.d8888b. 888 888 d8888 8888888 888b 888 .d8888b.
d88P Y88b 888 888 d88888 888 8888b 888 d88P Y88b
888 888 888 888 d88P888 888 88888b 888 Y88b.
888 8888888888 d88P 888 888 888Y88b 888 "Y888b.
888 888 888 d88P 888 888 888 Y88b888 "Y88b.
888 888 888 888 d88P 888 888 888 Y88888 "888
Y88b d88P 888 888 d8888888888 888 888 Y8888 Y88b d88P
"Y8888P" 888 888 d88P 888 8888888 888 Y888 "Y8888P"
CHAINS is a research project at KTH Royal Institute of Technology, it is about hardening the software supply chain, incl. dependency engineering as well as reproducible, executable and verifiable builds and SBOMs. We primarily look at Maven, NPM, and the software supply chain of crypto. The project is funded by the Swedish Foundation for Strategic research (SSF). We are recruiting software engineers, postdocs, and interns, get in touch!
<dependency>
<groupId>com.martiansoftware</groupId>
<artifactId>jsap</artifactId>
<version>2.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.36</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
</dependency>
(chronological order)
- The Multibillion Dollar Software Supply Chain of Ethereum, IEEE Computer, 2022
- Diverse Double-Compiling to Harden Cryptocurrency Software, Master's thesis Niklas Rosencrantz, 2023
- Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js, Usenix Security 2023
- Challenges of Producing Software Bill Of Materials for Java, IEEE Security & Privacy, 2023
- GitBark: A Rule-Based Framework for Maintaining Integrity in Source Code Repositories, Master's thesis Elias Bonnici, 2023
- Highly Available Blockchain Nodes With N-Version Design, IEEE Transactions on Dependable and Secure Computing, 2024
- BUMP: A Benchmark of Reproducible Breaking Dependency Updates, Proceedings of IEEE SANER, 2024
- Mitigating CI/CD threats through an extended access control model, Master's thesis Arvid Siberov, 2024
- Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis. Proceedings of WWW, 2024.
- GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes. Usenix Security 2024.
- Java-Class-Hijack: Software Supply Chain Attack for Java based on Maven Dependency Resolution and Java Classloading. arXiv 2024.
- SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java, arXiv 2024.
- Breaking-Good: Explaining Breaking Dependency Updates with Build Analysis, Proceedings of IEEE SCAM, 2024
- GoSurf: Identifying Software Supply Chain Attack Vectors in Go, Proceedings of ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED'24)
- Measuring the Vulnerability Lifecycle in the Software Supply Chain via SBOM Scans, Master's thesis Felix Qvarfordt, 2024
- The Embedding and Retrieval of Software Supply Chain Information in Java Applications, Master's thesis Daniel Williams, 2024
- From Blueprint to Reality: Evaluating the Feasibility of Air-gapped Maven Builds, Master's thesis Oliver Schwalbe Lehtihet, 2024
- Geth Rebuild: Strengthening Ethereum Client Integrity through Reproducible Builds, Master's thesis Vivi Andersson, 2024
- Investigation of the Software Supply Chain of JavaScript Cryptocurrency Wallets, Master's thesis Raphina Yi Liu, 2024
- Automatic Program Repair For Breaking Dependency Updates With Large Language Models, Master's thesis Federico Bonno, 2024
- Dirty-Waters: Detecting Software Supply Chain Smells, arXiv 2024.
- Code-Reuse Attacks in Managed Programming Languages and Runtimes, PhD Thesis Mikhail Shcherbakov, 2024
Posts:
- CHAINS contributions to open-source
- Dependency Resolution in Different Ecosystems
- The CHAINS software supply chain recommendations
- An overview of Reproducible Builds Summit 2023
- Software supply chain art
- Software supply chain attacks on crypto infrastructure
- NIX and the supply chain, debrief of NixCon 2022
- SBOMs for your GitHub Releases
- Principal Investigators: Musard Balliu, Benoit Baudry, Mathias Ekstedt, Martin Monperrus
- PhD students: Sofia Bobadilla, Eric Cornelissen, Javier Ron, Aman Sharma, Mikhail Shcherbakov, Yuxin Liu, Frank Reyes, Yekatierina Churakova, Carmine Cesarano (visiting), Yogya Gamage, Vivi Andersson
- Research engineers & assistants: Raphina Liu, Elias Lundell, Monica Jin, Diogo Torres Correia, Tom Sorger
- Master's students: Christofer Vikström, Leonard Husmann
Chains alumni: Arvid Siberov, Linus Östlund, Gabriel Skoglund, César Soto-Valero, Martin Wittlinger, Felix Qvarfordt, Daniel Williams, Oliver Schwalbe Lehtihet, Federico Bono
- May 23 2024: Chains talk at Dataföreningen
- April 26 2024: 3rd KTH Workshop on the Software Supply Chain
- Nov 26 2023: The Chains SBOM orchestra at SCORED, Chains Team, SCORED 2023, Copenhagen
- October 2023: A Runtime Integrity Tool for Java Dependencies (Aman Sharma et al.). Poster at SecDev 2023
- August 18 2023: The Software Supply Chain and its Security Implications. Benoit Baudry at CTF Midnight sun
- June 5 2023: Keynote "The Software Supply Chain". Benoit Baudry at the French Conference for Software Research. Speaker: Benoit Baudry
- May 25 2023: The Security Implications of the Software Supply Chain. Keynote at the CDIS Spring Conference. Speaker: Benoit Baudry
- Apr 21 2023: 2nd Workshop on the Software Supply Chain @ KTH. Keynote Speakers: Christian Collberg, Stefano Zacchiroli
- Apr 18 2023: Highly Available Blockchain Nodes With N-Version Design. Speaker: Javier Ron
- Mar 31 2023: Verifiable source-only bootstrap from scratch. Speaker: an
- Mar 08 2023: SBOM for Alpine Linux. Speaker: Hans Thorsen Lamm.
- Jan 19 2023: Talk: The software supply chain of crypto Decentralization meetup Stockholm, Speaker: Martin Monperrus
- Dec 08 2022: Software bloat in PyPI. Speaker: Georgios Drosos (Athens University of Economics and Business)
- Nov 15 2022: Building Robust Software Supply Chains at STEW'22. Speaker: Benoit Baudry
- Sep 30 2022: 1st Workshop on the Software Supply Chain @ KTH
- Sep 20 2022: Open-source security analysis @SAP. Speakers: Henrik Plate (SAP), Serena Elisa Ponta (SAP)
- Jun 14 2022: Building Robust Software Supply Chains at XP'22. Speaker: Benoit Baudry
- June 12 2024: Framtidens Forskning (In Swedish)
- June 17 2022: Framtidens Forskning (In Swedish)