ZTD$_{JAVA}$: Mitigating Software Supply Chain Vulnerabilities via Zero-Trust Dependencies

Paschal C. Amusuo, Kyle A. Robinson, Tanmay Singla, Huiyun Peng, Aravind Machiry, Santiago Torres-Arias, Laurent Simon, James C. Davis

TL;DR

The paper addresses SSC vulnerabilities arising from third-party libraries by applying the NIST Zero-Trust Architecture (ZTA) to the runtime of software dependencies, introducing Zero-Trust Dependencies (ZTD). It defines a system-level design (ZTD$_{SYS}$) and a Java-specific prototype (ZTD$_{JAVA}$) that instrument the application, monitor dependencies' resource accesses, generate least-privilege policies, load those policies as policy context, and enforce them at access time. Through a feasibility study and an empirical evaluation on recreated exploits and the DaCapo benchmarks, ZTD$_{JAVA}$ blocks many exploits that reach OS resources with modest overhead and requires policy specification for only a small subset of dependencies. The findings suggest ZTD effectively reduces risk from vulnerable libraries at low runtime cost, while the paper also outlines adoption barriers and future work to extend the approach to other ecosystems. This work operationalizes ZTA inside applications, offering actionable guidance for engineers securing software supply chains in real-world Java deployments.

Abstract

Third-party libraries like Log4j accelerate software application development but introduce substantial risk. Vulnerabilities in these libraries have led to Software Supply Chain (SSC) attacks that compromised resources within the host system. These attacks benefit from current application permission approaches: third-party libraries are implicitly trusted in the application runtime. An application runtime designed with Zero-Trust Architecture (ZTA) principles (secure access to resources, continuous monitoring, and least-privilege enforcement) could mitigate SSC attacks, as it would give zero implicit trust to these libraries. However, no individual security defense incorporates these principles at a low runtime cost. This paper proposes Zero-Trust Dependencies to mitigate SSC vulnerabilities: we apply the NIST ZTA to software applications. First, we assess the expected effectiveness and configuration cost of Zero-Trust Dependencies using a study of third-party software libraries and their vulnerabilities. Then, we present a system design, ZTD$_{SYS}$, that enables the application of Zero-Trust Dependencies to software applications and a prototype, ZTD$_{JAVA}$, for Java applications. Finally, with evaluations on recreated vulnerabilities and realistic applications, we show that ZTD$_{JAVA}$ can defend against prevalent vulnerability classes, introduces negligible cost, and is easy to configure and use.

Paper Structure (57 sections, 3 figures, 8 tables)

Figures (3)

  • Figure 1: The Zero-Trust Dependencies (ZTD) concept. To mitigate attacks exploiting vulnerable dependencies, a ZTD system provides secure access via runtime authorization, makes authorization decisions using a least-privileges access policy, and facilitates continuous monitoring of unexpected accesses.
  • Figure 2: The ZTD$_{\text{SYS}}$ design has five components. The application transformer instruments the application. The runtime monitor tracks dependencies' access to resources. The policy generator generates the least privilege policies for dependencies. The policy context loads the generated policies. The policy enforcer authorizes access.
  • Figure 3: Microbenchmarking results for the policy authorization operation, varying the number of dependencies in the application and the call stack size. As predicted, the execution time is constant in the dependency count and linear in the call stack length.
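The following is an added illustration of the policy-enforcer role described in Figure 2 and of the cost behaviour reported in Figure 3; it is example code written for this page, not the authors' ZTD$_{JAVA}$ implementation, and its class and method names (`ZtdPolicyEnforcer`, `Resource`, `dependencyOf`, `authorize`), the choice to identify a dependency by the package prefix of a stack frame's class, and the constructed policy and call stacks are all assumptions made here. The application transformer and runtime monitor are assumed to already route each resource access to `authorize()`; only the authorization decision and the monitoring record are shown.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.NavigableMap;
import java.util.TreeMap;
import java.util.stream.Collectors;

/**
 * Illustrative least-privilege policy enforcer for dependencies.
 * Added example (hypothetical names); not the authors' ZTD_JAVA code.
 */
public final class ZtdPolicyEnforcer {

    /** Resource categories the policy speaks about (assumed set). */
    enum Resource { FILE_READ, FILE_WRITE, NETWORK, PROCESS }

    /** Least-privilege policy: dependency id -> resources it may access (hash lookup). */
    private final Map<String, EnumSet<Resource>> policy;
    /** Package prefix -> dependency id; the longest matching prefix wins. */
    private final NavigableMap<String, String> prefixToDependency;
    /** Continuous monitoring: every unexpected access is recorded here. */
    private final List<String> denials = new ArrayList<>();
    /** false = monitor only (useful while generating policies), true = enforce. */
    private final boolean enforce;

    ZtdPolicyEnforcer(Map<String, EnumSet<Resource>> policy,
                      Map<String, String> prefixToDependency, boolean enforce) {
        this.policy = Map.copyOf(policy);
        this.prefixToDependency = new TreeMap<>(prefixToDependency);
        this.enforce = enforce;
    }

    /** Map a frame's class name to the dependency owning it; null for application or JDK code. */
    String dependencyOf(String className) {
        for (Map.Entry<String, String> e : prefixToDependency.descendingMap().entrySet()) {
            if (className.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    /**
     * Authorize one resource access given the observed call stack (innermost frame first).
     * Each frame costs one prefix match plus one map lookup, so the work grows linearly with
     * stack depth and does not depend on how many dependencies the application declares.
     * Every dependency present on the stack must hold the permission: a vulnerable library
     * reached through a benign caller still cannot use resources it was never granted.
     */
    boolean authorize(Resource resource, List<String> callStackClassNames) {
        for (String cls : callStackClassNames) {
            String dep = dependencyOf(cls);
            if (dep == null) {
                continue; // application or JDK frame: not subject to dependency policy
            }
            EnumSet<Resource> allowed = policy.getOrDefault(dep, EnumSet.noneOf(Resource.class));
            if (!allowed.contains(resource)) {
                denials.add(dep + " -> " + resource); // monitoring record
                if (enforce) {
                    return false; // least-privilege enforcement
                }
            }
        }
        return true;
    }

    List<String> denials() {
        return Collections.unmodifiableList(denials);
    }

    /** Live call stack, for wiring the check into an instrumented JDK entry point. */
    static List<String> currentStack() {
        return StackWalker.getInstance().walk(frames ->
                frames.map(StackWalker.StackFrame::getClassName).collect(Collectors.toList()));
    }

    public static void main(String[] args) {
        // Constructed policy: the logger may only write files, the HTTP client may only use the network.
        Map<String, EnumSet<Resource>> policy = Map.of(
                "example-logger", EnumSet.of(Resource.FILE_WRITE),
                "example-http", EnumSet.of(Resource.NETWORK));
        Map<String, String> prefixes = Map.of(
                "com.example.logger.", "example-logger",
                "com.example.http.", "example-http");
        ZtdPolicyEnforcer ztd = new ZtdPolicyEnforcer(policy, prefixes, true);

        // Constructed call stacks standing in for what the runtime monitor would observe.
        List<String> appendToLogFile = List.of("com.example.logger.FileAppender", "com.example.app.Main");
        List<String> lookupReachingNetwork = List.of("com.example.logger.Lookup", "com.example.logger.Layout", "com.example.app.Main");

        System.out.println("log file write allowed: " + ztd.authorize(Resource.FILE_WRITE, appendToLogFile));
        System.out.println("logger network access allowed: " + ztd.authorize(Resource.NETWORK, lookupReachingNetwork));
        System.out.println("logger process spawn allowed: " + ztd.authorize(Resource.PROCESS, lookupReachingNetwork));
        System.out.println("denials recorded: " + ztd.denials());
    }
}
```

With `enforce` set to true, the first access is allowed and the other two are refused and logged, because the constructed policy grants the logger only `FILE_WRITE`; with `enforce` set to false the same run only records the two unexpected accesses, which is the mode a policy generator would use to learn a dependency's actual resource needs before enforcement is switched on.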