-
An Industry Interview Study of Software Signing for Supply Chain Security
Authors:
Kelechi G. Kalu,
Tanya Singla,
Chinenye Okafor,
Santiago Torres-Arias,
James C. Davis
Abstract:
Many software products are composed by the recursive integration of components from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. These findings raise questions about the practical application of software signing, the human factors influencing its adoption, and the challenges faced during its implementation. We lack in-depth industry perspectives on the challenges and practices of software signing.
To understand software signing in practice, we interviewed 18 high-ranking industry practitioners across 13 organizations. We provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. We also study the challenges that affect an effective software signing implementation. To summarize our findings: (1) We present a refined model of the software supply chain factory model highlighting practitioners' signing practices; (2) We highlight the different challenges -- Technical, Organizational, and Human -- that hamper software signing implementation; (3) We report that expert subjects disagree on the importance of signing; (4) We describe how failure incidents and industry standards affect the adoption of software signing and other security techniques. Our findings contribute to the understanding of software supply chain security by highlighting the impact of human and organizational factors on Software Supply Chain risks and providing nuanced insights for effectively implementing Software Supply Chain security controls -- towards Software signing in practice.
Submitted 12 June, 2024;
originally announced June 2024.
-
ZTD$_{JAVA}$: Mitigating Software Supply Chain Vulnerabilities via Zero-Trust Dependencies
Authors:
Paschal C. Amusuo,
Kyle A. Robinson,
Tanmay Singla,
Huiyun Peng,
Aravind Machiry,
Santiago Torres-Arias,
Laurent Simon,
James C. Davis
Abstract:
Third-party software components like Log4J accelerate software application development but introduce substantial risk. These components have led to many software supply chain attacks. These attacks succeed because third-party software components are implicitly trusted in an application. Although several security defenses exist to reduce the risks from third-party software components, none of them fulfills the full set of requirements needed to defend against common attacks. No individual solution prevents malicious access to operating system resources, is dependency-aware, and enables the discovery of least privileges, all with low runtime costs. Consequently, they cannot prevent software supply chain attacks.
This paper proposes applying the NIST Zero Trust Architecture to software applications. Our Zero Trust Dependencies concept applies the NIST ZTA principles to an application's dependencies. First, we assess the expected effectiveness and feasibility of Zero Trust Dependencies using a study of third-party software components and their vulnerabilities. Then, we present a system design, ZTDSYS, that enables the application of Zero Trust Dependencies to software applications and a prototype, ZTDJAVA, for Java applications. Finally, with evaluations on recreated vulnerabilities and realistic applications, we show that ZTDJAVA can defend against prevalent vulnerability classes, introduces negligible cost, and is easy to configure and use.
Submitted 25 April, 2024; v1 submitted 21 October, 2023;
originally announced October 2023.
-
An Empirical Study on Using Large Language Models to Analyze Software Supply Chain Security Failures
Authors:
Tanmay Singla,
Dharun Anandayuvaraj,
Kelechi G. Kalu,
Taylor R. Schorlemmer,
James C. Davis
Abstract:
As we increasingly depend on software systems, the consequences of breaches in the software supply chain become more severe. High-profile cyber attacks like those on SolarWinds and ShadowHammer have resulted in significant financial and data losses, underlining the need for stronger cybersecurity. One way to prevent future breaches is by studying past failures. However, traditional methods of analyzing these failures require manually reading and summarizing reports about them. Automated support could reduce costs and allow analysis of more failures. Natural Language Processing (NLP) techniques such as Large Language Models (LLMs) could be leveraged to assist the analysis of failures. In this study, we assessed the ability of Large Language Models (LLMs) to analyze historical software supply chain breaches. We used LLMs to replicate the manual analysis of 69 software supply chain security failures performed by members of the Cloud Native Computing Foundation (CNCF). We developed prompts for LLMs to categorize these by four dimensions: type of compromise, intent, nature, and impact. GPT 3.5's categorizations had an average accuracy of 68% and Bard had an accuracy of 58% over these dimensions. We report that LLMs effectively characterize software supply chain failures when the source articles are detailed enough for consensus among manual analysts, but cannot yet replace human analysts. Future work can improve LLM performance in this context, and study a broader range of articles and failures.
Submitted 9 August, 2023;
originally announced August 2023.
-
An alternate approach to simulate the dynamics of perturbed liquid drops
Authors:
Tanu Singla,
Tanushree Roy,
P. Parmananda,
M. Rivera
Abstract:
Liquid drops, when subjected to external periodic perturbations, can execute polygonal oscillations. In this work, a simple model is presented that demonstrates these oscillations and their characteristic properties. The model consists of a spring-mass network such that the masses are analogous to liquid molecules and the springs to intermolecular forces. Neo-Hookean springs are considered to represent these intermolecular forces. The restoring force of a neo-Hookean spring depends nonlinearly on its length such that the force of a compressed spring is much higher than the force of a spring elongated by the same amount. This is equivalent to the incompressibility of liquids, making these springs suitable to simulate the polygonal oscillations. It is shown that this spring-mass network can imitate most of the characteristic features of experimentally reported polygonal oscillations. Additionally, it is shown that the network can execute certain dynamics which so far have not been observed in a perturbed liquid drop. The features of dynamics which are observed in the perturbed network are: polygonal oscillations, rotation of the network, numerical relations (rational and irrational) between the frequencies of polygonal oscillations and the forcing signal, and the dependency of the shape of the polygons on the parameters of perturbation.
Submitted 20 September, 2021; v1 submitted 17 June, 2021;
originally announced June 2021.
-
Explosive synchronization in temporal networks: A comparative study
Authors:
Tanu Singla,
M. Rivera
Abstract:
We present a comparative study on Explosive Synchronization (ES) in temporal networks consisting of phase oscillators. The temporal nature of the networks is modeled with two configurations: (1) oscillators are allowed to move in a closed two-dimensional box such that they couple with their neighbors, (2) oscillators are static and they randomly switch their coupling partners. Configuration (1) is further studied under two possible scenarios: in the first case oscillators couple to a fixed number of neighbors, while in the other they couple to all oscillators lying in their circle of vision. Under these circumstances, we monitor the degrees of the temporal networks, the velocities and radius of the circle of vision of the oscillators, and the probability of forming connections in order to study and compare the critical values of the coupling required to induce ES in the population of phase oscillators.
Submitted 16 November, 2020; v1 submitted 19 July, 2020;
originally announced July 2020.
-
Sounds of Leidenfrost drops
Authors:
Tanu Singla,
M. Rivera
Abstract:
We show that when a drop of water is maintained in its Leidenfrost regime, a sound in the form of periodic beats is emitted from the drop. The process of beat emission involves two distinct frequencies. One component is the frequency of the beats itself and the second is the frequency of the sound in every beat, which is emitted when one oscillation in the drop occurs. Experiments have been performed by placing a drop of water over a concave metallic surface, and the beats of the drop were recorded by fixing a microphone above the drop. A video camera was also fixed above the drop to record its oscillations. Simple analytical techniques like Fourier and wavelet transforms of the audio signals and image processing of the videos of the drop have been used to gain insight into the mechanism of the beat emission process. This analysis also helped us in studying the dependence of the frequencies, if any, on the radius of the drop and the substrate temperature.
Submitted 27 May, 2020; v1 submitted 22 February, 2020;
originally announced February 2020.
-
Effect of discrete time observations on synchronization in Chua model and applications to data assimilation
Authors:
Md. Nurujjaman,
Sumanth Shivamurthy,
Amit Apte,
Tanu Singla,
P. Parmananda
Abstract:
Recent studies indicate the effectiveness of synchronization as a data assimilation tool for small or meso-scale forecasts when fewer variables are observed frequently. Our main aim here is to understand the effects of changing observational frequency and observational noise on synchronization and prediction in a low-dimensional chaotic system, namely the Chua circuit model. We perform identical twin experiments in order to study synchronization using discrete-in-time observations generated from an independent model run and coupled unidirectionally to the model through $x$, $y$ and $z$ separately. We observe synchrony in a finite range of coupling constant when coupling the $x$ and $y$ variables of the Chua model but not when coupling the $z$ variable. This range of coupling constant decreases with increasing levels of noise in the observations. The Chua system does not show synchrony when the time gap between observations is greater than about one-seventh of the Lyapunov time. Finally, we also note that prediction errors are much larger when noisy observations are used than when using observations without noise.
Submitted 16 November, 2011;
originally announced November 2011.