GoSurf: Identifying Software Supply Chain Attack Vectors in Go

• URL: http://arxiv.org/abs/2407.04442v2
• Date: Tue, 17 Sep 2024 14:18:14 GMT
• Title: GoSurf: Identifying Software Supply Chain Attack Vectors in Go
• Authors: Carmine Cesarano, Vivi Andersson, Roberto Natella, Martin Monperrus,
• Abstract summary: We propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem.
• Score: 9.91891839872381
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain security risks, as a single compromised package can have cascading impacts. Existing supply chain attack taxonomies overlook language-specific features that can be exploited by attackers to hide malicious code. In this paper, we propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our taxonomy identifies patterns in which language-specific Go features, intended for benign purposes, can be misused to propagate malicious code stealthily through supply chains. Additionally, we introduce GoSurf, a static analysis tool that analyzes the attack surface of Go packages according to our proposed taxonomy. We evaluate GoSurf on a corpus of widely used, real-world Go packages. Our work provides preliminary insights for securing the open-source software supply chain within the Go ecosystem, allowing developers and security analysts to prioritize code audit efforts and uncover hidden malicious behaviors.

Related papers

• Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985]
  Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks. Security practitioners advocate pinning dependency to specific versions rather than floating in version ranges. We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
  arXiv  Detail & Related papers  (2025-02-10T16:50:48Z)
• Importing Phantoms: Measuring LLM Package Hallucination Vulnerabilities [11.868859925111561]
  Large Language Models (LLMs) have become an essential tool in the programmer's toolkit. Their tendency to hallucinate code can be used by malicious actors to introduce vulnerabilities to broad swathes of the software supply chain.
  arXiv  Detail & Related papers  (2025-01-31T10:26:18Z)
• Enhancing Supply Chain Visibility with Generative AI: An Exploratory Case Study on Relationship Prediction in Knowledge Graphs [52.79646338275159]
  Relationship prediction aims to increase the visibility of supply chains using data-driven techniques. Existing methods have been successful for predicting relationships but struggle to extract the context in which these relationships are embedded. Lack of context prevents practitioners from distinguishing transactional relations from established supply chain relations.
  arXiv  Detail & Related papers  (2024-12-04T15:19:01Z)
• OSS Malicious Package Analysis in the Wild [17.028240712650486]
  This paper builds and curates the largest dataset of 23,425 malicious packages from scattered online sources. We then propose a knowledge graph to represent the OSS malware corpus and conduct malicious package analysis in the wild.
  arXiv  Detail & Related papers  (2024-04-07T15:25:13Z)
• Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain With Auto-generated Static Analysis Rules [1.9591497166224197]
  We propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules. Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code. We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++.
  arXiv  Detail & Related papers  (2024-01-23T02:23:11Z)
• Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem [0.773844059806915]
  A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
  arXiv  Detail & Related papers  (2023-12-31T14:53:51Z)
• Exploring Security Practices in Infrastructure as Code: An Empirical Study [54.669404064111795]
  Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools. scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. Ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices.
  arXiv  Detail & Related papers  (2023-08-07T23:43:32Z)
• Language Model Decoding as Likelihood-Utility Alignment [54.70547032876017]
  We introduce a taxonomy that groups decoding strategies based on their implicit assumptions about how well the model's likelihood is aligned with the task-specific notion of utility. Specifically, by analyzing the correlation between the likelihood and the utility of predictions across a diverse set of tasks, we provide the first empirical evidence supporting the proposed taxonomy.
  arXiv  Detail & Related papers  (2022-10-13T17:55:51Z)
• Software Vulnerability Detection via Deep Learning over Disaggregated Code Graph Representation [57.92972327649165]
  This work explores a deep learning approach to automatically learn the insecure patterns from code corpora. Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program.
  arXiv  Detail & Related papers  (2021-09-07T21:24:36Z)
• A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence [78.23170229258162]
  We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
  arXiv  Detail & Related papers  (2021-01-17T19:44:09Z)
• Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence [94.94833077653998]
  ThreatRaptor is a system that facilitates threat hunting in computer systems using open-source Cyber Threat Intelligence (OSCTI) It extracts structured threat behaviors from unstructured OSCTI text and uses a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.
  arXiv  Detail & Related papers  (2020-10-26T14:54:01Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.