TL;DR: In this paper, the authors present a dataset as well as analysis of 174 malicious software packages that were used in real-world attacks on open source software supply chains and which were distributed via the popular package repositories npm, PyPI, and RubyGems.
Abstract: A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. Even though many approaches for detection and discovery of vulnerable packages exist, no prior work has focused on malicious packages. This paper presents a dataset as well as analysis of 174 malicious software packages that were used in real-world attacks on open source software supply chains and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.
TL;DR: A first analysis of observable artifacts of malicious packages as well as a possible mitigation strategy that might lead to more insight in the long term are presented.
Abstract: Third-party dependencies may introduce security risks to the software supply chain and hence yield harm to their dependent software. There are many known cases of malicious open source packages posing risks to developers and end users. However, while efforts are made to detect vulnerable open source packages, malicious packages are not yet considered explicitly. In order to tackle this problem we perform an exploratory case study on previously occurred attacks on the software supply chain with respect to observable artifacts created. Based on gained insights, we propose Buildwatch, a framework for dynamic analysis of software and its third-party dependencies. We noticed that malicious packages introduce a significant amount of new artifacts during installation when compared to benign versions of the same package. The paper presents a first analysis of observable artifacts of malicious packages as well as a possible mitigation strategy that might lead to more insight in the long term.
TL;DR: This paper reports current research work on 3D integration based security in three major applications: supply chain attack prevention, side-channel attack mitigation, and trustworthy computing system design and summarizes its security opportunities and challenges.
Abstract: Physical limit of transistor miniaturization has driven chip design into the third dimension. 3D integration technology emerges as a viable option to improve chip performance and increase device density in a direction orthogonal to costly device scaling. As 3D integration is becoming a promising technology for next-generation chip design, recent years have seen a huge proliferation of research literature exploiting it from a security perspective. This paper presents a survey on the current state of 3D integration technology from a security perspective and summarizes its security opportunities and challenges. We report current research work on 3D integration based security in three major applications: supply chain attack prevention, side-channel attack mitigation, and trustworthy computing system design. The security advantages and opportunities of 3D integration in these security applications are highlighted. Besides, the paper discusses new vulnerabilities risen by 3D integration that require researchers’ attention. Based on the survey result, we summarize the distinct characteristics of 3D ICs and investigate their impacts on security-aware 3D IC designs.
TL;DR: A catalog of attack patterns is generated that provides a structure for maturing the supply chain risk management (SCRM) aspects of system security engineering (SSE), together with potential application approaches for assessing malicious insertion in critical components of DoD systems being acquired or sustained.
Abstract: During FY13, MITRE conducted an effort on behalf of the Office of the Assistant Secretary of Defense for Systems Engineering (DASD SE) to address supply chain attacks relevant to Department of Defense (DoD) acquisition program protection planning. The objectives of this work were to:
* Pull together a comprehensive set of data sources to provide a holistic view of supply chain attacks of malicious insertion that, to date, has not been available.
* Generate a catalog of attack patterns that provides a structure for maturing the supply chain risk management (SCRM) aspects of system security engineering (SSE), together with potential application approaches for assessing malicious insertion in critical components of DoD systems being acquired or sustained.
TL;DR: A novel supply chain cyber-attack surface diagram is provided to assist with enumeration of risks and to examine the complex issues surrounding the requirements for securing hardware, firmware, software, and system information throughout the entire supply chain lifecycle.