Skip to main content

Software Supply-Chain Security #

Modern software incorporates thousands of dependencies as a means of accelerating its development and reducing its cost—at a significant risk to safety and security for both developers and end-users. We have built a series of systems targeting the JavaScript dependency ecosystem—the largest such ecosystem out there—automating the analysis, transformation, and synthesis of dependencies across a variety of threat models.

Papers: Our PLOS17 paper identifies key security problems with third-party libraries and sketches a solution that leverages program transformations to lower (and lock) the privilege of individual libraries. Our NDSS18 paper proposes automated transformations that use operating-system protection mechanisms to isolate selected libraries. Our FSE21 paper proposes language-based instrumentation techniques applied to the context around each library to offer low-overhead Turing-complete runtime analysis and isolation. One of our CCS21 papers proposes a read-write-execute (RWX) permission model at the library boundary, combined with static and load-time program analysis that automates permission inference — minimizing developer effort to secure these libraries. Our other CCS21 paper uses active learning and regeneration to synthesize vulnerability-free replacement libraries that fall under certain computational domains.

Our recent systems, presented at AsiaCCS23 and ACSAC22, protect against memory-unsafe native addons, such as JavaScript or Python libraries developed in C/C++, and offer application-level support for privilege separation. And our ICSE23 paper proposes a collection of executable security benchmarks that can be used to evaluate defenses against supply-chain security issues.

Ongoing work: Our current research (1) develops the model behind library recontextualization and its proofs of soundness properties, (2) proposes the combination of static and dynamic analysis techniques to address accuracy and compatibility challenges in shielding third-party libraries, and (3) advocates the use of Large Language Models (LLMs) to overcome the scalability limitations of vulnerability-free library regeneration.

Software & Systems:

  • Lya is a system for dynamic program analysis and instrumentation at the boundaries of JavaScript libraries. It forms the basis for much of our runtime security work around JavaScript.
  • Mir is a system for static analysis at the boundaries of JavaScript libraries.
  • BinWrap is a system for protecting applications written in high-level, memory-safe languages from the security problems of memory-unsafe libraries.

Technology Transition:

Require Security is a company transitioning some of these and other supply-chain security technologies to industry.