SaTC: CORE: Small: Trustworthy Dependency Management

SaTC：核心：小型：值得信赖的依赖管理

• 批准号: 1717022
• 负责人: Christian Kastner
• 金额: $ 49.99万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-08-01 至 2021-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1717022&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Trustworthy; Dependency

Software development increasingly relies on reusing platforms, libraries, and frameworks developed independently by third parties with little coordination, which provides significant value to participants through reuse. A security threat that has received relatively little attention is attacks through malicious package updates, which are particularly threatening in platforms with many frequently updating package dependencies, such as Node.js. The burden of reviewing all updates of all dependencies for security issues is too high for most developers. In this setting, automated solutions will reduce the attack surface, guide manual effort, and as a result, allow developers to trust packages and their updates with low enough effort to make it practical.This research will raise awareness of the problem and develop tools to significantly reduce risks and costs associated with dependency management. It will develop both heuristic and sound approaches to increase trust in package updates. It will focus on Javascript packages on the widely used package manager npm. Heuristic approaches will guide the attention of human reviewers toward suspicious updates. A permission model will establish trust of many, especially small and simple, packages. The work will significantly reduce the attack surface and restrict exploits through malicious package updates. The increased trust in package managers and corresponding lower risks and costs will  benefit not only professional developers, but also scientists, hobbyists, and end-user programmers that often have less experience with computer security and can be an easy target for attackers.

软件开发越来越依赖于重用第三方独立开发的平台、库和框架，而这些第三方之间的协调很少，这通过重用为参与者提供了巨大的价值。 相对较少受到关注的安全威胁是通过恶意包更新进行的攻击，这种攻击的威胁尤其大。在具有许多频繁更新包依赖项的平台中，例如 Node.js，对于大多数开发人员来说，检查所有依赖项的所有更新是否存在安全问题的负担太大，在这种情况下，自动化解决方案将减少攻击面，引导手动工作。因此，开发人员允许信任包这项研究将提高人们对这个问题的认识，并开发工具来显着降低与依赖管理相关的风险和成本。它将开发启发式和合理的方法来增加对软件包更新的信任。重点关注广泛使用的包管理器 npm 上的 Javascript 包。 启发式方法将引导人工审查者对可疑更新的注意力，从而建立对许多包（尤其是小型包和简单包）的信任。限制通过恶意软件包更新进行的攻击。对包管理器的信任以及相应的较低风险和成本不仅有利于专业开发人员，而且有利于科学家、业余爱好者和最终用户程序员，他们通常在计算机安全方面经验较少，很容易成为攻击者的目标。

项目成果

Detecting Suspicious Package Updates

检测可疑的软件包更新

• DOI: 10.1109/icse-nier.2019.00012
• 发表时间: 2019-01
• 期刊: Proceedings of the Proc. International Conference on Software Engineering -- New Ideas Track (ICSE-NIER
• 作者: Garret, Kalil;Ferreira, Gabriel;Jia, Limin;Sunshine, Joshua;Kaestner, Christian
• 通讯作者: Kaestner, Christian

Containing Malicious Package Updates in npm with a Lightweight Permission System

使用轻量级权限系统在 npm 中包含恶意软件包更新

• DOI: 10.1109/icse43902.2021.00121
• 发表时间: 2021-03-08
• 期刊: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)
• 作者: G. Ferreira;Limin Jia;Joshua Sunshine;Christian Kästner
• 通讯作者: Christian Kästner