Corpus ID: 71145717

Security Issues in Language-based Software Ecosystems

Ruturaj K. Vaidya, Lorenzo De Carli, Drew Davidson, Vaibhav Rastogi
Language-based ecosystems (LBE), i.e., software ecosystems based on a single programming language, are very common. Examples include the npm ecosystem for JavaScript, and PyPI for Python. These environments encourage code reuse between packages, and incorporate utilities - package managers - for automatically resolving dependencies. However, the same aspects that make these systems popular - ease of publishing code and importing external code - also create novel security issues, which have so… 

Wolf at the Door: Preventing Install-Time Attacks in npm with Latch

Evaluated Latch policies on all publicly available npm packages and on a number of real-world attack packages demonstrates that the approach is effective in identifying and stopping unwanted behavior while minimizing disruption due to undesired alerts.

What the Fork? Finding Hidden Code Clones in npm

UNWRAPPER is proposed, a mechanism to programmatically detect shrinkwrapped clones and match them to their source package, which uses a package difference metric based on directory tree similarity, augmented with a prefilter which quickly weeds out packages unlikely to be clones of a target.

Towards Using Source Code Repositories to Identify Software Supply Chain Attacks

The preliminary evaluation demonstrates that the proposed approach captures known attacks when malicious code was injected into PyPI packages, and the analysis of the 2666 software artifacts suggests that the technique is suitable for lightweight analysis of real-world packages.

Taxonomy of Attacks on Open-Source Software Supply Chains

This work proposes a general taxonomy for attacks on open-source supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution.

A Benchmark Comparison of Python Malware Detection Approaches

This work explores the security goals of the repository administrators and the requirements for deployments of such malware scanners via a case study of the Python ecosystem and PyPI repository, and evaluates existing malware detection techniques for deployment in this setting.

What are Weak Links in the npm Supply Chain?

The metadata of 1.63 million JavaScript npm packages was analyzed and six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers were proposed.

A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins

Analyzing known software vulnerabilities discovered from WordPress plugins finds that plugins with large installation bases have been affected by multiple vulnerabilities and contributes to the recent discussion about common security folklore.

On the Feasibility of Supervised Machine Learning for the Detection of Malicious Software Packages

A combination of multiple classifiers indicates a good viability of supervised machine learning for the detection of malicious packages by pre-selecting a feasible number of suspicious packages for further manual analysis.

A conflicts’ classification for IoT-based services: a comparative survey

Evidence is provided that the existing approaches have a gap in covering different conflicts' levels and types, which reduces the correctness and safety of IoT systems, and the need to develop a safety and security compiler or tool for IoT systems is pointed out.

Documentation Generation as Information Visualization

An information visualization analysis of auto docs is used to generate potential design principles for improving their usability, e.g. by providing more information-dense visualizations of method signatures.

Impact assessment for vulnerabilities in open-source software libraries

This paper proposes a novel approach to support the impact assessment based on the analysis of code changes introduced by security fixes, using an illustrative example and performs a comparison with both proprietary and open-source state-of-the-art solutions.

A look in the mirror: attacks on package managers

This work analyzes current package managers to show that by exploiting vulnerabilities, an attacker with a mirror can compromise or crash hundreds to thousands of clients weekly.

A Look at the Dynamics of the JavaScript Package Ecosystem

Analysis of the npm ecosystem from two complementary perspectives is presented, which provides insights into the ecosystem’s growth and activity, into conflicting measures of package popularity, and into the adoption of package versions over time.

In Dependencies We Trust: How vulnerable are dependencies in software modules?

The character of JavaScript modules relying on vulnerable components from a dependency viewpoint is explored and key findings indicate that the context use of the module and breaking changes are potential reasons for not resolving the vulnerable dependency.

AnDarwin: Scalable Detection of Android Application Clones Based on Semantics

A scalable approach to detecting similar Android apps based on their semantic information called AnDarwin, which can detect both full and partial app similarity and automatically detect library code and remove it from the similarity analysis.

Identification of Dependency-based Attacks on Node.js

A static code analysis implemented on the T.J. Watson Libraries for Analysis (WALA) detects the identified attacks, and for evaluation the analysis is integrated into OpenWhisk, an open source serverless cloud platform.

Tracking known security vulnerabilities in proprietary software systems

This paper presents the Vulnerability Alert Service (VAS), a tool-based process to track known vulnerabilities in software systems throughout their life cycle, and studies its usefulness in the context of external software product quality monitoring provided by the Software Improvement Group.

A Large Scale Investigation of Obfuscation Use in Google Play

This first comprehensive analysis of the use of and challenges to software obfuscation in Android applications finds that only 24.92% of apps are obfuscated by the developer, with broad implications both for improving the security of Android apps and for all tools that aim to help developers write more secure software.

Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability

An approach that assesses the risk of vulnerability exploitability based on two software properties, attack surface entry points and reachability analysis, is proposed, and results show that the proposed approach can yield a risk assessment that differs from the CVSS Base Score.

MAST: triage for market-scale mobile malware analysis

This work presents the Mobile Application Security Triage architecture, a tool that helps to direct scarce malware analysis resources towards the applications with the greatest potential to exhibit malicious behavior, and shows that successful triage can dramatically reduce the costs of removing malicious applications from markets.