DEMISEC Project Officially Started

1 September 2021

The project DEMISEC: Detection of Malicious Implants in Source Code has officially started. The project will investigate techniques for automatic vetting of open source repositories, in particular for detecting implants of malicious code in source code. We have two open positions related to the project, apply now!

Reuse of software components is a fundamental building block of software engineering. Today’s developers can quickly realize complex projects by wiring together components and libraries, choosing from a vast range of open source code. On the one hand, this eliminates repetition and therefore opportunities to accidentally introduce vulnerabilities, e.g., by relying verified and verifiable implementations of crypto libraries. On the other hand, it creates a potentially long software supply chain of transitive dependencies, where each element has to be trusted. Malicious code implanted at any point in the supply chain can propagate into critical systems. Already there have been several cases of open source developers having their credentials stolen to upload malicious code into popular libraries. With open source repositories effectively becoming critical infrastructure, we need reliable methods to verify and validate source code.