Ossintegrity: Collaborative Open Source Code Integrity Verification
28 pages. Posted: 31 Jan 2024
Abstract
Open-source software (OSS) libraries have become popular among developers because they reduce development time and costs. However, OSS can also be exploited as a vehicle for OSS supply chain attacks, in which malicious code is injected into libraries that the target uses. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focus on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted for a specific target (i.e., a developer). Since the malicious code does not appear in the general OSS repositories, these attacks tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)^2V -- secure crowdsource-based code verification, a novel distributed and scalable framework for verifying OSS libraries. (SC)^2V is aimed at preventing targeted supply chain attacks and is integrated with the build phase of software production, serving as an additional code verification step before the application is packaged and deployed. (SC)^2V involves both users (developers seeking to verify an OSS library) and verifiers who contribute to the collaborative verification effort. (SC)^2V considers a library verified and safe when a consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases) on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that our framework took an average of just 26 seconds to issue an alert against the attacks.
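The core idea above, that a targeted modification shows up as a discrepancy between the developer's local copy and what independent verifiers see in the public repository, can be illustrated with a per-file digest vote. The following is an added example written for this page, not the (SC)^2V implementation: it assumes verifiers report SHA-256 digests of each file, requires at least five reports (the paper's evaluation minimum) and a 0.8 agreement quorum (an assumed value), and fails closed when no consensus exists. All file contents are constructed sample data.

```python
import hashlib
from collections import Counter

# Constructed sample: what verifiers fetch from the public repository.
PUBLIC_COPY = {
    "setup.py": b"from setuptools import setup\nsetup(name='widget')\n",
    "widget/__init__.py": b"def run():\n    return 'ok'\n",
}
# Constructed developer copy: one file silently differs (a targeted change).
DEVELOPER_COPY = dict(PUBLIC_COPY)
DEVELOPER_COPY["widget/__init__.py"] = b"def run():\n    return 'ok'  # changed\n"


def digest_files(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def consensus_digests(reports, min_verifiers=5, quorum=0.8):
    """Per-file consensus over verifier reports (assumed parameters).

    A file gets a consensus digest only when at least `min_verifiers` reports
    exist and a fraction >= `quorum` of all reports agree on one digest.
    """
    if len(reports) < min_verifiers:
        return {}  # too few verifiers: no file is considered verified
    paths = set().union(*(r.keys() for r in reports))
    consensus = {}
    for path in paths:
        votes = Counter(r[path] for r in reports if path in r)
        digest, count = votes.most_common(1)[0]
        if count / len(reports) >= quorum:
            consensus[path] = digest
    return consensus


def verify(local_files, reports, **params):
    """Return sorted paths whose local digest differs from consensus, or for
    which no consensus exists. An empty list means the copy is verified."""
    consensus = consensus_digests(reports, **params)
    local = digest_files(local_files)
    return sorted(p for p, d in local.items() if consensus.get(p) != d)


if __name__ == "__main__":
    reports = [digest_files(PUBLIC_COPY) for _ in range(5)]
    print(verify(DEVELOPER_COPY, reports))  # ['widget/__init__.py']
```

A build step would run `verify` on the resolved dependency tree and stop packaging when the returned list is non-empty.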
Keywords: supply chain, Open Source, Code Verification, Crowdsource, Targeted attack