RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains
Rogue updates, an important type of software supply-chain attack in which attackers conceal malicious code inside updates to benign software, are a growing problem due to their stealth and effectiveness. We design and implement RogueOne, a system for detecting rogue updates to JavaScript packages. RogueOne uses a novel differential data-flow analysis to capture how an update changes a package’s interactions with external APIs. Using an efficient form of abstract interpretation that can exclude unchanged code in a package, it constructs an object data-flow relationship graph (ODRG) that tracks data-flows among objects. RogueOne then maps objects to trust domains, a novel abstraction to summarize trust relationships in a package. Objects are assigned a trust domain based on whether they originate in the target package, a dependency, or in a system API. RogueOne uses the ODRG to build a set of data-flows across trust domains. It compares sets across package versions to detect untrustworthy new interactions with external APIs. We have evaluated RogueOne on hundreds of NPM packages including many top projects, demonstrating its effectiveness at detecting rogue updates and distinguishing them from benign ones. In detecting rogue updates, RogueOne achieves high accuracy while outperforming prior state-of-the-art systems built to detect malicious packages, in some cases by almost an order of magnitude.