Open-Source Software Supply Chain Attacks
Open-Source Software Supply Chain attacks are characterized by the injection of malicious code into the dependencies of a piece of software, in order to compromise the suppliers of a software component through the open-source components they rely on.
The steep increase of such attacks has led us to inspect this problem in depth, so as to understand and model the attackers' strategies.
The goal of our study is to establish a common terminology for the Open-Source Software Supply Chain attacks domain, as well as a single source of information for both references and categorized examples.
Thus, our model aims to document and understand the common tactics, techniques and procedures (TTPs) pursued by attackers in the Open-Source Software Supply Chain domain.
The scenario of interest consists of the typical Software Development Lifecycle (SDLC).
An attack tree models an attack scenario as a tree.
The root of the attack tree depicts the attacker's goal.
The children of a node are specialisations of the parent node's goal into alternative techniques to achieve it.
OSS Supply Chain Attacks Tree
In order to describe the common TTPs adopted by attackers to conduct an Open-Source Software Supply Chain attack, we leverage the expressiveness of attack trees.
At the root you will find the main goal of conducting an Open-Source Software Supply Chain attack. Such attacks may happen at every stage of the Software Development Lifecycle (SDLC). Therefore, the child nodes aim to capture this concept and describe specific tactics to achieve the parent-node’s goal.
The creation of the taxonomy has been guided by real-world examples.
Interact with the OSS Supply Chain Attacks Tree
We made our OSS Supply Chain Attacks Tree interactive, so you can decide what to inspect further. It is possible to expand the nodes to explore their specialisations. If you are unsure about the meaning of a node, you can inspect its information to get a clearer view: we have characterized each node with a description, impact, references, real-world examples and the possible safeguards mapped to it.
Single-Click on a node to expand it
Double-Click on a node to display its info
OSS Supply Chain Attacks Tree lives in Technicolor
You may notice that some nodes have a different color than the default blue ones. In fact, some attack strategies occur in the same way, but in different contexts. Hence, we have grouped such recurring patterns using a distinct color.
Red nodes are related to the compromise of a user account.
Green nodes are related to the compromise of a system.
Yellow nodes are related to social engineering attacks through which the attacker actually becomes a maintainer.
Dashed-Stroke Blue nodes
Dashed-Stroke Blue nodes represent a recursion to the root node: the whole tree applies again from that point.
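The tree structure described above (a root goal whose children are alternative techniques, each node carrying a description, impact, references, examples and safeguards) and the dashed recursion to the root can be captured in a few lines of code. The following Python is an added example, not code from the project or its interactive tree: the node names, safeguards and the tree itself are constructed for illustration and reuse only the concepts named on this page. It shows the one subtlety a recursive node introduces: enumerating root-to-leaf attack paths must bound how many times the root is re-entered, otherwise the walk never terminates.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Node:
    """One node of the attack tree: its info panel plus its children (alternatives)."""
    name: str
    description: str = ""
    impact: str = ""
    references: List[str] = field(default_factory=list)
    examples: List[str] = field(default_factory=list)
    safeguards: List[str] = field(default_factory=list)
    group: str = "blue"            # blue (default), red (account), green (system), yellow (social engineering)
    recurse_to_root: bool = False  # dashed-stroke blue node: the whole tree applies again here
    children: List["Node"] = field(default_factory=list)


# Constructed illustrative tree (NOT the project's real tree). Names reuse only the
# concepts this page describes; safeguards are generic defensive controls.
TREE = Node(
    "Conduct an Open-Source Software Supply Chain attack",
    description="Attacker's goal: inject malicious code into a dependency of the target software.",
    children=[
        Node(
            "Inject malicious code into a dependency",
            impact="Downstream consumers execute attacker-controlled code.",
            safeguards=["Pin dependencies and verify integrity before install"],
            children=[
                Node("Compromise a user account", group="red",
                     safeguards=["Multi-factor authentication on maintainer accounts"]),
                Node("Become a maintainer through social engineering", group="yellow",
                     safeguards=["Vet new maintainers and review their first contributions"]),
            ],
        ),
        Node(
            "Compromise a system in the build or distribution pipeline",
            group="green",
            safeguards=["Harden and attest build and distribution systems"],
            children=[
                # Dashed node: attacking that system is itself a supply chain attack, so recurse.
                Node("Attack the compromised system's own supply chain", recurse_to_root=True),
            ],
        ),
    ],
)


def nodes_by_name(root: Node) -> Dict[str, Node]:
    """Flatten the tree for info lookup (the 'double-click' view). Names are assumed unique."""
    index: Dict[str, Node] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        index[node.name] = node
        stack.extend(node.children)
    return index


def attack_paths(root: Node, max_recursion: int = 1) -> List[List[str]]:
    """Enumerate root-to-leaf paths. A dashed node re-enters the root's alternatives;
    after max_recursion re-entries it is treated as a leaf so the enumeration terminates."""
    paths: List[List[str]] = []

    def walk(node: Node, path: List[str], recursions: int) -> None:
        path = path + [node.name]
        if node.recurse_to_root:
            if recursions < max_recursion:
                for child in root.children:
                    walk(child, path, recursions + 1)
            else:
                paths.append(path)  # recursion budget spent: stop expanding here
            return
        if not node.children:
            paths.append(path)
            return
        for child in node.children:
            walk(child, path, recursions)

    walk(root, [], 0)
    return paths


def safeguards_on_path(root: Node, path: List[str]) -> List[str]:
    """Collect, in path order and without duplicates, every safeguard mapped to a node on the path."""
    index = nodes_by_name(root)
    collected: List[str] = []
    for name in path:
        for safeguard in index[name].safeguards:
            if safeguard not in collected:
                collected.append(safeguard)
    return collected


if __name__ == "__main__":
    for path in attack_paths(TREE):
        print(" -> ".join(path))
        print("   safeguards:", safeguards_on_path(TREE, path))
```

Each enumerated path reads as one complete attacker strategy, and the safeguards collected along it are the controls that would have to fail together for that strategy to succeed; raising `max_recursion` expands the dashed node one more level, which is exactly what the interactive tree does when you keep clicking into a dashed-stroke node.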
Ready to Play?
Come and discover the attacker's mind when performing an Open-Source Software Supply Chain attack.