Software Supply-Chain Security #
Papers: Our PLOS17 paper identifies key security problems with third-party libraries and sketches a solution that leverages program transformations to lower (and lock) the privilege of individual libraries. Our NDSS18 paper proposes automated transformations that use operating-system protection mechanisms to isolate selected libraries. Our FSE21 paper proposes language-based instrumentation techniques applied to the context around each library to offer low-overhead Turing-complete runtime analysis and isolation. One of our CCS21 papers proposes a read-write-execute (RWX) permission model at the library boundary, combined with static and load-time program analysis that automates permission inference — minimizing developer effort to secure these libraries. Our other CCS21 paper uses active learning and regeneration to synthesize vulnerability-free replacement libraries that fall under certain computational domains.
Ongoing work: Our current research (1) develops the model behind library recontextualization and its proofs of soundness properties, (2) proposes the combination of static and dynamic analysis techniques to address accuracy and compatibility challenges in shielding third-party libraries, and (3) advocates the use of Large Language Models (LLMs) to overcome the scalability limitations of vulnerability-free library regeneration.
Software & Systems:
- BinWrap is a system for protecting applications written in high-level, memory-safe languages from the security problems of memory-unsafe libraries.
Require Security is a company transitioning some of these and other supply-chain security technologies to industry.
- Brown CS article on BrinWrap our language-binary protection system.