Litcius/Paper detail

Differential Static Analysis for Detecting Malicious Updates to Open Source Packages

Fabian Niklas Froh, Matías F. Gobbi, Johannes Kinder

202312 citationsDOI

Abstract

Modern software applications routinely integrate many third-party open source dependencies, with package managers delivering timely updates of the entire dependency tree. The downside is that malicious actors can inject malicious code into widely-used software packages, which is then distributed to potentially thousands of direct or indirect client applications. Such attacks on the software supply chain are no longer just theoretical curiosities, but a practical risk. To mitigate this risk, we propose a new approach using differential static analysis to flag malicious code modifications in package updates. We use specifications in the CodeQL query language to match suspicious behavior and compare results across package versions. Where we detect an anomalous change in behavior, we classify that package update as potentially malicious and requiring further analysis. We show that our approach successfully identifies all malicious versions on a dataset of packages with a history of malicious code; on a dataset of popular benign packages from the npm repository, we obtain on average 1.3% false alarms, demonstrating that our approach holds promise for practical deployment as a warning system on the open source software supply chain.

Topics & Concepts

Computer scienceSource codeTaint checkingSoftwareStatic analysisSoftware deploymentCode (set theory)MalwareStatic program analysisComputer securityDependency (UML)Open sourceSoftware engineeringOperating systemSoftware developmentProgramming languageSet (abstract data type)Advanced Malware Detection TechniquesSoftware Engineering ResearchScientific Computing and Data Management
Differential Static Analysis for Detecting Malicious Updates to Open Source Packages | Litcius