Ossintegrity: Collaborative Open Source Code Integrity Verification

28 pages. Posted: 31 Jan 2024

Mor Nahum

Ben-Gurion University of the Negev

Edita Grolman

Ben-Gurion University of the Negev

Inbar Maimon

Ben-Gurion University of the Negev

Dudu Mimran

Ben-Gurion University of the Negev

Aviad Elyashar

Ben-Gurion University of the Negev

Oleg Brodt

Ben-Gurion University of the Negev

Yuval Elovici

Ben-Gurion University of the Negev

Asaf Shabtai

Ben-Gurion University of the Negev

Abstract

Open-source software (OSS) libraries have become popular among developers because they reduce development time and costs. However, OSS can also be exploited as a vehicle for OSS supply chain attacks, in which malicious code is injected into libraries that the target uses. Previous studies have proposed various methods for preventing and detecting such attacks; however, most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks, which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted towards a specific target (i.e., a developer). Since the tampered code does not appear in the general OSS repositories, these attacks tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)^2V, secure crowdsource-based code verification, a novel distributed and scalable framework for verifying OSS libraries. (SC)^2V is aimed at preventing targeted supply chain attacks and is integrated with the build phase of software production, serving as an additional code verification step before the application is packaged and deployed. (SC)^2V involves both users (developers seeking to verify an OSS library) and verifiers contributing to the collaborative verification effort, and it considers a library verified and safe only when a consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases) on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that our framework took an average of just 26 seconds to issue an alert against the attacks.
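The consensus rule described in the abstract can be made concrete. The following is an added illustration written for this page, not code from the paper or from the (SC)^2V framework: a build-time gate that hashes the library file it is about to package, accepts only authentic attestations from known verifiers, requires a quorum of verifiers agreeing on the same file digest, and raises an alert either when the local copy differs from the copy the verifiers agreed on (the hallmark of a targeted attack, since everyone else sees a clean file) or when any verifier flags the file. The library name, file contents, verifier identities, keyed-HMAC attestation format, quorum of three and the one-malicious-vote-blocks policy are all assumptions made for the example; the paper's actual protocol, trust model and thresholds are not given in the abstract.

```python
"""Consensus gate for crowd-verified OSS library files (added illustration).

The gate computes the digest of the file it is about to ship, keeps only
authentic attestations from known verifiers, and lets the build proceed
only when a quorum agrees on the same digest and nobody flagged the file.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# Constructed per-verifier secrets (assumption). A real deployment would use
# public-key signatures so verifiers never share secrets with the gate.
VERIFIER_KEYS = {f"verifier-{c}": f"secret-{c}".encode() for c in "abcde"}

# Constructed sample library file, plus a copy altered only on the target's machine.
LIBRARY, VERSION, PATH = "examplelib", "1.4.2", "examplelib/core.py"
GENUINE = b"def add(a, b):\n    return a + b\n"
TAMPERED = GENUINE + b"\n# extra statement present only in the target's copy\n"


def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Attestation:
    verifier: str
    library: str
    version: str
    path: str
    digest: str   # SHA-256 of the file the verifier inspected
    verdict: str  # "safe" or "malicious"
    tag: str      # HMAC over the fields above, keyed with the verifier's secret


def _tag(key: bytes, fields) -> str:
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


def make_attestation(verifier, content, verdict="safe",
                     library=LIBRARY, version=VERSION, path=PATH) -> Attestation:
    fields = (verifier, library, version, path, file_digest(content), verdict)
    return Attestation(*fields, _tag(VERIFIER_KEYS[verifier], fields))


def verify_attestation(a: Attestation) -> bool:
    key = VERIFIER_KEYS.get(a.verifier)
    if key is None:  # unknown verifier: never counted
        return False
    fields = (a.verifier, a.library, a.version, a.path, a.digest, a.verdict)
    return hmac.compare_digest(_tag(key, fields), a.tag)


def gate(local_content: bytes, attestations, quorum: int = 3,
         library=LIBRARY, version=VERSION, path=PATH):
    """Return (status, reason); status is 'verified', 'pending' or 'alert'."""
    local = file_digest(local_content)
    votes = {}  # one vote per verifier; forged or off-topic attestations are dropped
    for a in attestations:
        if verify_attestation(a) and (a.library, a.version, a.path) == (library, version, path):
            votes.setdefault(a.verifier, a)
    if any(a.verdict == "malicious" for a in votes.values()):
        return "alert", "a verifier flagged this file as malicious"
    tally = Counter(a.digest for a in votes.values() if a.verdict == "safe")
    if not tally:
        return "pending", "no valid attestations yet (cold start)"
    digest, count = tally.most_common(1)[0]
    if count < quorum:
        return "pending", f"only {count} of {quorum} required verifiers agree"
    if digest != local:
        return "alert", "local copy differs from the consensus copy (possible targeted tampering)"
    return "verified", f"{count} verifiers agree on sha256:{digest[:16]}"


ATTESTATIONS = [make_attestation(v, GENUINE) for v in VERIFIER_KEYS]


def demo() -> dict:
    """Run the gate over the scenarios a practitioner cares about."""
    forged = Attestation("verifier-a", LIBRARY, VERSION, PATH,
                         file_digest(TAMPERED), "safe", "00" * 32)
    flagged = make_attestation("verifier-e", GENUINE, "malicious")
    return {
        "clean": gate(GENUINE, ATTESTATIONS)[0],                   # verified
        "cold_start": gate(GENUINE, ATTESTATIONS[:2])[0],          # pending
        "targeted": gate(TAMPERED, ATTESTATIONS)[0],               # alert
        "forged_only": gate(TAMPERED, [forged] * 5)[0],            # pending
        "flagged": gate(GENUINE, ATTESTATIONS[:4] + [flagged])[0],  # alert
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} -> {status}")
```

The point the example makes is that the verifiers never need to see the target's copy: they attest to the file as published, and the target's build compares its own digest against that consensus. A cold start (too few attestations) must resolve to "pending" rather than "verified", otherwise an attacker who races the first build gets a free pass; and forged attestations for the tampered digest are discarded before counting, so they cannot manufacture a quorum.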

Keywords: supply chain, Open Source, Code Verification, Crowdsource, Targeted attack

Suggested Citation

Nahum, Mor and Grolman, Edita and Maimon, Inbar and Mimran, Dudu and Elyashar, Aviad and Brodt, Oleg and Elovici, Yuval and Shabtai, Asaf, Ossintegrity: Collaborative Open Source Code Integrity Verification. Available at SSRN: https://ssrn.com/abstract=4711134 or http://dx.doi.org/10.2139/ssrn.4711134

Mor Nahum

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Edita Grolman

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Inbar Maimon

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Dudu Mimran

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Aviad Elyashar

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Oleg Brodt

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Yuval Elovici

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel

Asaf Shabtai (Contact Author)

Ben-Gurion University of the Negev

1 Ben-Gurion Blvd
Beer-Sheba 84105
Israel
