SoK: Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
Research directions in software supply chain security
Reusable software libraries, frameworks, and components, such as those provided by open-
source ecosystems and third-party suppliers, accelerate digital innovation. However, recent …
Software supply chain: review of attacks, risk assessment strategies and security controls
The software product is a source of cyber-attacks that target organizations by using their
software supply chain as a distribution vector. As the reliance of software projects on open …
Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
Preventing dynamic library compromise on Node.js via RWX-based privilege reduction
Third-party libraries ease the development of large-scale software systems. However,
libraries often execute with significantly more privilege than needed to complete their task …
Precise and efficient patch presence test for Android applications against code obfuscation
Third-party libraries (TPLs) are widely utilized by Android developers to implement new
apps. Unfortunately, TPLs are often suffering from various vulnerabilities, which could be …
An empirical study on using large language models to analyze software supply chain security failures
As we increasingly depend on software systems, the consequences of breaches in the
software supply chain become more severe. High-profile cyber attacks like SolarWinds and …
Detecting third-party library problems with combined program analysis
Third-party libraries ease the software development process and thus have become an
integral part of modern software engineering. Unfortunately, they are not usually vetted by …
SkipFuzz: Active learning-based input selection for fuzzing deep learning libraries
Many modern software systems are enabled by deep learning libraries such as TensorFlow
and PyTorch. As deep learning is now prevalent, the security of deep learning libraries is a …
1dFuzz: Reproduce 1-Day Vulnerabilities with Directed Differential Fuzzing
1-day vulnerabilities are common in practice and have posed severe threats to end users, as
adversaries could learn from released patches to find them and exploit them. Reproducing 1 …