Open-source software supply chain attacks aim at infecting downstream users by poisoning open-source packages. The common way of consuming such artifacts is through package repositories and the development of vetting strategies to detect such attacks is ongoing research. Despite its popularity, the Java ecosystem is the less explored one in the context of supply chain attacks. In this paper we present indicators of malicious behavior that can be observed statically through the analysis of Java bytecode. Then we evaluate how such indicators and their combinations perform when detecting malicious code injections. We do so by injecting three malicious payloads taken from real-world examples into the Top-10 most popular Java libraries from libraries.io. We found that the analysis of strings in the constant pool and of sensitive APIs in the bytecode instructions aid in the task of detecting malicious Java packages by significantly reducing the information, thus, making also manual triage possible.
翻译:公开源码供应链攻击的目的是通过毒害开放源码软件包来影响下游用户。消费此类文物的常用方法是通过包存库和制定甄别战略来检测此类攻击,这种研究正在进行中。尽管爪哇生态系统受到欢迎,但在供应链攻击方面,其探索度较低。在本文中,我们介绍了通过分析爪哇字码可以静态观察的恶意行为指标。然后我们评估了在发现恶意代码注射时,此类指标及其组合是如何发挥作用的。我们这样做的方法是将三个从真实世界实例中提取的恶意有效载荷注入图书馆最受欢迎的10大爪哇图书馆。io。我们发现,对常数库中的字符串和小代码指令中的敏感动因的分析有助于通过大量减少信息来探测恶意爪哇软件包,从而也有可能人工进行三角。