TY - JOUR
T1 - OSSIntegrity
T2 - Collaborative open-source code integrity verification
AU - Nahum, Mor
AU - Grolman, Edita
AU - Maimon, Inbar
AU - Mimran, Dudu
AU - Brodt, Oleg
AU - Elyashar, Aviad
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2024 Elsevier Ltd
PY - 2024/9/1
Y1 - 2024/9/1
N2 - Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can also be exploited and used as a means of conducting OSS supply chain attacks. In OSS attacks, malicious code is injected into libraries used by the target. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted towards a specific target (i.e., a developer). Since these attacks do not target general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)2V — secure crowdsource-based code verification, a novel distributed and scalable framework for verifying OSS libraries. (SC)2V is aimed at preventing targeted supply chain attacks and is integrated into the build phase of software production, serving as an additional code verification step before packaging the application and deploying it. (SC)2V involves both users (developers seeking to verify an OSS library) and verifiers who contribute to the collaborative verification effort. (SC)2V considers a library verified and safe when a consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases) on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that it took our framework an average of just 26 s to issue an alert against the attacks.
AB - Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can also be exploited and used as a means of conducting OSS supply chain attacks. In OSS attacks, malicious code is injected into libraries used by the target. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted towards a specific target (i.e., a developer). Since these attacks do not target general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)2V — secure crowdsource-based code verification, a novel distributed and scalable framework for verifying OSS libraries. (SC)2V is aimed at preventing targeted supply chain attacks and is integrated into the build phase of software production, serving as an additional code verification step before packaging the application and deploying it. (SC)2V involves both users (developers seeking to verify an OSS library) and verifiers who contribute to the collaborative verification effort. (SC)2V considers a library verified and safe when a consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases) on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that it took our framework an average of just 26 s to issue an alert against the attacks.
KW - Collaborative systems
KW - Open-source software security
KW - Software supply chain attacks
UR - http://www.scopus.com/inward/record.url?scp=85198712909&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2024.103977
DO - 10.1016/j.cose.2024.103977
M3 - Article
AN - SCOPUS:85198712909
SN - 0167-4048
VL - 144
JO - Computers and Security
JF - Computers and Security
M1 - 103977
ER -