Analyzing Challenges in Deployment of the SLSA Framework for Software Supply Chain Security

• URL: http://arxiv.org/abs/2409.05014v2
• Date: Thu, 05 Dec 2024 03:12:04 GMT
• Title: Analyzing Challenges in Deployment of the SLSA Framework for Software Supply Chain Security
• Authors: Mahzabin Tamanna, Sivana Hamer, Mindy Tran, Sascha Fahl, Yasemin Acar, Laurie Williams,
• Abstract summary: This study analyzed 1,523 SLSA-related issues extracted from 233 GitHub repositories.<n>We identified four significant challenges and five suggested adoption strategies.<n>The suggested strategies include streamlining provenance generation processes, improving the SLSA verification process, and providing specific and detailed documentation.
• Score: 16.59946110914069
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: In 2023, Sonatype reported a 200\% increase in software supply chain attacks, including major build infrastructure attacks. To secure the software supply chain, practitioners can follow security framework guidance like the Supply-chain Levels for Software Artifacts (SLSA). However, recent surveys and industry summits have shown that despite growing interest, the adoption of SLSA is not widespread. To understand adoption challenges, \textit{the goal of this study is to aid framework authors and practitioners in improving the adoption and development of Supply-Chain Levels for Software Artifacts (SLSA) through a qualitative study of SLSA-related issues on GitHub}. We analyzed 1,523 SLSA-related issues extracted from 233 GitHub repositories. We conducted a topic-guided thematic analysis, leveraging the Latent Dirichlet Allocation (LDA) unsupervised machine learning algorithm, to explore the challenges of adopting SLSA and the strategies for overcoming these challenges. We identified four significant challenges and five suggested adoption strategies. The two main challenges reported are complex implementation and unclear communication, highlighting the difficulties in implementing and understanding the SLSA process across diverse ecosystems. The suggested strategies include streamlining provenance generation processes, improving the SLSA verification process, and providing specific and detailed documentation. Our findings indicate that some strategies can help mitigate multiple challenges, and some challenges need future research and tool enhancement.

Related papers

• Pushing the Limits of Safety: A Technical Report on the ATLAS Challenge 2025 [167.94680155673046]
  This report presents findings from the Adversarial Testing & Large-model Alignment Safety Grand Challenge (ATLAS) 2025.<n>The competition involved 86 teams testing MLLM vulnerabilities via adversarial image-text attacks in two phases: white-box and black-box evaluations.<n>The challenge establishes new benchmarks for MLLM safety evaluation and lays groundwork for advancing safer AI systems.
  arXiv  Detail & Related papers  (2025-06-14T10:03:17Z)
• Human Side of Smart Contract Fuzzing: An Empirical Study [0.0]
  This study investigates the challenges practitioners face when adopting SC fuzzing tools.<n>We categorize these challenges into a taxonomy based on their nature and occurrence within the SC fuzzing workflow.<n>Our findings reveal domain-specific ease-of-use and usefulness challenges, including technical issues with blockchain emulation.
  arXiv  Detail & Related papers  (2025-06-09T03:25:14Z)
• BugWhisperer: Fine-Tuning LLMs for SoC Hardware Vulnerability Detection [1.0816123715383426]
  This paper proposes a new framework named BugWhisperer to address the challenges of system-on-chips (SoCs) security verification.<n>We introduce an open-source, fine-tuned Large Language Model (LLM) specifically designed for detecting security vulnerabilities in SoCs.
  arXiv  Detail & Related papers  (2025-05-28T21:25:06Z)
• Thinking Longer, Not Larger: Enhancing Software Engineering Agents via Scaling Test-Time Compute [61.00662702026523]
  We propose a unified Test-Time Compute scaling framework that leverages increased inference-time instead of larger models.<n>Our framework incorporates two complementary strategies: internal TTC and external TTC.<n>We demonstrate our textbf32B model achieves a 46% issue resolution rate, surpassing significantly larger models such as DeepSeek R1 671B and OpenAI o1.
  arXiv  Detail & Related papers  (2025-03-31T07:31:32Z)
• Computational Safety for Generative AI: A Signal Processing Perspective [65.268245109828]
  computational safety is a mathematical framework that enables the quantitative assessment, formulation, and study of safety challenges in GenAI. We show how sensitivity analysis and loss landscape analysis can be used to detect malicious prompts with jailbreak attempts. We discuss key open research challenges, opportunities, and the essential role of signal processing in computational AI safety.
  arXiv  Detail & Related papers  (2025-02-18T02:26:50Z)
• LLMs in Software Security: A Survey of Vulnerability Detection Techniques and Insights [12.424610893030353]
  Large Language Models (LLMs) are emerging as transformative tools for software vulnerability detection. This paper provides a detailed survey of LLMs in vulnerability detection. We address challenges such as cross-language vulnerability detection, multimodal data integration, and repository-level analysis.
  arXiv  Detail & Related papers  (2025-02-10T21:33:38Z)
• Navigating the Risks: A Survey of Security, Privacy, and Ethics Threats in LLM-Based Agents [67.07177243654485]
  This survey collects and analyzes the different threats faced by large language models-based agents. We identify six key features of LLM-based agents, based on which we summarize the current research progress. We select four representative agents as case studies to analyze the risks they may face in practical use.
  arXiv  Detail & Related papers  (2024-11-14T15:40:04Z)
• Sok: Comprehensive Security Overview, Challenges, and Future Directions of Voice-Controlled Systems [10.86045604075024]
  The integration of Voice Control Systems into smart devices accentuates the importance of their security. Current research has uncovered numerous vulnerabilities in VCS, presenting significant risks to user privacy and security. This study introduces a hierarchical model structure for VCS, providing a novel lens for categorizing and analyzing existing literature in a systematic manner. We classify attacks based on their technical principles and thoroughly evaluate various attributes, such as their methods, targets, vectors, and behaviors.
  arXiv  Detail & Related papers  (2024-05-27T12:18:46Z)
• Large Language Model Supply Chain: A Research Agenda [5.1875389249043415]
  Large language models (LLMs) have revolutionized artificial intelligence, introducing unprecedented capabilities in natural language processing and multimodal content generation. This paper provides the first comprehensive research agenda of the LLM supply chain, offering a structured approach to identify critical challenges and opportunities.
  arXiv  Detail & Related papers  (2024-04-19T09:29:53Z)
• DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers [0.3754193239793766]
  adversaries utilize Social Engineering (SocE) techniques specifically aimed at software developers. This paper aims to comprehensively explore the existing and emerging SocE tactics employed by adversaries to trick Software Engineers (SWEs) into delivering malicious software.
  arXiv  Detail & Related papers  (2024-02-28T15:24:43Z)
• Chain-of-Thought Prompting of Large Language Models for Discovering and Fixing Software Vulnerabilities [21.787125867708962]
  Large language models (LLMs) have demonstrated impressive potential in various domains. In this paper, we explore how to leverage LLMs and chain-of-thought (CoT) prompting to address three key software vulnerability analysis tasks. We show substantial superiority of our CoT-inspired prompting over the baselines.
  arXiv  Detail & Related papers  (2024-02-27T05:48:18Z)
• X-lifecycle Learning for Cloud Incident Management using LLMs [18.076347758182067]
  Incident management for large cloud services is a complex and tedious process. Recent advancements in large language models [LLMs] created opportunities to automatically generate contextual recommendations. In this paper, we demonstrate that augmenting additional contextual data from different stages of SDLC improves the performance.
  arXiv  Detail & Related papers  (2024-02-15T06:19:02Z)
• Service Level Agreements and Security SLA: A Comprehensive Survey [51.000851088730684]
  This survey paper identifies state of the art covering concepts, approaches, and open problems of SLA management. It contributes by carrying out a comprehensive review and covering the gap between the analyses proposed in existing surveys and the most recent literature on this topic. It proposes a novel classification criterium to organize the analysis based on SLA life cycle phases.
  arXiv  Detail & Related papers  (2024-01-31T12:33:41Z)
• LLM for SoC Security: A Paradigm Shift [10.538841854672786]
  Large Language Models (LLMs) are celebrated for their remarkable success in natural language understanding, advanced reasoning, and program synthesis tasks. This paper offers an in-depth analysis of existing works, showcases practical case studies, demonstrates comprehensive experiments, and provides useful promoting guidelines.
  arXiv  Detail & Related papers  (2023-10-09T18:02:38Z)
• A Survey on Self-supervised Learning: Algorithms, Applications, and Future Trends [82.64268080902742]
  Self-supervised learning (SSL) aims to learn discriminative features from unlabeled data without relying on human-annotated labels. SSL has garnered significant attention recently, leading to the development of numerous related algorithms. This paper presents a review of diverse SSL methods, encompassing algorithmic aspects, application domains, three key trends, and open research questions.
  arXiv  Detail & Related papers  (2023-01-13T14:41:05Z)
• Inspect, Understand, Overcome: A Survey of Practical Methods for AI Safety [54.478842696269304]
  The use of deep neural networks (DNNs) in safety-critical applications is challenging due to numerous model-inherent shortcomings. In recent years, a zoo of state-of-the-art techniques aiming to address these safety concerns has emerged. Our paper addresses both machine learning experts and safety engineers.
  arXiv  Detail & Related papers  (2021-04-29T09:54:54Z)
• Transfer Learning for Future Wireless Networks: A Comprehensive Survey [49.746711269488515]
  This article aims to provide a comprehensive survey on applications of Transfer Learning in wireless networks. We first provide an overview of TL including formal definitions, classification, and various types of TL techniques. We then discuss diverse TL approaches proposed to address emerging issues in wireless networks.
  arXiv  Detail & Related papers  (2021-02-15T14:19:55Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.