CHAINS research project at KTH Royal Institute of Technology

 .d8888b.  888    888        d8888 8888888 888b    888  .d8888b.  
d88P  Y88b 888    888       d88888   888   8888b   888 d88P  Y88b 
888    888 888    888      d88P888   888   88888b  888 Y88b.      
888        8888888888     d88P 888   888   888Y88b 888  "Y888b.   
888        888    888    d88P  888   888   888 Y88b888     "Y88b. 
888    888 888    888   d88P   888   888   888  Y88888       "888 
Y88b  d88P 888    888  d8888888888   888   888   Y8888 Y88b  d88P 
 "Y8888P"  888    888 d88P     888 8888888 888    Y888  "Y8888P"  

CHAINS is a research project at KTH Royal Institute of Technology, it is about hardening the software supply chain, incl. dependency engineering as well as reproducible, executable and verifiable builds and SBOMs. We primarily look at Maven, NPM, and the software supply chain of crypto. The project is funded by the Swedish Foundation for Strategic research (SSF).

To get notified about project news, subscribe to the Chains mailing list.

    <dependency>
      <groupId>com.martiansoftware</groupId>
      <artifactId>jsap</artifactId>
      <version>2.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.11.0</version>
    </dependency>

Papers & Theses

(reverse chronological order, newest first)

2025
- Implementing SBOM Attestations in an Enterprise Context, Master’s thesis Christofer Vikström, 2025
- Software Bills of Materials in Maven Central, Proceedings of MSR 2025.
- On-Chain Analysis of Smart Contract Dependency Risks on Ethereum, Technical report 2503.19548, arXiv, 2025.
- Vexed by VEX tools: Consistency evaluation of container vulnerability scanners, Technical report 2503.14388, arXiv, 2025.
2024
- Code-Reuse Attacks in Managed Programming Languages and Runtimes, PhD Thesis Mikhail Shcherbakov, 2024
- Dirty-Waters: Detecting Software Supply Chain Smells, arXiv 2024.
- Automatic Program Repair For Breaking Dependency Updates With Large Language Models, Master’s thesis Federico Bonno, 2024
- Investigation of the Software Supply Chain of JavaScript Cryptocurrency Wallets, Master’s thesis Raphina Yi Liu, 2024
- Geth Rebuild: Strengthening Ethereum Client Integrity through Reproducible Builds, Master’s thesis Vivi Andersson, 2024
- From Blueprint to Reality: Evaluating the Feasibility of Air-gapped Maven Builds, Master’s thesis Oliver Schwalbe Lehtihet, 2024
- The Embedding and Retrieval of Software Supply Chain Information in Java Applications, Master’s thesis Daniel Williams, 2024
- Measuring the Vulnerability Lifecycle in the Software Supply Chain via SBOM Scans, Master’s thesis Felix Qvarfordt, 2024
- GoSurf: Identifying Software Supply Chain Attack Vectors in Go, Proceedings of ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED’24)
- Breaking-Good: Explaining Breaking Dependency Updates with Build Analysis, Proceedings of IEEE SCAM, 2024
- SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java, arXiv 2024.
- Java-Class-Hijack: Software Supply Chain Attack for Java based on Maven Dependency Resolution and Java Classloading. arXiv 2024.
- GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes. Usenix Security 2024.
- Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis. Proceedings of WWW, 2024.
- Mitigating CI/CD threats through an extended access control model, Master’s thesis Arvid Siberov, 2024
- BUMP: A Benchmark of Reproducible Breaking Dependency Updates, Proceedings of IEEE SANER, 2024
- Highly Available Blockchain Nodes With N-Version Design, IEEE Transactions on Dependable and Secure Computing, 2024
2023
- GitBark: A Rule-Based Framework for Maintaining Integrity in Source Code Repositories, Master’s thesis Elias Bonnici, 2023
- Challenges of Producing Software Bill Of Materials for Java, IEEE Security & Privacy,
- Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js, Usenix Security 2023
- Diverse Double-Compiling to Harden Cryptocurrency Software, Master’s thesis Niklas Rosencrantz, 2023
2022
- The Multibillion Dollar Software Supply Chain of Ethereum, IEEE Computer, 2022

Repositories

See https://github.com/chains-project/

Posts

Team

Principal Investigators: Musard Balliu, Benoit Baudry, Mathias Ekstedt, Martin Monperrus
Post-doctoral researchers: Deepika Tiwari, Mohammad M. Ahmadpanah
PhD students: Sofia Bobadilla, Eric Cornelissen, Javier Ron, Aman Sharma, Yuxin Liu, Frank Reyes, Yekatierina Churakova, Carmine Cesarano (visiting), Yogya Gamage, Vivi Andersson, Serena Cofano (visiting)
Research engineers & assistants: Raphina Liu, Elias Lundell, Monica Jin, Diogo Torres Correia
Master’s students: Leonard Husmann, Tom Sorger, Ludvig Christensen, Christian Stjernberg

Chains alumni: Arvid Siberov, Linus Östlund, Gabriel Skoglund, César Soto-Valero, Martin Wittlinger, Felix Qvarfordt, Daniel Williams, Oliver Schwalbe Lehtihet, Federico Bono, Elias Bonnici, Christofer Vikström, Mikhail Shcherbakov

Events & Talks

April 25 2025: 4th KTH Workshop on the Software Supply Chain
April 27 2025: Talk: “Software supply chain attacks and defenses for Web3”, Martin Monperrus, University of Zurich
Jan 30 2025 Consistent Hardening and Analysis of Software Supply Chains, Talk at Umeå University, Martin Monperrus
Jan 8 2025, OSS Remediation Ops: From Project-Centric Strategies to Ecosystem-wide Analysis, Lyuye Zhang, Nanyang Technological University, Singapore
Oct 18 2024 GoSurf: Identifying Software Supply Chain Attack Vectors in Go, Talk at SCORED, Carmine Cesarano and Vivi Andersson
May 23 2024: Chains talk at Dataföreningen
April 26 2024: 3rd KTH Workshop on the Software Supply Chain
Nov 26 2023: The Chains SBOM orchestra at SCORED, Chains Team, SCORED 2023, Copenhagen
October 2023: A Runtime Integrity Tool for Java Dependencies (Aman Sharma et al.). Poster at SecDev 2023
August 18 2023: The Software Supply Chain and its Security Implications. Benoit Baudry at CTF Midnight sun
June 5 2023: Keynote “The Software Supply Chain”. Benoit Baudry at the French Conference for Software Research. Speaker: Benoit Baudry
May 25 2023: The Security Implications of the Software Supply Chain. Keynote at the CDIS Spring Conference. Speaker: Benoit Baudry
Apr 21 2023: 2nd Workshop on the Software Supply Chain @ KTH. Keynote Speakers: Christian Collberg, Stefano Zacchiroli
Apr 18 2023: Highly Available Blockchain Nodes With N-Version Design. Speaker: Javier Ron
Mar 31 2023: Verifiable source-only bootstrap from scratch. Speaker: an
Mar 08 2023: SBOM for Alpine Linux. Speaker: Hans Thorsen Lamm.
Jan 19 2023: Talk: The software supply chain of crypto Decentralization meetup Stockholm, Speaker: Martin Monperrus
Dec 08 2022: Software bloat in PyPI. Speaker: Georgios Drosos (Athens University of Economics and Business)
Nov 15 2022: Building Robust Software Supply Chains at STEW’22. Speaker: Benoit Baudry
Sep 30 2022: 1st Workshop on the Software Supply Chain @ KTH
Sep 20 2022: Open-source security analysis @SAP. Speakers: Henrik Plate (SAP), Serena Elisa Ponta (SAP)
Jun 14 2022: Building Robust Software Supply Chains at XP’22. Speaker: Benoit Baudry

Press

Bygger mer robusta programvarukedjorn , in Framtidens Forskning (June 12 2024, In Swedish)
Försörjningskedjan för programvaror avgörande för säkerheten, in Framtidens Forskning (June 17 2022, In Swedish)

Master / Internship topics

This site is open source. Improve this page.