State-of-the-Art Survey of Open-source Software Supply Chain Security
(original title: 开源软件供应链安全研究综述)
Author:
Affiliation:

1. College of Computer Science and Technology, Zhejiang University; 2. Binjiang Institute of Zhejiang University; 3. Institute of Software, Chinese Academy of Sciences; 4. Huawei Technologies Co., Ltd., Shanghai; 5. Zhejiang University

    Abstract (translated from the Chinese):

    With the vigorous growth of open-source software in recent years, modern development and supply models have greatly accelerated the iteration and evolution of open-source software itself and have delivered broad social benefits. The emerging model of open, collaborative development has turned the software development and supply process from a relatively simple linear chain into a complex network. Within these intertwined open-source supply relationships the overall security risk has risen markedly and is receiving growing attention from both academia and industry. This paper summarizes the key links of the open-source software supply chain, derives a threat model and security trends from attack incidents of the past ten years, surveys existing security research to summarize the state of the art from two angles, risk identification and hardening/defense, and finally discusses the open challenges and future research directions for open-source software supply chain security.

    Abstract (English):

    Software development is changing. Because the Internet allows far-flung development teams to create software collaboratively, open-source software supply chains are becoming more complex and sophisticated. This work defines a new open-source software supply chain model and presents a detailed survey of the security issues in this new architecture. Emerging technologies proposed as remedies for vulnerabilities in the open-source software supply chain, such as blockchain, machine learning (ML), and continuous fuzzing, are also discussed. While many researchers and organizations have already proposed new technologies and principles to handle the security issues in this area, proper and more effective solutions remain distant. The new challenges and opportunities in securing the open-source software supply chain are also highlighted.

History
  • Received: 2021-08-23
  • Revised: 2022-01-15
  • Accepted: 2022-06-05
Copyright: Institute of Software, Chinese Academy of Sciences