Chair of Programming Languages and AI
print
Breadcrumb Navigation
Content

DEMISEC: Detection of Malicious Implants in Source Code

Sponsored by WTD81.

Reuse of software components is a fundamental building block of software engineering. Today’s developers can quickly realize complex projects by wiring together components and libraries, choosing from a vast range of open source code. On the one hand, this eliminates repetition and therefore opportunities to accidentally introduce vulnerabilities, e.g., by relying verified and verifiable implementations of crypto libraries. On the other hand, it creates a potentially long software supply chain of transitive dependencies, where each element has to be trusted. Malicious code implanted at any point in the supply chain can propagate into critical systems. Already there have been several cases of open source developers having their credentials stolen to upload malicious code into popular libraries. With open source repositories effectively becoming critical infrastructure, we need reliable methods to verify and validate source code.

The goal of DEMISEC is to develop techniques for automatic vetting of open source repositories, in particular for detecting implants of malicious code in source code. We will use a mix of static and dynamic techniques to achieve this goal: fuzzing or symbolic execution for differential testing of program versions, and modeling of implant code to detect dangerous patterns in code repositories using static analysis. In collaboration with Prof. Brunthaler's µSRL lab, we will investigate Quick-Vetting for the light-weight attestation of pre-vetted software components. Finally, we will conduct large scale studies on open source code to evaluate the project outcomes.

Software

  • Differential analysis scripts and queries for detecting suspicious updates with CodeQL [ GitHub ]

Publications

Fabian Froh, Matías Gobbi, and Johannes Kinder. Differential Static Analysis for Detecting Malicious Updates to Open Source Packages. In Proc. ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED), ACM, 2023.
BibTeX PDF

@inproceedings{scored23-diff-codeql,
    author = {Fabian Froh and Mat{\'{i}}as Gobbi and Johannes Kinder},
    title = {Differential Static Analysis for Detecting Malicious Updates to Open Source Packages},
    booktitle = {Proc. ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED)},
    publisher = {ACM},
    year = {2023},
    doi = {10.1145/3605770.3625211}
}

Matías Gobbi and Johannes Kinder. Poster: Using CodeQL to Detect Malware in npm. In Proc. 2023 ACM SIGSAC Conf. Computer and Communications Security (CCS), 2023.
BibTeX PDF

@inproceedings{ccs23poster-codeql,
    author = {Mat{\'{i}}as Gobbi and Johannes Kinder},
    title = {Poster: Using CodeQL to Detect Malware in npm},
    booktitle = {Proc. 2023 ACM SIGSAC Conf. Computer and Communications Security (CCS)},
    year = {2023},
    doi = {10.1145/3576915.3624401}
}