Skip to content

Commit 159e445

Browse files
monperrusmonperrus
authored
Merge pull request #71 from chains-project/new-master-thesis-topics
Two master thesis topics
2 parents 7fe58f6 + 7337cc8 commit 159e445

File tree

1 file changed

+33
-0
lines changed

1 file changed

+33
-0
lines changed

master-thesis.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,39 @@ title: Open Master Thesis Topics in Project Chains
66

77
Project Chains hosts master's students for their theses, here are available topics. See [main page](/) for completed theses.
88

9+
### How prevalent is Maven Class Hijacking?
10+
Contact: Aman Sharma, Frank Reyes Garçia
11+
12+
Maven Class Hijacking [1] is a supply chain attack where a legitimiate Java class deep in the dependency tree can act malicious by shadowing a legitimate Java class that one declares directly.
13+
We want to explore how prevalent the condition "infection dependency precedes the gadget dependency" is.
14+
In this thesis, we will construct a dataset of Maven projects to answer the above question.
15+
The two criteria of the dataset can be 1) duplication of fully qualified names of class across two different dependencies.
16+
2) dependencies that could become infectious by analyzing social engineering proxies such as no commits in the past 10 years.
17+
In the paper [1], we also recommend a mitigation for this attack.
18+
We would like to know how prevalent this mitigation is and in what cases it can break the build leading to a false-positive.
19+
20+
[1] [Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order](https://arxiv.org/abs/2407.18760)
21+
22+
Related Work:
23+
24+
[2] [Will Dependency Conflicts Affect My Program's Semantics?](https://ieeexplore.ieee.org/document/9350237)
25+
26+
[3] [DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers](http://arxiv.org/abs/2402.18401)
27+
28+
29+
30+
### Ahead of Time Compilation Cache Analysis
31+
Contact: Aman Sharma
32+
33+
[JEP 483](https://openjdk.org/jeps/483) introduced a performance optimization technique to improve startup time.
34+
It allowed creating an "AOT" cache which stores the compiled versions of commonly loaded classfiles.
35+
In this thesis, we will explore the commonly loaded classfile by implementing an AOT Cache reader.
36+
Next, we can analyze how are synthetically generated classfiles handled.
37+
Another question to investigate is if this cache can be repurposed as an allowlist of classes similar to the concept of BOMI in SBOM.exe [1].
38+
39+
[1] [SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java](https://arxiv.org/abs/2407.00246)
40+
41+
942
<h3 >Trust Assumptions and Threats in Build Attestation System</h3>
1043
Contact: Larissa Schmid
1144
<p>Description:

0 commit comments

Comments
 (0)