Sponsored by WTD81.

Reuse of software components is a fundamental building block of software engineering. Today’s developers can quickly realize complex projects by wiring together components and libraries, choosing from a vast range of open source code. On the one hand, this eliminates repetition and therefore opportunities to accidentally introduce vulnerabilities, e.g., by relying on verified and verifiable implementations of crypto libraries. On the other hand, it creates a potentially long software supply chain of transitive dependencies, where each element has to be trusted. Malicious code implanted at any point in the supply chain can propagate into critical systems. There have already been several cases of open source developers having their credentials stolen and used to upload malicious code into popular libraries. With open source repositories effectively becoming critical infrastructure, we need reliable methods to verify and validate source code.

The goal of DEMISEC is to develop techniques for automatic vetting of open source repositories, in particular for detecting implants of malicious code in source code. We will use a mix of static and dynamic techniques to achieve this goal: fuzzing or symbolic execution for differential testing of program versions, and modeling of implant code to detect dangerous patterns in code repositories using static analysis. In collaboration with Prof. Brunthaler's µSRL lab, we will investigate Quick-Vetting for the lightweight attestation of pre-vetted software components. Finally, we will conduct large scale studies on open source code to evaluate the project outcomes.
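As an added illustration of the differential-testing idea named above (example code written for this page, not DEMISEC project code): two constructed versions of a small header-value sanitizer are fed the same seeded random inputs, and every input on which their behaviour differs is recorded. Version 2 carries a constructed hidden branch keyed to a trigger substring, standing in for an implant that ordinary unit tests would not exercise.

```python
"""Differential fuzzing of two versions of the same function (constructed example)."""
import random
from typing import Callable, List, Tuple

TRIGGER = "x-debug"  # constructed trigger substring for the toy implant


def sanitize_v1(value: str) -> str:
    # Reference version: drop non-printable characters, collapse whitespace.
    cleaned = "".join(ch for ch in value if ch.isprintable())
    return " ".join(cleaned.split())


def sanitize_v2(value: str) -> str:
    # Identical to v1, except for a constructed hidden branch that returns the
    # raw, unsanitized value whenever the trigger substring is present.
    if TRIGGER in value:
        return value
    cleaned = "".join(ch for ch in value if ch.isprintable())
    return " ".join(cleaned.split())


# Token alphabet for the input generator; the trigger token is included so a
# sizeable fraction of generated inputs contain it (constructed corpus).
ALPHABET = ["a", "b", " ", "\t", "\x01", TRIGGER, "-", "1"]


def gen_input(rng: random.Random) -> str:
    # Random concatenation of 1..8 alphabet tokens.
    return "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, 8)))


def _run(fn: Callable[[str], str], inp: str) -> str:
    # An exception is behaviour too: record its type instead of aborting the run.
    try:
        return fn(inp)
    except Exception as exc:
        return f"<{type(exc).__name__}>"


def differential_test(old: Callable[[str], str], new: Callable[[str], str],
                      iterations: int = 2000, seed: int = 1) -> List[Tuple[str, str, str]]:
    # Feed identical inputs to both versions; return (input, old_out, new_out)
    # for every input on which they disagree. Seeded, so runs are reproducible.
    rng = random.Random(seed)
    divergences = []
    for _ in range(iterations):
        inp = gen_input(rng)
        out_old, out_new = _run(old, inp), _run(new, inp)
        if out_old != out_new:
            divergences.append((inp, out_old, out_new))
    return divergences
```

Every divergence the harness reports contains the trigger, which is exactly the kind of input-dependent behaviour change a version-to-version vetting step wants to flag for manual review.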