GoLeash: Mitigating Golang Software Supply Chain Attacks with Runtime Policy Enforcement
Carmine Cesarano, Martin Monperrus, Roberto Natella
TL;DR
GoLeash tackles software supply chain attacks targeting Go dependencies by enforcing runtime least-privilege at the per-package level. It uses eBPF to trace system calls, attributes them to Go packages, and maps them to a fine-grained capability taxonomy, enabling analysis-then-enforcement with per-package policies. The evaluation on five real Go projects shows 98% detection of malicious variants and up to 9.34% runtime overhead, with robust performance under obfuscation. The work provides a practical runtime defense for the Go ecosystem and suggests that per-package monitoring can complement static analysis and coarse sandboxing.
Abstract
Modern software supply chain attacks consist of introducing new, malicious capabilities into trusted third-party software components, in order to propagate to a victim through a package dependency chain. These attacks are especially concerning for the Go language ecosystem, which is extensively used in critical cloud infrastructures. We present GoLeash, a novel system that applies the principle of least privilege at the package-level granularity, by enforcing distinct security policies for each package in the supply chain. This finer granularity enables GoLeash to detect malicious packages more precisely than traditional sandboxing that handles security policies at process- or container-level. Moreover, GoLeash remains effective under obfuscation, can overcome the limitations of static analysis, and incurs acceptable runtime overhead.
