OSSIntegrity: Collaborative open-source code integrity verification

Abstract

Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can also be exploited and used as a means of conducting OSS supply chain attacks. In OSS attacks, malicious code is injected into libraries used by the target. Previous studies have proposed various methods for preventing and detecting such attacks, however most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted towards a specific target (i.e., developer). Since these attacks do not target general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose (SC)2V — secure crowdsource-based code verification, a novel distributed and scalable framework for verifying OSS libraries. (SC)2V is aimed at preventing targeted supply chain attacks and is integrated in the build phase of software production, serving as an additional code verification step before packaging the application and deploying it. (SC)2V involves both users (developers seeking to verify an OSS library) and verifiers that contribute to the collaborative verification effort. (SC)2V considers a library as verified and safe when a consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases), on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that it took our framework an average of just 26 s to issue an alert against the attacks.