Preserving Privacy in Software Composition Analysis: A Study of Technical Solutions and Enhancements
Huaijin Wang, Zhibo Liu, Yanbo Dai, Shuai Wang, Qiyi Tang, Sen Nie, Shi Wu
TL;DR
This work tackles the privacy challenges of software composition analysis (SCA) by analyzing privacy requirements and surveying landscape options. It develops two privacy-preserving frameworks on Centris: a similarity-test approach using SBB and a secure MPC-based approach using embedding models, demonstrating that MPC offers stronger privacy at the cost of higher overhead. To bridge practicality and privacy, the authors propose SafeSCA, a set of optimizations (binary embeddings, commit-based signature generation, and three client-side filters) that dramatically reduce encrypted computation and overall overhead while preserving accuracy. The result is a practical privacy-preserving SCA pipeline that reduces MPC overhead to a small fraction of total time and enables secure OSS dependency analysis in real-world scenarios.
Abstract
Software composition analysis (SCA) denotes the process of identifying open-source software components in an input software application. SCA has been extensively developed and adopted by academia and industry. However, we notice that the modern SCA techniques in industry scenarios still need to be improved due to privacy concerns. Overall, SCA requires the users to upload their applications' source code to a remote SCA server, which then inspects the applications and reports the component usage to users. This process is privacy-sensitive since the applications may contain sensitive information, such as proprietary source code, algorithms, trade secrets, and user data. Privacy concerns have prevented the SCA technology from being used in real-world scenarios. Therefore, academia and the industry demand privacy-preserving SCA solutions. For the first time, we analyze the privacy requirements of SCA and provide a landscape depicting possible technical solutions with varying privacy gains and overheads. In particular, given that de facto SCA frameworks are primarily driven by code similarity-based techniques, we explore combining several privacy-preserving protocols to encapsulate the similarity-based SCA framework. Among all viable solutions, we find that multi-party computation (MPC) offers the strongest privacy guarantee and plausible accuracy; it, however, incurs high overhead (184 times). We optimize the MPC-based SCA framework by reducing the amount of crypto protocol transactions using program analysis techniques. The evaluation results show that our proposed optimizations can reduce the MPC-based SCA overhead to only 8.5% without sacrificing SCA's privacy guarantee or accuracy.