Understanding and Mitigating Security Threats in Software Supply Chain

Feng Xiao

Ph.D. Candidate in Computer Science

School of Cybersecurity and Privacy

Georgia Institute of Technology

Date/Time: Nov 17, 2023, 2:00 PM to 4:00 PM Eastern Time (US and Canada)

Location: Coda C0915 Atlantic or join with zoom

Committee:

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Brendan Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Saman Zonouz,  School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Frank Li, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Guangliang Yang, School of Computer Science, Fudan University

Abstract:

Modern software heavily relies on the software supply chain ecosystem to boost development efficiency and reduce costs. Unfortunately,  the inherent vastness, complexity, and interdependence of the software supply chain often render existing security techniques inadequate. Traditional methods often fall short in thoroughly understanding and validating the software supply chain. They also tend to overlook new risks that emerge.

To tackle the rising threats, I propose novel and efficient program analysis abstractions for the software supply chain, and implement these abstractions into a robust, end-to-end program analysis framework. In the defense, I first present LYNX and JASMINE, which are automatic tools to assist developers in understanding the security-related properties of complex supply chain software. Next, I will present XGuard, a tool designed for developers to implement robust and efficient security protection. This tool utilizes the comprehensive security properties identified by LYNX and JASMINE to automatically generate detailed protection policies. With the policy, XGuard ensures the integrity of data and control flow within the supply chain software.