Detecting Suspicious Package Updates (ICSE 2019 - New Ideas and Emerging Results) - International Conference on Software Engineering 2019 in Montreal, Canada

Who

Kalil Garrett, Gabriel Ferreira, Limin Jia, Joshua Sunshine, Christian Kästner

Track

ICSE 2019 New Ideas and Emerging Results

Time Zone

The program is currently displayed in (GMT-04:00) Eastern Time (US & Canada).

Use conference time zone: (GMT-04:00) Eastern Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 29 May 2019 14:40 - 14:50 at Duluth - Security 2 Chair(s): Arie van Deursen

Abstract

With an increased level of automation provided bypackage managers, which sometimes allow updates to be installedautomatically, malicious package updates are becoming a realthreat in software ecosystems. To address this issue, we proposean approach based on anomaly detection, to identify suspiciousupdates based on security-relevant features that attackers coulduse in an attack. We evaluate our approach in the contextof Node.js/npm ecosystem, to show its feasibility in terms ofreduced review effort and the correct identification of a confirmedmalicious update attack. Although we do not expect it to bea complete solution in isolation, we believe it is an importantsecurity building block for software ecosystems.

Link to Preprint

http://www.cs.cmu.edu/~gferreir/pre-prints/icse2019-detecting-suspicious-package-updates.pdf

Kalil Garrett

Georgia State University

Gabriel Ferreira

Carnegie Mellon University

Limin Jia

Carnegie Mellon University

United States

Joshua Sunshine

Carnegie Mellon University

Christian Kästner

Carnegie Mellon University

United States

Time Zone

The program is currently displayed in (GMT-04:00) Eastern Time (US & Canada).

Use conference time zone: (GMT-04:00) Eastern Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Wed 29 May
Displayed time zone: Eastern Time (US & Canada) change

14:00 - 15:30	Security 2Demonstrations / Technical Track / Papers / Journal-First Papers / New Ideas and Emerging Results at Duluth Chair(s): Arie van Deursen Delft University of Technology

14:00 20m Talk		The Seven Sins: Security Smells in Infrastructure as Code ScriptsTechnical TrackIndustry Program Technical Track Akond Rahman North Carolina State University, Chris Parnin NCSU, Laurie Williams North Carolina State University Pre-print
14:20 20m Talk		DifFuzz: Differential Fuzzing for Side-Channel AnalysisTechnical Track Technical Track Shirin Nilizadeh University of Texas at Arlington, Yannic Noller Humboldt-Universität zu Berlin, Corina S. Pasareanu Carnegie Mellon University Silicon Valley, NASA Ames Research Center Pre-print
14:40 10m Talk		Detecting Suspicious Package UpdatesIndustry ProgramNIER New Ideas and Emerging Results Kalil Garrett Georgia State University, Gabriel Ferreira Carnegie Mellon University, Limin Jia Carnegie Mellon University, Joshua Sunshine Carnegie Mellon University, Christian Kästner Carnegie Mellon University Pre-print
14:50 20m Talk		EASYFLOW: Keep Ethereum Away From OverflowDemos Demonstrations Jianbo Gao Peking University, Han Liu Tsinghua University, Chao Liu , Qingshan Li Peking University, Zhi Guan Peking University, Zhong Chen Pre-print Media Attached
15:10 10m Talk		Automatic feature learning for predicting vulnerable software componentsIndustry ProgramJournal-First Journal-First Papers Hoa Khanh Dam University of Wollongong, Truyen Tran , Trang Pham Deakin University, Shien Wee Ng University of Wollongong, John Grundy Monash University, Aditya Ghose Link to publication DOI Pre-print
15:20 10m Talk		Discussion Period Papers