Automatic Diversity in the Software Supply Chain
Nicolas Harrand, Thomas Durieux, David Broman, and Benoit Baudry

TL;DR
This paper introduces the Library Substitution Framework, an approach to diversifying software supply chains: a library is swapped for functionally similar alternatives across a population of application variants, so that malicious code injected into one library compromises only the variants that depend on it rather than every instance of the application.
Contribution
It proposes a new framework for library substitution to enhance supply chain security and demonstrates its feasibility through a proof-of-concept implementation for JSON libraries.
Findings
Substituted libraries in 195 out of 368 Java applications without code modification.
Provided at least 15 alternative JSON libraries for the tested applications.
Demonstrated the potential to diversify supply chains and mitigate attack risks.
Abstract
Despite its obvious benefits, the increased adoption of package managers to automate the reuse of libraries has opened the door to a new class of hazards: supply chain attacks. By injecting malicious code in one library, an attacker may compromise all instances of all applications that depend on the library. To mitigate the impact of supply chain attacks, we propose the concept of Library Substitution Framework. This novel concept leverages one key observation: when an application depends on a library, it is very likely that there exist other libraries that provide similar features. The key objective of Library Substitution Framework is to enable the developers of an application to harness this diversity of libraries in their supply chain. The framework lets them generate a population of application variants, each depending on a different alternative library that provides similar…
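The abstract describes the framework at the level of concept. The Python sketch below is an added illustration, not code from the paper or its proof of concept, of the two pieces such a framework needs: a substitution point through which the application reaches a JSON parser, and a check that the alternative libraries really behave alike on the application's inputs. It assumes a facade/adapter design (the page does not describe the paper's mechanism), two backends named `stdlib-json` and `mini-json` (the second is a constructed, deliberately imperfect parser standing in for an alternative library), and constructed sample inputs.

```python
import json

def _stdlib_parse(text):  # backend 1: the standard-library json module
    return json.loads(text)

# Backend 2: a constructed minimal JSON parser standing in for a second,
# independently written library. Two deliberate behavioural gaps: strings get
# no escape handling, and a trailing comma before "}" or "]" is tolerated.
def _mini_parse(text):
    pos = 0
    def peek():  # skip whitespace, return the current character
        nonlocal pos
        while pos < len(text) and text[pos] in " \t\r\n":
            pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of input")
        return text[pos]
    def string():
        nonlocal pos
        if peek() != '"':
            raise ValueError(f"expected string at {pos}")
        end = text.find('"', pos + 1)  # first quote ends it: no escapes
        if end < 0:
            raise ValueError("unterminated string")
        s, pos = text[pos + 1:end], end + 1
        return s
    def items(close, item):  # shared loop for objects and arrays
        nonlocal pos
        while peek() != close:
            item()
            if peek() == ",":
                pos += 1  # a comma directly before `close` is tolerated
            elif peek() != close:
                raise ValueError(f"expected ',' or {close!r} at {pos}")
        pos += 1
    def member(obj):
        nonlocal pos
        key = string()
        if peek() != ":":
            raise ValueError(f"expected ':' at {pos}")
        pos += 1
        obj[key] = value()
    def value():
        nonlocal pos
        c = peek()
        if c == "{":
            pos, obj = pos + 1, {}
            items("}", lambda: member(obj))
            return obj
        if c == "[":
            pos, arr = pos + 1, []
            items("]", lambda: arr.append(value()))
            return arr
        if c == '"':
            return string()
        for lit, val in (("true", True), ("false", False), ("null", None)):
            if text.startswith(lit, pos):
                pos += len(lit)
                return val
        start = pos
        while pos < len(text) and text[pos] in "+-.eE0123456789":
            pos += 1
        if start == pos:
            raise ValueError(f"unexpected character {c!r} at {start}")
        num = text[start:pos]
        return float(num) if any(ch in num for ch in ".eE") else int(num)
    result = value()
    if text[pos:].strip():
        raise ValueError("trailing data")
    return result
# The substitution point: one entry per alternative library (names assumed).
BACKENDS = {"stdlib-json": _stdlib_parse, "mini-json": _mini_parse}
class JsonFacade:
    """The only JSON API the application sees; one variant = one backend."""
    def __init__(self, backend):
        self.backend, self._parse = backend, BACKENDS[backend]
    def parse(self, text):
        return self._parse(text)
def differential_check(inputs):
    """Inputs on which backends disagree: differing value, or accept vs reject."""
    disagreements = {}
    for text in inputs:
        outcomes = {}
        for name, parse in BACKENDS.items():
            try:
                outcomes[name] = ("ok", parse(text))
            except Exception as exc:  # error types are not compared, only reject
                outcomes[name] = ("error", type(exc).__name__)
        keys = {("ok", repr(v)) if s == "ok" else ("error",) for s, v in outcomes.values()}
        if len(keys) > 1:
            disagreements[text] = outcomes
    return disagreements
# Constructed sample inputs, not data from the paper.
SAMPLE_INPUTS = [
    '{"user": "alice", "roles": ["admin", "dev"], "active": true}',
    '[1, 2.5, -3, 1e3, null, false]',
    '"escaped \\"quote\\""',  # valid JSON that only the stdlib backend parses
    '{"a": 1,}',              # invalid JSON that only the mini backend accepts
]
```

Building a variant is then a matter of choosing a backend name for `JsonFacade`; nothing else in the application changes. `differential_check(SAMPLE_INPUTS)` returns exactly the two inputs on which the backends diverge: one valid document the mini backend rejects and one invalid document it accepts. That is the check worth running before a variant switches libraries: "similar features" is a statement about the API, not about which inputs are accepted, and variants that accept different inputs behave differently on the same request.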
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Engineering Research · Security and Verification in Computing
