An LLM-based Quantitative Framework for Evaluating High-Stealthy Backdoor Risks in OSS Supply Chains

TL;DR

This paper introduces a novel LLM-based framework for assessing high-stealthy backdoor risks in open-source software supply chains, addressing limitations of static analysis and improving security evaluations.

Contribution

It proposes a fine-grained, semantic evaluation framework using LLMs to detect stealthy backdoors and assess repository trustworthiness in OSS supply chains.

Findings

The framework effectively identifies backdoor risks in Debian packages.

Current OSS supply chains are vulnerable to various security threats.

LLMs enhance semantic analysis of code repositories for security assessment.

Abstract

In modern software development workflows, the open-source software supply chain contributes significantly to efficient and convenient engineering practices. With increasing system complexity, using open-source software as third-party dependencies has become a common practice. However, the lack of maintenance for underlying dependencies and insufficient community auditing create challenges in ensuring source code security and the legitimacy of repository maintainers, especially under high-stealthy backdoor attacks exemplified by the XZ-Util incident. To address these problems, we propose a fine-grained project evaluation framework for backdoor risk assessment in open-source software. The framework models stealthy backdoor attacks from the viewpoint of the attacker and defines targeted metrics for each attack stage. In addition, to overcome the limitations of static analysis in assessing the reliability of repository maintenance activities such as irregular committer privilege escalation and limited participation in reviews, the framework uses large language models (LLMs) to conduct semantic evaluation of code repositories without relying on manually crafted patterns. The framework is evaluated on sixty six high-priority packages in the Debian ecosystem. The experimental results indicate that the current open-source software supply chain is exposed to various security risks.