DOI: 10.1145/3627106.3627129 (ACSAC Conference Proceedings, research article)

Artemis: Defanging Software Supply Chain Attacks in Multi-repository Update Systems

Published: 04 December 2023

Abstract

Modern software installation tools often use packages from more than one repository, presenting a unique set of security challenges. Such a configuration increases the risk of repository compromise and introduces attacks like dependency confusion and repository fallback. In this paper, we offer the first exploration of attacks that specifically target multiple repository update systems, and propose a unique defensive strategy we call articulated trust. Articulated trust is a principle that allows software installation tools to specify trusted developers and repositories for each package. To implement articulated trust, we built Artemis, a framework that introduces several new security techniques, such as per-package prioritization of repositories, multi-role delegations, multiple-repository consensus, and key pinning. These techniques allow for a greater diversity of trust relationships while eliminating the security risk of single points of failure.
To evaluate Artemis, we examine attacks on software update systems from the Cloud Native Computing Foundation’s Catalog of Supply Chain Compromises, and find that the most secure configuration of Artemis can prevent all of them, compared to 14-59% for the best existing system. We also cite real-world deployments of Artemis that highlight its practicality. These include the JDF/Linux Foundation Uptane Standard that secures over-the-air updates for millions of automobiles, and TUF, which is used by many companies for secure software distribution.
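The mechanisms the abstract lists, worked through as an added illustrative model that is not Artemis's own code: a per-package policy names which repositories may serve a package (prioritization), which key each must sign with (key pinning) and how many must agree (consensus), so a lookalike package on a public repository or an unreachable repository cannot cause a silent substitution. Repository names, package names, keys, the policy format and the HMAC stand-in for real signatures are all constructed assumptions.

```python
"""Illustrative model of articulated trust for a multi-repository installer.
Added example, not Artemis's own code: repository names, package names, keys,
the policy format and the HMAC stand-in for real signatures are constructed."""
import hashlib
import hmac

# Constructed signing keys, one per repository (public keys in a real system).
KEYS = {"internal-key": b"k1", "pypi-key": b"k2", "mirror-key": b"k3"}

def sign(key_id, pkg, version, digest):
    msg = f"{pkg} {version} {digest}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()

class Repo:
    def __init__(self, name, key_id, online=True):
        self.name, self.key_id, self.online, self.index = name, key_id, online, {}

    def publish(self, pkg, version, content, key_id=None):
        kid = key_id or self.key_id
        digest = hashlib.sha256(content).hexdigest()
        self.index[pkg] = (version, digest, kid, sign(kid, pkg, version, digest))

    def lookup(self, pkg):
        if not self.online:
            raise ConnectionError(self.name)
        return self.index.get(pkg)

# Per-package policy: ordered trusted repos (prioritization), the key each
# must sign with (key pinning), and how many must agree (consensus).
POLICY = {
    "internal-lib": {"repos": [("internal", "internal-key")], "consensus": 1},
    "requests": {"repos": [("pypi", "pypi-key"), ("mirror", "mirror-key")],
                 "consensus": 2},
}

def resolve(pkg, repos, policy=POLICY):
    """Return (version, digest) for pkg, or raise when the policy is not met."""
    rule = policy.get(pkg)
    if rule is None:  # no repository is articulated for this package at all
        raise PermissionError(f"{pkg}: no trusted repository configured")
    seen = []
    for repo_name, pinned_key in rule["repos"]:  # only repos listed for pkg
        try:
            entry = repos[repo_name].lookup(pkg)
        except ConnectionError:
            continue  # unreachable repo is skipped, never replaced by another
        if entry is None or entry[2] != pinned_key:
            continue  # absent, or signed by a key other than the pinned one
        version, digest, _, sig = entry
        if not hmac.compare_digest(sig, sign(pinned_key, pkg, version, digest)):
            continue  # signature does not verify under the pinned key
        seen.append((version, digest))
    if not seen:
        raise LookupError(f"{pkg}: no trusted, reachable repository offers it")
    winner = seen[0]  # highest-priority trusted repo proposes the candidate
    if seen.count(winner) < rule["consensus"]:
        raise ValueError(f"{pkg}: {seen.count(winner)}/{rule['consensus']} repos agree")
    return winner

def build_demo_repos(pypi_online=True, mirror_online=True):
    """Constructed scenario: a lookalike 'internal-lib' sits on the public repo."""
    internal = Repo("internal", "internal-key")
    pypi = Repo("pypi", "pypi-key", online=pypi_online)
    mirror = Repo("mirror", "mirror-key", online=mirror_online)
    internal.publish("internal-lib", "1.4.0", b"genuine internal code")
    pypi.publish("internal-lib", "99.0.0", b"lookalike")  # dependency confusion bait
    pypi.publish("requests", "2.31.0", b"requests wheel")
    mirror.publish("requests", "2.31.0", b"requests wheel")
    return {"internal": internal, "pypi": pypi, "mirror": mirror}
```

With this policy the higher-numbered lookalike on the public repository is never consulted for `internal-lib`, and an outage or disagreement among the repositories required for `requests` fails closed instead of falling back to a single source.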


Cited By

Research Directions in Software Supply Chain Security. ACM Transactions on Software Engineering and Methodology. https://doi.org/10.1145/3714464

Published In

ACSAC '23: Proceedings of the 39th Annual Computer Security Applications Conference
December 2023
836 pages
ISBN:9798400708862
DOI:10.1145/3627106
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • NSF Grants
  • DHS

Conference

ACSAC '23

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
