RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains.
Saved in:
| Title: | RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains. |
|---|---|
| Authors: | Sofaer, Raphael J.1 r.j.sofaer@columbia.edu, David, Yaniv1 yaniv.david@columbia.edu, Kang, Mingqing2 mkang31@jhu.edu, Yu, Jianjia2 jyu122@jhu.edu, Cao, Yinzhi2 yinzhi.cao@jhu.edu, Yang, Junfeng1 junfeng@cs.columbia.edu, Nieh, Jason1 nieh@cs.columbia.edu |
| Source: | ICSE: International Conference on Software Engineering. 2024, p1-13. 13p. |
| Subjects: | Data flow computing, Supply chains, Extrapolation, Supply & demand, Malware |
| Abstract: | Rogue updates, an important type of software supply-chain attack in which attackers conceal malicious code inside updates to benign software, are a growing problem due to their stealth and effectiveness. We design and implement RogueOne, a system for detecting rogue updates to JavaScript packages. RogueOne uses a novel differential data-flow analysis to capture how an update changes a package's interactions with external APIs. Using an efficient form of abstract interpretation that can exclude unchanged code in a package, it constructs an object data-flow relationship graph (ODRG) that tracks data-flows among objects. RogueOne then maps objects to trust domains, a novel abstraction which summarizes trust relationships in a package. Objects are assigned a trust domain based on whether they originate in the target package, a dependency, or in a system API. RogueOne uses the ODRG to build a set of data-flows across trust domains. It compares data-flow sets across package versions to detect untrustworthy new interactions with external APIs. We evaluated RogueOne on hundreds of npm packages, demonstrating its effectiveness at detecting rogue updates and distinguishing them from benign ones. RogueOne achieves high accuracy and can be more than seven times as effective in detecting rogue updates and avoiding false positives compared to other systems built to detect malicious packages. [ABSTRACT FROM AUTHOR] |
| Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
|
Full text is not displayed to guests.
Login for full access.
|
|
Be the first to leave a comment!
