The Hitchhiker's Guide to Malicious Third-Party Dependencies
The increasing popularity of certain programming languages has spurred the
creation of ecosystem-specific package repositories and package managers. Such
repositories (e.g., NPM, PyPI) serve as public databases that users can query
to retrieve packages for various functionalities, whereas package managers
automatically handle dependency resolution and package installation on the
client side. These mechanisms enhance software modularization and accelerate
implementation. However, they have become a target for malicious actors seeking
to propagate malware on a large scale.
In this work, we show how attackers can leverage capabilities of popular
package managers and languages to achieve arbitrary code execution on victim
machines, thereby realizing open-source software supply chain attacks. Based on
the analysis of 7 ecosystems, we identify 3 install-time and 5 runtime
techniques, and we provide recommendations describing how to reduce the risk
when consuming third-party dependencies. We will provide proof-of-concepts that
demonstrate the identified techniques. Furthermore, we describe evasion
strategies employed by attackers to circumvent detection mechanisms
Taxonomy of Attacks on Open-Source Software Supply Chains
The widespread dependency on open-source software makes it a fruitful target
for malicious actors, as demonstrated by recurring attacks. The complexity of
today's open-source supply chains results in a significant attack surface,
giving attackers numerous opportunities to reach the goal of injecting
malicious code into open-source artifacts that is then downloaded and executed
by victims.
This work proposes a general taxonomy for attacks on open-source supply
chains, independent of specific programming languages or ecosystems, and
covering all supply chain stages from code contributions to package
distribution. Taking the form of an attack tree, it covers 107 unique vectors,
linked to 94 real-world incidents, and mapped to 33 mitigating safeguards.
User surveys conducted with 17 domain experts and 134 software developers
positively validated the correctness, comprehensiveness and comprehensibility
of the taxonomy, as well as its suitability for various use-cases. Survey
participants also assessed the utility and costs of the identified safeguards,
and whether they are used
A Benchmark Comparison of Python Malware Detection Approaches
While attackers often distribute malware to victims via open-source,
community-driven package repositories, these repositories do not currently run
automated malware detection systems. In this work, we explore the security
goals of the repository administrators and the requirements for deployments of
such malware scanners via a case study of the Python ecosystem and PyPI
repository, which includes interviews with administrators and maintainers.
Further, we evaluate existing malware detection techniques for deployment in
this setting by creating a benchmark dataset and comparing several existing
tools, including the malware checks implemented in PyPI, Bandit4Mal, and
OSSGadget's OSS Detect Backdoor.
We find that repository administrators have exacting technical demands for
such malware detection tools. Specifically, they consider a false positive rate
of even 0.01% to be unacceptably high, given the large number of package
releases that might trigger false alerts. Measured tools have false positive
rates between 15% and 97%; increasing thresholds for detection rules to reduce
this rate renders the true positive rate useless. In some cases, these checks
emitted alerts more often for benign packages than malicious ones. However, we
also find a successful socio-technical malware detection system: external
security researchers also perform repository malware scans and report the
results to repository administrators. These parties face different incentives
and constraints on their time and tooling. We conclude with recommendations for
improving detection capabilities and strengthening the collaboration between
security researchers and software repository administrators.
Comment: 12 pages, 3 figures, 3 table
Food defense practices of school districts in northern U.S. states
This study assessed implementation of food defense practices in public schools in Montana, Wyoming, South Dakota, North Dakota, Iowa, Minnesota, and Wisconsin. The first phase involved a qualitative multi-site case study: one-day visits were made to five school districts in the states of Iowa, South Dakota, Minnesota, and Wisconsin. A principal, district foodservice director (FSD), two food production workers, and an emergency responder at each site were interviewed about food defense awareness and risk perception. Meal production and service were observed for implementation of food defense practices. In Phase Two, 543 school food authorities or FSDs (36% of the population from 1,501 districts in seven Midwestern states) responded to an Internet-administered survey. Survey items included frequency of implementation of 31 food defense best practices adapted from the work of Yoon and Shanklin (2007a) and Yoon (2007). The survey included ten items assessing risk perception using Slovic's psychometric paradigm (1987). Items requested information about crisis management and food defense planning, food defense training, influence over districts' security policies, as well as operational and demographic characteristics.
Four themes emerged from the 25 interviews conducted during the site visit: low awareness, lack of concern, food not considered a potential danger, and how conflicting priorities influence security. Food defense was an unfamiliar concept among most interviewees. Many expressed the belief that food tampering was not likely in their schools because employees were trustworthy or location was too insignificant. Principals expressed concern for physical security measures but did not perceive their contribution to food defense. In most districts, the FSD was not included in district emergency response planning activities and communication about food defense did not occur between principals, FSD, and emergency responders. Some of the interviewees had experience with food tampering incidents; seven incidents were reported, of which five had occurred in schools. Employees in a central kitchen facility were suspected in two of the school incidents, and three were perpetrated by students, indicating different sources of vulnerabilities.
Most (67.8%) survey respondents reported district enrollment <2,500 students. Few (14.5%) had implemented a food defense plan; implementation was related to FSD involvement in crisis management planning and to FSD receiving food defense training. Thirteen practices were implemented most of the time (mean >4.0 on 5-point scale with 5 = always); most of these within control of FSD. Six practices were implemented less frequently (mean <3.0 on 5-point scale with 1 = never); three would require administrative action to implement, and two were related to FSD communication with emergency responders.
Mean values for unknown risk risk perception measures indicated some disagreement that intentional food contamination was a new risk for respondents and strong disagreement that they personally knew a lot about how terrorists could contaminate the food supply. The mean for the dread risk scale was 1.93 on a 4-point scale with 4 = high, similar to perceived risk of common everyday activities reported by Lee, LeMyre, and Krewski (2010). Compared to district administrators, FSDs perceived significantly greater personal control over both terrorism and food tampering risks