What are Weak Links in the npm Supply Chain?
Wed 11 May 2022 12:05 - 12:10 at ICSE room 2-even hours - Software Security 8 Chair(s): Barbara Russo
Thu 26 May 2022 09:30 - 09:35 at Room 306+307 - Papers 10: Software Security 1 Chair(s): Joshua Garcia
Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software’s supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists identify weak links in a software supply chain by empirically studying npm package metadata.In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of a security weakness in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. Our analysis identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.
Mon 9 MayDisplayed time zone: Eastern Time (US & Canada) change
Wed 11 MayDisplayed time zone: Eastern Time (US & Canada) change
Thu 26 MayDisplayed time zone: Eastern Time (US & Canada) change
09:00 - 10:30 | Papers 10: Software Security 1Technical Track / SEIP - Software Engineering in Practice / Journal-First Papers at Room 306+307 Chair(s): Joshua Garcia University of California, Irvine | ||
09:00 5mTalk | The Case for Adaptive Security Interventions Journal-First Papers Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun , Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland) Link to publication DOI Pre-print Media Attached | ||
09:05 5mTalk | Out of Sight, Out of Mind? How Vulnerable Dependencies Affect Open-Source Projects Journal-First Papers Gede Artha Azriadi Prana Singapore Management University, Abhishek Sharma Veracode, Inc., Lwin Khin Shar Singapore Management University, Darius Foo National University of Singapore, Andrew Santosa Veracode, Inc., Asankhaya Sharma Veracode, Inc., David Lo Singapore Management University Pre-print Media Attached | ||
09:10 5mTalk | VulCNN: An Image-inspired Scalable Vulnerability Detection System Technical Track Yueming Wu Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Shihan Dou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Duo Xu Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology DOI Pre-print Media Attached | ||
09:15 5mTalk | Deep Learning based Vulnerability Detection: Are We There Yet? Journal-First Papers Saikat Chakraborty Columbia University, Rahul Krishna IBM Research, Yangruibo Ding Columbia University, Baishakhi Ray Columbia University Link to publication DOI Media Attached | ||
09:20 5mTalk | Practical Automated Detection of Malicious npm Packages Technical Track Pre-print Media Attached | ||
09:25 5mTalk | Exploiting Input Sanitization for Regex Denial of Service Technical Track DOI Pre-print Media Attached | ||
09:30 5mTalk | What are Weak Links in the npm Supply Chain? SEIP - Software Engineering in Practice Nusrat Zahan North Carolina State University, Laurie Williams North Carolina State University, Thomas Zimmermann Microsoft Research, Patrice Godefroid Microsoft Research, USA, Brendan Murphy Microsoft Research, Chandra Sekhar Maddila Microsoft Research Pre-print Media Attached | ||
09:35 5mTalk | Rotten Apples Spoil the Bunch: An Anatomy of Google Play Malware Technical Track Michael Cao University of British Columbia, Khaled Ahmed University of British Columbia (UBC), Julia Rubin University of British Columbia Pre-print Media Attached | ||
09:40 5mTalk | What the Fork? Finding Hidden Code Clones in npm Technical Track Elizabeth Wyss University of Kansas, Lorenzo De Carli Worcester Polytechnic Institute, Drew Davidson University of Kansas DOI Pre-print Media Attached | ||