ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal
Thu 18 Apr 2024 14:00 - 14:15 at Luis de Freitas Branco - Analysis 2 Chair(s): Luís Cruz

Rogue updates, an important type of software supply-chain attack in which attackers conceal malicious code inside updates to benign software, are a growing problem due to their stealth and effectiveness. We design and implement RogueOne, a system for detecting rogue updates to JavaScript packages. RogueOne uses a novel differential data-flow analysis to capture how an update changes a package’s interactions with external APIs. Using an efficient form of abstract interpretation that can exclude unchanged code in a package, it constructs an object data-flow relationship graph (ODRG) that tracks data-flows among objects. RogueOne then maps objects to trust domains, a novel abstraction to summarize trust relationships in a package. Objects are assigned a trust domain based on whether they originate in the target package, a dependency, or in a system API. RogueOne uses the ODRG to build a set of data-flows across trust domains. It compares sets across package versions to detect untrustworthy new interactions with external APIs. We have evaluated RogueOne on hundreds of NPM packages including many top projects, demonstrating its effectiveness at detecting rogue updates and distinguishing them from benign ones. In detecting rogue updates, RogueOne achieves high accuracy while outperforming prior state-of-the-art systems built to detect malicious packages, in some cases by almost an order of magnitude.
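How the comparison of cross-trust-domain flow sets described above can single out an update's new interactions with external APIs, as an added toy example that is not RogueOne's code: the ODRG encoding, the object names and the two package versions are constructed here, whereas the real system derives the graph by abstract interpretation of the package source rather than taking it as input.

```javascript
// Added example, not RogueOne's code: a toy model of the differential comparison of
// cross-trust-domain data-flows. Object names and sample versions are constructed.
const DOMAINS = new Set(["package", "dependency", "system"]); // trust domains per the abstract

// Build one version's ODRG from {objectName: domain} and directed data-flow edges.
function buildGraph(nodes, edges) {
  const adj = new Map();
  for (const [name, domain] of Object.entries(nodes)) {
    if (!DOMAINS.has(domain)) throw new Error(`unknown trust domain for ${name}`);
    adj.set(name, []);
  }
  for (const [from, to] of edges) {
    if (!adj.has(from) || !adj.has(to)) throw new Error(`unknown object in ${from} -> ${to}`);
    adj.get(from).push(to);
  }
  return { nodes, adj };
}

// Summarise the ODRG as "<source domain> -> <external object>" for every object whose
// data transitively reaches a dependency or system API object (depth-first reachability).
function crossDomainFlows(graph) {
  const flows = new Set();
  for (const src of graph.adj.keys()) {
    const seen = new Set([src]), stack = [src];
    while (stack.length) {
      for (const next of graph.adj.get(stack.pop())) {
        if (seen.has(next)) continue;
        seen.add(next);
        stack.push(next);
        if (graph.nodes[next] !== "package") flows.add(`${graph.nodes[src]} -> ${next}`);
      }
    }
  }
  return flows;
}

// Flows the new version has and the old one lacked; those ending in a system API are
// the new, untrustworthy interactions with external APIs that an update must justify.
function newFlows(oldGraph, newGraph) {
  const before = crossDomainFlows(oldGraph);
  return [...crossDomainFlows(newGraph)].filter((f) => !before.has(f)).sort();
}
function suspiciousNewFlows(oldGraph, newGraph) {
  return newFlows(oldGraph, newGraph).filter((f) => newGraph.nodes[f.split(" -> ")[1]] === "system");
}

// Constructed sample: v1 merges a config file via lodash; the v2 update adds a payload
// object that mixes process.env into data reaching https.request.
const V1_NODES = { "fs.readFileSync": "system", config: "package", "lodash.merge": "dependency", settings: "package" };
const V1_EDGES = [["fs.readFileSync", "config"], ["config", "lodash.merge"], ["lodash.merge", "settings"]];
const v1 = buildGraph(V1_NODES, V1_EDGES);
const v2 = buildGraph({ ...V1_NODES, "process.env": "system", payload: "package", "https.request": "system" },
  [...V1_EDGES, ["process.env", "payload"], ["settings", "payload"], ["payload", "https.request"]]);
console.log(suspiciousNewFlows(v1, v2)); // three new flows, all ending in https.request
```

A benign update that only adds a new package-internal object feeding an already-used dependency produces an empty difference, which is the distinction between rogue and benign updates the abstract evaluates.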

Thu 18 Apr, 14:00 - 15:30 (times shown in the Lisbon time zone)

14:00 (15m) Talk, Research Track
RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains
Raphael J. Sofaer (Columbia University); Yaniv David (Columbia University); Mingqing Kang (Johns Hopkins University); Jianjia Yu (Johns Hopkins University); Yinzhi Cao (Johns Hopkins University); Junfeng Yang (Columbia University); Jason Nieh (Columbia University)
Links: DOI, Pre-print

14:15 (15m) Talk, Research Track
ACAV: A Framework for Automatic Causality Analysis in Autonomous Vehicle Accident Recordings
Huijia Sun (ShanghaiTech University, China); Chris Poskitt (Singapore Management University); Yang Sun (Singapore Management University); Jun Sun (Singapore Management University); Yuqi Chen (ShanghaiTech University, China)
Links: Pre-print

14:30 (15m) Talk, Research Track
Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency Analysis
Xiaohu Song (Northeastern University); Ying Wang (Northeastern University); Xiao Cheng (Huawei Technologies Co., Ltd.); Guangtai Liang (Huawei Cloud Computing Technologies); Qianxiang Wang (Huawei Technologies Co., Ltd.); Zhiliang Zhu (Northeastern University, China)

14:45 (7m) Talk, Journal-first Papers
Probabilistic Safe WCET Estimation for Weakly Hard Real-Time Systems at Design Stages
Jaekwon Lee (University of Ottawa & University of Luxembourg); Seung Yeob Shin (University of Luxembourg); Lionel Briand (University of Ottawa, Canada; Lero centre, University of Limerick, Ireland); Shiva Nejati (University of Ottawa)

14:52 (7m) Talk, Journal-first Papers
Are automated static analysis tools worth it? An investigation into relative warning density and external software quality on the example of Apache open source projects
Alexander Trautsch (University of Passau); Steffen Herbold (University of Passau); Jens Grabowski (University of Göttingen)

14:59 (7m) Talk, Journal-first Papers
Actor-driven Decomposition of Microservices through Multi-level Scalability Assessment
Carmine Colarusso (University of Sannio, Benevento); Matteo Camilli (Politecnico di Milano); Barbara Russo; Eugenio Zimeo (University of Sannio, Benevento)

15:06 (7m) Talk, Demonstrations
TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference Tools
Ashwin Prasad Shivarpatna Venkatesh (University of Paderborn); Samkutty Sabu (University of Paderborn); Jiawei Wang (Monash University); Amir Mir (Delft University of Technology); Li Li (Beihang University); Eric Bodden

15:13 (7m) Talk, New Ideas and Emerging Results
Toward Adaptive Tracing: Efficient System Behavior Analysis using Language Models
Kasra Darvishi (Brock University); Morteza Noferesti (Brock University); Naser Ezzati Jivan