovered from three important SCCA categories, i.e., internet infrastructure (SP'20), web service (SEC'21), and desktop application (CCS'22). In particular, I will showcase one novel risk, cross-package poisoning. I show how different third-party materials in an SCCA may interfere with each other in unexpected ways to form new exploit chains.
Second, I will present a novel supply chain analysis framework that leverages program analysis to help developers understand the security impact of integrating certain third-party materials in the context of the whole SCCA. This framework consists of three analysis techniques, effectively covering each identified risk. In the talk, I will case study one of them, i.e., SVHunter, which mitigates the above cross-package poisoning risk by analyzing and reasoning the intricate casual relationships between packages.
Finally, I will propose Jasmine, a building block technique that improves the analysis performance of the above three techniques. Program analysis techniques hardly scale to SCCAs because they often fail to understand complex semantics and instructions hidden deeply in third-party code materials. To combat this, Jasmine developed a novel context-prioritized analysis, which focuses on the most critical aspect of analyzing SCCA, i.e., figuring out how a third-party package changes the states of the application, while safely ignoring other low-level details in the third-party code.