Modern software incorporates thousands of third-party components. Bugs or security vulnerabilities in these components can seriously compromise the integrity of the applications that incorporate them. Because of their widespread use, and the difficulty of vetting the enormous number of integrated components for vulnerabilities, these components are a compelling target for attackers, who purposefully insert vulnerabilities into widely used components with the goal of compromising the integrity of entire software ecosystems.
I will present a series of systems that leverage component boundaries to offer automated solutions to vulnerabilities that appear in the software supply chain: BreakApp implements system-level containment techniques that prevent an attack from escaping its component; Iris leverages language-based protection to offer high-performance enforcement of fine-grained security policies; Mir introduces a constrained privilege model and a hybrid analysis to deliver additional automation; and Harp uses active learning to infer and regenerate domain-specific components that are guaranteed to be free of inserted software vulnerabilities. Individually, these systems focus on transparent protection against classes of threats. Combined, they provide a holistic and in-depth transformation-based approach to securing software ecosystems.
Nikos Vasilakis is a Research Scientist at MIT CSAIL. His research encompasses software systems and security, and has been recognized by several best paper, best presentation, and best demo awards. His current focus is on automatically enhancing software systems with new capabilities such as parallelism, distribution, and security against a variety of threat models. Nikos is also a Co-Founder and Chief Technology Officer at RequireSecurity, a startup transitioning his software supply-chain research to industry; and a member of the Technical Steering Committee behind PaSh, a shell-script parallelization project hosted by the Linux Foundation. More info at https://nikos.vasilak.is