SaTC: CORE: Small: Trustworthy Dependency Management

SaTC：核心：小型：值得信赖的依赖管理

• 批准号: 1717022
• 负责人: Christian Kastner
• 金额: $ 49.99万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-08-01 至 2021-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1717022&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Trustworthy; Dependency

Software development increasingly relies on reusing platforms, libraries, and frameworks developed independently by third parties with little coordination, which provides significant value to participants through reuse. A security threat that has received relatively little attention is attacks through malicious package updates, which are particularly threatening in platforms with many frequently updating package dependencies, such as Node.js. The burden of reviewing all updates of all dependencies for security issues is too high for most developers. In this setting, automated solutions will reduce the attack surface, guide manual effort, and as a result, allow developers to trust packages and their updates with low enough effort to make it practical.This research will raise awareness of the problem and develop tools to significantly reduce risks and costs associated with dependency management. It will develop both heuristic and sound approaches to increase trust in package updates. It will focus on Javascript packages on the widely used package manager npm. Heuristic approaches will guide the attention of human reviewers toward suspicious updates. A permission model will establish trust of many, especially small and simple, packages. The work will significantly reduce the attack surface and restrict exploits through malicious package updates. The increased trust in package managers and corresponding lower risks and costs will  benefit not only professional developers, but also scientists, hobbyists, and end-user programmers that often have less experience with computer security and can be an easy target for attackers.

软件开发越来越依赖于由第三方独立开发的平台、库和框架的重用，几乎不需要协调，这通过重用为参与者提供了重要的价值。一种相对较少受到关注的安全威胁是通过恶意包更新进行的攻击，这在Node.js等具有许多频繁更新包依赖项的平台上尤其具有威胁。对于大多数开发人员来说，审查安全问题的所有依赖项的所有更新的负担太重了。在这种情况下，自动化的解决方案将减少攻击面，引导手动工作，结果是允许开发人员以足够低的努力信任包及其更新，从而使其具有实用性。这项研究将提高对问题的认识，并开发工具来显著降低与依赖项管理相关的风险和成本。它将开发启发式和合理的方法来增加对包更新的信任。它将重点放在Java包上广泛使用的包管理器NPM上。启发式方法将引导人类审查者的注意力转向可疑的更新。权限模型将建立对许多包的信任，特别是小的和简单的包。这项工作将显著减少攻击面，并通过恶意程序包更新限制利用。对包管理器的信任增加以及相应的较低风险和成本不仅将使专业开发人员受益，而且还将使科学家、业余爱好者和最终用户程序员受益，这些人通常对计算机安全缺乏经验，很容易成为攻击者的目标。

项目成果

Containing Malicious Package Updates in npm with a Lightweight Permission System

• DOI: 10.1109/icse43902.2021.00121
• 发表时间: 2021-03
• 期刊: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)
• 作者: G. Ferreira;Limin Jia;Joshua Sunshine;Christian Kästner