Methods and techniques to characterize supply chain threats in software
IMDEA Networks is the beneficiary of this project
  • Financed by: Ministry of Science and Innovation PID2022-143304OB-I00
  • Duration: September 2023 to August 2027
  • Contact:

PARASITE is an ambitious and holistic research effort to create an evidence-based observatory to characterize, model, and analyze the modern software supply chain, its actors, their behaviors, and the rampant and diverse range of security and privacy threats targeting them. PARASITE builds on over 20 years of experience and highly impactful research in program testing, cybersecurity, and cybercrime. It aims to push the boundaries of our understanding of the supply chain and its socio-technical ramifications and implications. Our approach will address the current set of challenges and limitations of existing static and dynamic analysis methods for understanding the supply chain and its inherent risks. Specifically, existing static analysis methods for identifying dependencies in compiled and packaged software must cope with differing versions of compilation toolchains, target architectures, optimization levels, and other compile-time configuration, all of which substantially alter the final artifact of software production relative to its source code. Additionally, we lack methods to attribute and identify vulnerabilities in modern programs, because most analysis methods treat a program as a monolithic object rather than as a composition of components from multiple parties.