Automating Protections Against Software Supply-Chain Threats
Modern applications incorporate thousands of existing software components as a means of accelerating development and reducing cost—at a significant risk to safety and security, for both developers and end-users. We are developing systems for automatically improving the security of large and complex modern applications, and more broadly entire software ecosystems, by analyzing, transforming, and synthesizing software components against a variety of threat models.
Papers: Our PLOS17 paper identifies key security problems with third-party libraries and sketches a solution that leverages program transformations to lower (and lock) the privilege of individual libraries. Our NDSS18 paper proposes automated transformations that use operating-system protection mechanisms to isolate selected libraries. Our FSE21 paper proposes language-based instrumentation techniques applied to the context around each library to offer low-overhead Turing-complete runtime analysis and isolation. One of our CCS21 papers proposes a read-write-execute (RWX) permission model at the library boundary, combined with static and load-time program analysis that automates permission inference — minimizing developer effort to secure these libraries. Our other CCS21 paper uses active learning and regeneration to synthesize vulnerability-free replacement libraries that fall under certain computational domains.
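To make the read-write-execute (RWX) permission model at the library boundary concrete, the following is an added JavaScript example, not code from the CCS21 paper or from the group's systems, that enforces a hand-written policy with `Proxy` wrappers. The names `guard`, `PermissionError` and `attempt`, the dotted-path policy format, and the sample `context` are assumptions made for illustration, and the policy is written by hand rather than inferred by program analysis.

```javascript
// Added illustration: RWX permissions checked at a library boundary via Proxy.
// guard, PermissionError, attempt and the policy format are hypothetical names.
class PermissionError extends Error {}

// policy maps a dotted access path to a permission string, e.g. 'rx'.
function guard(target, policy, path) {
  const check = (name, perm) => {
    if (!(policy[name] || '').includes(perm)) {
      throw new PermissionError(`${perm} denied on ${name}`);
    }
  };
  return new Proxy(target, {
    get(obj, key) {                       // R: reading a field
      if (typeof key === 'symbol') return Reflect.get(obj, key);
      const name = `${path}.${key}`;
      check(name, 'r');
      const value = Reflect.get(obj, key);
      const isRef = value !== null && ['object', 'function'].includes(typeof value);
      return isRef ? guard(value, policy, name) : value; // wrap nested values
    },
    set(obj, key, value) {                // W: assigning a field
      check(`${path}.${String(key)}`, 'w');
      return Reflect.set(obj, key, value);
    },
    apply(fn, thisArg, args) {            // X: calling a function
      check(path, 'x');
      return Reflect.apply(fn, thisArg, args);
    },
  });
}

// Constructed stand-ins for what an application hands to a third-party library.
const context = {
  fs: { readFile: (p) => `contents of ${p}`, unlink: (p) => `deleted ${p}` },
  env: { HOME: '/home/app', API_TOKEN: 'constructed-secret' },
};

// Constructed policy: call fs.readFile, see (not call) fs.unlink, read env.HOME.
const policy = {
  'ctx.fs': 'r', 'ctx.fs.readFile': 'rx', 'ctx.fs.unlink': 'r',
  'ctx.env': 'r', 'ctx.env.HOME': 'r',
};

// Runs library code against the guarded context; returns its result or the denial.
function attempt(libraryCode) {
  try { return libraryCode(guard(context, policy, 'ctx')); }
  catch (e) { if (e instanceof PermissionError) return e.message; throw e; }
}

console.log(attempt((ctx) => ctx.fs.readFile('a.txt')), '|', attempt((ctx) => ctx.env.API_TOKEN));
```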
Our recent systems allow specifying, inferring, and enforcing security policies around individual components—such as libraries or modules—automatically.
Systems presented at AsiaCCS23 and ACSAC22 protect against memory-unsafe native addons, such as JavaScript or Python libraries developed in C/C++, and offer application-level support for privilege separation. And our ICSE23 paper proposes a collection of executable security benchmarks that can be used to evaluate defenses against supply-chain security issues.
Ongoing work: Our current research (1) develops the model behind library recontextualization and its proofs of soundness properties, (2) proposes the combination of static and dynamic analysis techniques to address accuracy and compatibility challenges in shielding third-party libraries, and (3) advocates the use of Large Language Models (LLMs) to overcome the scalability limitations of vulnerability-free library regeneration.
Software & Systems:
- BinWrap is a system for protecting applications written in high-level, memory-safe languages from the security problems of memory-unsafe libraries.
- Lya is a system for dynamic program analysis and instrumentation at the boundaries of JavaScript libraries. It forms the basis for much of our runtime security work around JavaScript.
- Mir is a system for static analysis at the boundaries of JavaScript libraries.
Technology Transition:
Aarno Labs and Require Security are companies transitioning state-of-the-art supply-chain security technologies that the group is developing or has developed in the past.
Press:
- Brown CS published an article on BinWrap, our hybrid protection system for native JavaScript addons.