The CHAINS research project on software supply chains @ KTH

 .d8888b.  888    888        d8888 8888888 888b    888  .d8888b.  
d88P  Y88b 888    888       d88888   888   8888b   888 d88P  Y88b 
888    888 888    888      d88P888   888   88888b  888 Y88b.      
888        8888888888     d88P 888   888   888Y88b 888  "Y888b.   
888        888    888    d88P  888   888   888 Y88b888     "Y88b. 
888    888 888    888   d88P   888   888   888  Y88888       "888 
Y88b  d88P 888    888  d8888888888   888   888   Y8888 Y88b  d88P 
 "Y8888P"  888    888 d88P     888 8888888 888    Y888  "Y8888P"  

CHAINS is a research project at KTH Royal Institute of Technology, it is about hardening the software supply chain, incl. dependency engineering as well as reproducible, executable and verifiable builds and SBOMs. We primarily look at Maven, NPM, and the software supply chain of crypto. The project is funded by the Swedish Foundation for Strategic research (SSF). We are recruiting software engineers, postdocs, and interns, get in touch!

    <dependency>
      <groupId>com.martiansoftware</groupId>
      <artifactId>jsap</artifactId>
      <version>2.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.11.0</version>
    </dependency>

Papers & Theses

(chronological order)

• The Multibillion Dollar Software Supply Chain of Ethereum, IEEE Computer, 2022
• Diverse Double-Compiling to Harden Cryptocurrency Software, Master’s thesis Niklas Rosencrantz, 2023
• Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js, Usenix Security 2023
• Challenges of Producing Software Bill Of Materials for Java, IEEE Security & Privacy, 2023
• GitBark: A Rule-Based Framework for Maintaining Integrity in Source Code Repositories, Master’s thesis Elias Bonnici, 2023
• Highly Available Blockchain Nodes With N-Version Design, IEEE Transactions on Dependable and Secure Computing, 2024
• BUMP: A Benchmark of Reproducible Breaking Dependency Updates, Proceedings of IEEE SANER, 2024
• Mitigating CI/CD threats through an extended access control model, Master’s thesis Arvid Siberov, 2024
• Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis. Proceedings of WWW, 2024.
• GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes. Usenix Security 2024.
• Java-Class-Hijack: Software Supply Chain Attack for Java based on Maven Dependency Resolution and Java Classloading. arXiv 2024.
• SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java, arXiv 2024.
• Breaking-Good: Explaining Breaking Dependency Updates with Build Analysis, Proceedings of IEEE SCAM, 2024
• GoSurf: Identifying Software Supply Chain Attack Vectors in Go, Proceedings of ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED’24)
• Measuring the Vulnerability Lifecycle in the Software Supply Chain via SBOM Scans, Master’s thesis Felix Qvarfordt, 2024
• The Embedding and Retrieval of Software Supply Chain Information in Java Applications, Master’s thesis Daniel Williams, 2024
• From Blueprint to Reality: Evaluating the Feasibility of Air-gapped Maven Builds, Master’s thesis Oliver Schwalbe Lehtihet, 2024
• Geth Rebuild: Strengthening Ethereum Client Integrity through Reproducible Builds, Master’s thesis Vivi Andersson, 2024
• Investigation of the Software Supply Chain of JavaScript Cryptocurrency Wallets, Master’s thesis Raphina Yi Liu, 2024
• Automatic Program Repair For Breaking Dependency Updates With Large Language Models, Master’s thesis Federico Bonno, 2024
• Dirty-Waters: Detecting Software Supply Chain Smells, arXiv 2024.
• Code-Reuse Attacks in Managed Programming Languages and Runtimes, PhD Thesis Mikhail Shcherbakov, 2024

Posts:

• CHAINS contributions to open-source
• Dependency Resolution in Different Ecosystems
• The CHAINS software supply chain recommendations
• An overview of Reproducible Builds Summit 2023
• Software supply chain art
• Software supply chain attacks on crypto infrastructure
• NIX and the supply chain, debrief of NixCon 2022
• SBOMs for your GitHub Releases

Team

• Principal Investigators: Musard Balliu, Benoit Baudry, Mathias Ekstedt, Martin Monperrus
• PhD students: Sofia Bobadilla, Eric Cornelissen, Javier Ron, Aman Sharma, Mikhail Shcherbakov, Yuxin Liu, Frank Reyes, Yekatierina Churakova, Carmine Cesarano (visiting), Yogya Gamage, Vivi Andersson, Serena Cofano (visiting)
• Research engineers & assistants: Raphina Liu, Elias Lundell, Monica Jin, Diogo Torres Correia, Tom Sorger
• Master’s students: Christofer Vikström, Leonard Husmann

Chains alumni: Arvid Siberov, Linus Östlund, Gabriel Skoglund, César Soto-Valero, Martin Wittlinger, Felix Qvarfordt, Daniel Williams, Oliver Schwalbe Lehtihet, Federico Bono

Events & Talks

• May 23 2024: Chains talk at Dataföreningen
• April 26 2024: 3rd KTH Workshop on the Software Supply Chain
• Nov 26 2023: The Chains SBOM orchestra at SCORED, Chains Team, SCORED 2023, Copenhagen
• October 2023: A Runtime Integrity Tool for Java Dependencies (Aman Sharma et al.). Poster at SecDev 2023
• August 18 2023: The Software Supply Chain and its Security Implications. Benoit Baudry at CTF Midnight sun
• June 5 2023: Keynote “The Software Supply Chain”. Benoit Baudry at the French Conference for Software Research. Speaker: Benoit Baudry
• May 25 2023: The Security Implications of the Software Supply Chain. Keynote at the CDIS Spring Conference. Speaker: Benoit Baudry
• Apr 21 2023: 2nd Workshop on the Software Supply Chain @ KTH. Keynote Speakers: Christian Collberg, Stefano Zacchiroli
• Apr 18 2023: Highly Available Blockchain Nodes With N-Version Design. Speaker: Javier Ron
• Mar 31 2023: Verifiable source-only bootstrap from scratch. Speaker: an
• Mar 08 2023: SBOM for Alpine Linux. Speaker: Hans Thorsen Lamm.
• Jan 19 2023: Talk: The software supply chain of crypto Decentralization meetup Stockholm, Speaker: Martin Monperrus
• Dec 08 2022: Software bloat in PyPI. Speaker: Georgios Drosos (Athens University of Economics and Business)
• Nov 15 2022: Building Robust Software Supply Chains at STEW’22. Speaker: Benoit Baudry
• Sep 30 2022: 1st Workshop on the Software Supply Chain @ KTH
• Sep 20 2022: Open-source security analysis @SAP. Speakers: Henrik Plate (SAP), Serena Elisa Ponta (SAP)
• Jun 14 2022: Building Robust Software Supply Chains at XP’22. Speaker: Benoit Baudry

Press

• June 12 2024: Framtidens Forskning (In Swedish)
• June 17 2022: Framtidens Forskning (In Swedish)

Repositories

See https://github.com/chains-project/

Master / Internship topics

• CHAINS master’s thesis topics
• https://www.kth.se/profile/musard/page/master-thesis-in-security-and-privacy?l=en
• https://softwarediversity.eu/topics/
• https://www.monperrus.net/martin/topics.

This site is open source. Improve this page.