Preserving Privacy in Software Composition Analysis: A Study of Technical Solutions and Enhancements

TL;DR

This paper investigates privacy-preserving techniques for software composition analysis (SCA), highlighting the potential of multi-party computation (MPC) and proposing optimizations to reduce its high computational overhead.

Contribution

It provides a comprehensive privacy requirements analysis for SCA, explores various technical solutions, and optimizes MPC-based SCA to significantly reduce overhead while maintaining privacy and accuracy.

Findings

MPC offers the strongest privacy guarantee for SCA.

Optimizations reduce MPC overhead from 184x to 8.5%.

Privacy-preserving SCA enables secure analysis without exposing sensitive code.

Abstract

Software composition analysis (SCA) denotes the process of identifying open-source software components in an input software application. SCA has been extensively developed and adopted by academia and industry. However, we notice that the modern SCA techniques in industry scenarios still need to be improved due to privacy concerns. Overall, SCA requires the users to upload their applications' source code to a remote SCA server, which then inspects the applications and reports the component usage to users. This process is privacy-sensitive since the applications may contain sensitive information, such as proprietary source code, algorithms, trade secrets, and user data. Privacy concerns have prevented the SCA technology from being used in real-world scenarios. Therefore, academia and the industry demand privacy-preserving SCA solutions. For the first time, we analyze the privacy requirements of SCA and provide a landscape depicting possible technical solutions with varying privacy gains and overheads. In particular, given that de facto SCA frameworks are primarily driven by code similarity-based techniques, we explore combining several privacy-preserving protocols to encapsulate the similarity-based SCA framework. Among all viable solutions, we find that multi-party computation (MPC) offers the strongest privacy guarantee and plausible accuracy; it, however, incurs high overhead (184 times). We optimize the MPC-based SCA framework by reducing the amount of crypto protocol transactions using program analysis techniques. The evaluation results show that our proposed optimizations can reduce the MPC-based SCA overhead to only 8.5% without sacrificing SCA's privacy guarantee or accuracy.