ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal
Thu 18 Apr 2024 14:00 - 14:15 at Luis de Freitas Branco - Analysis 2 Chair(s): Luís Cruz

Rogue updates, an important type of software supply-chain attack in which attackers conceal malicious code inside updates to benign software, are a growing problem due to their stealth and effectiveness. We design and implement RogueOne, a system for detecting rogue updates to JavaScript packages. RogueOne uses a novel differential data-flow analysis to capture how an update changes a package’s interactions with external APIs. Using an efficient form of abstract interpretation that can exclude unchanged code in a package, it constructs an object data-flow relationship graph (ODRG) that tracks data-flows among objects. RogueOne then maps objects to trust domains, a novel abstraction to summarize trust relationships in a package. Objects are assigned a trust domain based on whether they originate in the target package, a dependency, or in a system API. RogueOne uses the ODRG to build a set of data-flows across trust domains. It compares sets across package versions to detect untrustworthy new interactions with external APIs. We have evaluated RogueOne on hundreds of NPM packages including many top projects, demonstrating its effectiveness at detecting rogue updates and distinguishing them from benign ones. In detecting rogue updates, RogueOne achieves high accuracy while outperforming prior state-of-the-art systems built to detect malicious packages, in some cases by almost an order of magnitude.

Thu 18 Apr

Displayed time zone: Lisbon change

14:00 - 15:30
14:00
15m
Talk
RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains
Research Track
Raphael J. Sofaer Columbia University, Yaniv David Columbia University, Mingqing Kang Johns Hopkins University, Jianjia Yu Johns Hopkins University, Yinzhi Cao Johns Hopkins University, Junfeng Yang Columbia University, Jason Nieh Columbia University
DOI Pre-print
14:15
15m
Talk
ACAV: A Framework for Automatic Causality Analysis in Autonomous Vehicle Accident Recordings
Research Track
Huijia Sun ShanghaiTech University, China, Chris Poskitt Singapore Management University, Yang Sun Singapore Management University, Jun Sun Singapore Management University, Yuqi Chen ShanghaiTech University, China
Pre-print
14:30
15m
Talk
Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency Analysis
Research Track
Xiaohu Song Northeastern University, Ying Wang Northeastern University, Xiao Cheng Huawei Technologies Co., Ltd., Guangtai Liang Huawei Cloud Computing Technologies, Qianxiang Wang Huawei Technologies Co., Ltd, Zhiliang Zhu Northeastern University, China
14:45
7m
Talk
Probabilistic Safe WCET Estimation for Weakly Hard Real-Time Systems at Design Stages
Journal-first Papers
Jaekwon Lee University of Ottawa & University of Luxembourg, Seung Yeob Shin University of Luxembourg, Lionel Briand University of Ottawa, Canada; Lero centre, University of Limerick, Ireland, Shiva Nejati University of Ottawa
14:52
7m
Talk
Are automated static analysis tools worth it? An investigation into relative warning density and external software quality on the example of Apache open source projects
Journal-first Papers
Alexander Trautsch University of Passau, Steffen Herbold University of Passau, Jens Grabowski University of Göttingen
14:59
7m
Talk
Actor-driven Decomposition of Microservices through Multi-level Scalability Assessment
Journal-first Papers
Carmine Colarusso University of Sannio, Benevento, Matteo Camilli Politecnico di Milano, Barbara Russo , Eugenio Zimeo University of Sannio, Benevento
15:06
7m
Talk
TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference Tools
Demonstrations
Ashwin Prasad Shivarpatna Venkatesh University of Paderborn, Samkutty Sabu University of Paderborn, Jiawei Wang Monash University, Amir Mir Delft University of Technology, Li Li Beihang University, Eric Bodden
15:13
7m
Talk
Toward Adaptive Tracing: Efficient System Behavior Analysis using Language Models
New Ideas and Emerging Results
Kasra Darvishi Brock University, Morteza Noferesti Brock University, Naser Ezzati Jivan
Link to publication