Survey on Open-source Software Supply Chain Security
Authors:
Author biographies:

  • Ji Shouling (纪守领, 1986-), male, Ph.D., research professor, doctoral supervisor, CCF senior member; main research interests: artificial intelligence and security, data-driven security, software and system security, big data analytics and multimedia understanding.
  • Zhang Xuhong (张旭鸿, 1988-), male, Ph.D., research professor, doctoral supervisor, CCF professional member; main research interests: distributed big data systems, artificial intelligence and security, data-driven security, software and system security, computer vision, big data mining and analytics, multimedia understanding.
  • Wang Qinying (王琴应, 1996-), female, Ph.D. student, CCF student member; main research interests: IoT security, software and system security.
  • Wu Jingzheng (吴敬征, 1982-), male, Ph.D., research professor, doctoral supervisor, CCF professional member; main research interests: system security, vulnerability discovery, operating system security.
  • Chen Anying (陈安莹, 1996-), female, master's student; main research interests: data-driven security, software and system security.
  • Li Yun (李昀, 1974-), female, Ph.D., chief technical expert; main research interests: artificial intelligence and security, cognitive intelligence, big data security, knowledge engineering.
  • Zhao Binbin (赵彬彬, 1996-), male, Ph.D. student; main research interest: IoT security.
  • Yin Jianwei (尹建伟, 1974-), male, Ph.D., professor, doctoral supervisor, CCF senior member; main research interests: healthcare informatization, distributed computing, service computing, cloud computing.
  • Ye Tong (叶童, 1998-), male, Ph.D. student, CCF student member; main research interests: machine learning, vulnerability detection.
  • Wu Yanjun (武延军, 1979-), male, Ph.D., research professor, doctoral supervisor, CCF distinguished member; main research interests: operating systems, system software for machine learning, system security.

Corresponding author:

Wu Yanjun, yanjun@iscas.ac.cn

Funding:

National Natural Science Foundation of China (U1936215); Natural Science Foundation of Zhejiang Province (LR19F020003)



Abstract:

In recent years, the vigorous development of open-source software, together with modern software development and supply models, has greatly accelerated the iteration and evolution of open-source software and increased its social benefit. The emerging collaborative development model of open source has transformed the software development and supply process from a relatively linear chain into a complex network. Within the intricate and intertwined supply relationships of open-source software, the overall security risk has risen significantly and is drawing increasing attention from academia and industry. This survey sets out to define the new open-source software supply chain model and, based on attacks that have occurred over the past decade, summarizes the threat model and security trends of the open-source software supply chain. For securing the open-source software supply chain, it provides a systematic overview of existing research from the perspectives of risk identification and reinforced defense, and also highlights the new challenges and opportunities.

Cite this article

Ji Shouling, Wang Qinying, Chen Anying, Zhao Binbin, Ye Tong, Zhang Xuhong, Wu Jingzheng, Li Yun, Yin Jianwei, Wu Yanjun. Survey on Open-source Software Supply Chain Security. Journal of Software (Ruan Jian Xue Bao), 2023, 34(3): 1330-1364

History
  • Received: 2021-08-23
  • Revised: 2021-12-31
  • Published online: 2022-07-22
  • Publication date: 2023-03-06
Copyright: Institute of Software, Chinese Academy of Sciences