GGrantIndex
← Search

SaTC: CORE: Small: Trustworthy Dependency Management

$518,570FY2017CSENSF

Carnegie Mellon University, Pittsburgh PA

Investigators

Abstract

Software development increasingly relies on reusing platforms, libraries, and frameworks developed independently by third parties with little coordination, which provides significant value to participants through reuse. A security threat that has received relatively little attention is attacks through malicious package updates, which are particularly threatening in platforms with many frequently updating package dependencies, such as Node.js. The burden of reviewing all updates of all dependencies for security issues is too high for most developers. In this setting, automated solutions will reduce the attack surface, guide manual effort, and as a result, allow developers to trust packages and their updates with low enough effort to make it practical. This research will raise awareness of the problem and develop tools to significantly reduce risks and costs associated with dependency management. It will develop both heuristic and sound approaches to increase trust in package updates. It will focus on Javascript packages on the widely used package manager npm. Heuristic approaches will guide the attention of human reviewers toward suspicious updates. A permission model will establish trust of many, especially small and simple, packages. The work will significantly reduce the attack surface and restrict exploits through malicious package updates. The increased trust in package managers and corresponding lower risks and costs will  benefit not only professional developers, but also scientists, hobbyists, and end-user programmers that often have less experience with computer security and can be an easy target for attackers.

View original record on NSF Award Search →