
Research On Software Supply Chain Contamination Mechanism And Defense Technology

Posted on: 2019-04-04
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Zhou
Full Text: PDF
GTID: 2359330542998740
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of computers and the Internet, software has become an indispensable part of people's daily life and work. Software is closely tied to its users, and software security is in turn closely tied to users' information security, so research on software security is an important part of information security. Traditionally, attacks against software have mainly targeted software vulnerabilities. In recent years, a new kind of attack against software, called software supply chain contamination, has been uncovered, and more and more attacks have been found to be related to it. In a software supply chain attack, attackers find an attack vector in the software supply chain and use it to contaminate the software, so that users download or use illegal software. Attackers can even use the illegal software to conduct further attacks, such as stealing users' data and DDoS. In short, studying the mechanism and defense technology of software supply chain attacks prompts us to examine software security from the perspective of the supply chain and to protect software and its many users. Firstly, this paper introduces the background and current state of research on the software supply chain, pointing out that the security problems of the software supply chain need to be solved immediately. Secondly, this paper studies the software supply chain contamination mechanism from several aspects, including concept, threat model, classification and key technology. Based on existing research, such as the concept of the software supply chain and cases of software supply chain contamination, this paper proposes the concept of software supply chain contamination. It then identifies threats in the software supply chain and builds a threat model of the software supply chain. In addition, it classifies cases of software supply chain contamination along different dimensions. It also analyzes software supply chain cases, summarizes their key technologies and patterns, and conducts experiments to demonstrate their usability and universality, which reveals the hidden dangers of the software supply chain. Finally, this paper studies defense technology for software supply chain contamination in two parts. In the general part, it proposes defense techniques for the different roles in the software supply chain. In the targeted part, it studies the case of WordPress theme contamination, designs a malicious code detection method based on similarity analysis, and conducts an experiment to demonstrate its effectiveness and advantages.
Keywords/Search Tags: software security, software supply chain, malicious code detection, similarity analysis