Unearthing Malicious And Other “Risky” Open-Source Packages Using Packj
From the benign left-pad incident to recent protestware, software supply chain attacks on open-source package managers such as NPM and PyPI have multiplied. Bad actors today leverage increasingly sophisticated techniques such as typo-squatting, repo-jacking, and social engineering to "supply" malicious code. Yet there is no robust way to analyze packages and measure their risk: metrics such as GitHub stars and forks are attacker-controlled and can be faked.
In this presentation, we will present a data-driven security analysis framework, called PACKJ, to measure and control the level of potential supply chain risk when adopting open-source packages. The framework relies on empirically identified (and validated) "risky" code and metadata attributes that make a package vulnerable to supply chain attacks. Examples include the use of filesystem/network APIs, lack of two-factor authentication on the maintainer account, and metadata impersonation. PACKJ employs static code analysis, dynamic tracing, and metadata checks to detect the presence (or absence) of such risky attributes.
Using this framework, we have built a large-scale automated system for continuous vetting of packages and have already identified several abandoned and malicious packages. In this presentation, we will discuss our tool, highlight our findings and the types of attacks we observed, and demo the tool detecting "risky" packages to mitigate supply chain attacks.
Ashish is a published author and researcher with a Ph.D. in Computer Science from Georgia Institute of Technology and extensive experience in building secure systems software from the ground up. He has worked in the industry for over a decade, coupled with nearly a decade of top-tier academic research. Ashish has presented his work at top-tier academic conferences, such as USENIX ATC, ACM SIGMETRICS, NDSS, and CSS. He also frequently speaks at premier industry conferences, such as Open Source Summit, PyCon, Linux Plumbers Conference, Black Hat, and PackagingCon.
Devdutt is the Head of Partnerships and Product Engineering at Ossillate Inc. He is an engineering leader and inventor with a strong record of bringing category-leading products to market, in roles spanning engineering & product. He has about two decades of experience in industry & academia spanning edge-to-cloud software systems. He is also a published author with research in security & network systems software, and holds 20+ US and international granted patents. He gained experience in startup incubation early in his career. Devdutt holds a Master’s Degree in Systems & Networking with an emphasis on Security from Georgia Tech.