    The Hitchhiker's Guide to Malicious Third-Party Dependencies

    The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., NPM, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, whereas package managers automatically handle dependency resolution and package installation on the client side. These mechanisms enhance software modularization and accelerate implementation. However, they have become a target for malicious actors seeking to propagate malware on a large scale. In this work, we show how attackers can leverage capabilities of popular package managers and languages to achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain attacks. Based on the analysis of 7 ecosystems, we identify 3 install-time and 5 runtime techniques, and we provide recommendations describing how to reduce the risk when consuming third-party dependencies. We will provide proof-of-concepts that demonstrate the identified techniques. Furthermore, we describe evasion strategies employed by attackers to circumvent detection mechanisms.

    Taxonomy of Attacks on Open-Source Software Supply Chains

    The widespread dependency on open-source software makes it a fruitful target for malicious actors, as demonstrated by recurring attacks. The complexity of today's open-source supply chains results in a significant attack surface, giving attackers numerous opportunities to reach the goal of injecting malicious code into open-source artifacts that is then downloaded and executed by victims. This work proposes a general taxonomy for attacks on open-source supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution. Taking the form of an attack tree, it covers 107 unique vectors, linked to 94 real-world incidents, and mapped to 33 mitigating safeguards. User surveys conducted with 17 domain experts and 134 software developers positively validated the correctness, comprehensiveness and comprehensibility of the taxonomy, as well as its suitability for various use-cases. Survey participants also assessed the utility and costs of the identified safeguards, and whether they are used.

    A Benchmark Comparison of Python Malware Detection Approaches

    While attackers often distribute malware to victims via open-source, community-driven package repositories, these repositories do not currently run automated malware detection systems. In this work, we explore the security goals of the repository administrators and the requirements for deployments of such malware scanners via a case study of the Python ecosystem and PyPI repository, which includes interviews with administrators and maintainers. Further, we evaluate existing malware detection techniques for deployment in this setting by creating a benchmark dataset and comparing several existing tools, including the malware checks implemented in PyPI, Bandit4Mal, and OSSGadget's OSS Detect Backdoor. We find that repository administrators have exacting technical demands for such malware detection tools. Specifically, they consider a false positive rate of even 0.01% to be unacceptably high, given the large number of package releases that might trigger false alerts. Measured tools have false positive rates between 15% and 97%; increasing thresholds for detection rules to reduce this rate renders the true positive rate useless. In some cases, these checks emitted alerts more often for benign packages than malicious ones. However, we also find a successful socio-technical malware detection system: external security researchers also perform repository malware scans and report the results to repository administrators. These parties face different incentives and constraints on their time and tooling. We conclude with recommendations for improving detection capabilities and strengthening the collaboration between security researchers and software repository administrators. (Comment: 12 pages, 3 figures, 3 tables)

    Food defense practices of school districts in northern U.S. states

    This study assessed implementation of food defense practices in public schools in Montana, Wyoming, South Dakota, North Dakota, Iowa, Minnesota, and Wisconsin. The first phase involved a qualitative multi-site case study: one-day visits were made to five school districts in the states of Iowa, South Dakota, Minnesota, and Wisconsin. A principal, district foodservice director (FSD), two food production workers, and an emergency responder at each site were interviewed about food defense awareness and risk perception. Meal production and service were observed for implementation of food defense practices. In Phase Two, 543 school food authorities or FSDs (36% of the population from 1,501 districts in seven Midwestern states) responded to an Internet-administered survey. Survey items included frequency of implementation of 31 food defense best practices adapted from the work of Yoon and Shanklin (2007a) and Yoon (2007). The survey included ten items assessing risk perception using Slovic's psychometric paradigm (1987). Items requested information about crisis management and food defense planning, food defense training, influence over districts' security policies, as well as operational and demographic characteristics. Four themes emerged from the 25 interviews conducted during the site visits: low awareness, lack of concern, food not considered a potential danger, and how conflicting priorities influence security. Food defense was an unfamiliar concept among most interviewees. Many expressed the belief that food tampering was not likely in their schools because employees were trustworthy or the location was too insignificant. Principals expressed concern for physical security measures but did not perceive their contribution to food defense. In most districts, the FSD was not included in district emergency response planning activities, and communication about food defense did not occur between principals, FSDs, and emergency responders. Some of the interviewees had experience with food tampering incidents; seven incidents were reported, of which five had occurred in schools. Employees in a central kitchen facility were suspected in two of the school incidents, and three were perpetrated by students, indicating different sources of vulnerabilities. Most (67.8%) survey respondents reported district enrollment <2,500 students. Few (14.5%) had implemented a food defense plan; implementation was related to FSD involvement in crisis management planning and to the FSD receiving food defense training. Thirteen practices were implemented most of the time (mean >4.0 on a 5-point scale with 5 = always); most of these were within the control of the FSD. Six practices were implemented less frequently (mean <3.0 on a 5-point scale with 1 = never); three would require administrative action to implement, and two were related to FSD communication with emergency responders. Mean values for the unknown-risk perception measures indicated some disagreement that intentional food contamination was a new risk for respondents and strong disagreement that they personally knew a lot about how terrorists could contaminate the food supply. The mean for the dread risk scale was 1.93 on a 4-point scale with 4 = high, similar to the perceived risk of common everyday activities reported by Lee, LeMyre, and Krewski (2010). Compared to district administrators, FSDs perceived significantly greater personal control over both terrorism and food tampering risks.

    Situational crime prevention in the international supply chain: the cost of alternative measures
