2022 SCORED Program
All times are in Pacific Standard Time.
Chairs’ Welcome (8:30 AM)
Keynote Talk (8:35 AM)
Strength, trust, and harmony: the challenges and opportunities of software supply chain security
Trevor Rosen, Package Security Engineering lead (GitHub)
Break (9:30 AM)
Technical Session 1: Resilient-By-Design (9:45 AM)
Session Chair: Asra Ali
Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity
Andrew Ferraiuolo (Google Research), Razieh Behjati (Google Research), Tiziano Santoro (Google Research), Ben Laurie (Google)
SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties
Chinenye Okafor (Purdue University), Taylor R. Schorlemmer (Purdue University), Santiago Torres-Arias (Purdue University), and James C. Davis (Purdue University)
Preventing or Mitigating Adversarial Supply Chain Attacks: A Legal Analysis
Kaspar Rosager Ludvigsen (University of Newcastle), Shishir Nagaraja (University of Newcastle), Angela Daly (University of Dundee)
Break (10:45 AM)
Technical Session 2: Risk Assessment (11:00 AM)
Session Chair: Zachary Newman
Risk Explorer for Software Supply Chains (Demo)
Piergiorgio Ladisa (SAP Security Research, Université de Rennes 1), Henrik Plate (SAP Security Research), Matias Martinez (Université Polytechnique Hauts-de-France), Olivier Barais (Université de Rennes 1, INRIA, IRISA), Serena Elisa Ponta (SAP Security Research)
Automatic Security Assessment of GitHub Actions Workflows
Giacomo Benedetti (University of Genoa), Luca Verderame (University of Genoa), Alessio Merlo (University of Genoa)
On the Use of Tests for Software Supply Chain Threats
Joseph Hejderup (Endor Labs Inc. and TU Delft)
Lunch (12:00 PM)
Panel Discussion (1:00 PM)
Session Chair: Santiago Torres-Arias
Software Supply Chain Security: Past, Present and Future Perspectives
Panelists: Justin Cappos (New York University), Chinmayi Sharma (Strauss Center at UT Austin), Kathleen Moriarty (Center for Internet Security), Dhinesh Manoharan (Intel)
Break (2:00 PM)
Technical Session 3: Dependency Analysis (2:15 PM)
Session Chair: Nicholas Boucher
Exorcist: Automated Differential Analysis to Detect Compromises in Closed-Source Software Supply Chains
Freddie Barr-Smith (University of Oxford), Tim Blazytko (University of Oxford), Richard Baker (Emproof B.V.), Ivan Martinovic (University of Oxford)
Towards the Detection of Malicious Java Packages
Piergiorgio Ladisa (SAP Security Research, Université de Rennes 1), Henrik Plate (SAP Security Research), Matias Martinez (Université Polytechnique Hauts-de-France), Olivier Barais (Université de Rennes 1, INRIA, IRISA), Serena Elisa Ponta (SAP Security Research)
Adapting Static Taint Analyzers to Software Marketplaces: A Leverage Point for Mass Vulnerability Detection?
Daniel Krohmer (Fraunhofer IESE), Kunal Sharma (University of Kaiserslautern), Shi Chen (University of Kaiserslautern)
Break (3:15 PM)
Technical Session 4: Developer Practices (3:30 PM)
Session Chair: TBD
Talking Trojan: Analyzing an Industry-Wide Disclosure
Nicholas Boucher (University of Cambridge), Ross Anderson (Universities of Cambridge and Edinburgh)
Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis
Vijay Prakash (New York University), Sicheng Xie (New York University), Danny Yuxing Huang (New York University)
An Empirical Study of Artifacts and Security Risks in the Pre-trained Model Supply Chain
Wenxin Jiang (Purdue University), Nicholas Synovic (Loyola University Chicago), Rohan Sethi (Loyola University Chicago), Aryan Indarapu (University of Illinois Urbana-Champaign), Matt Hyatt (Loyola University Chicago), Taylor R. Schorlemmer (Purdue University), George K. Thiruvathukal (Loyola University Chicago), and James C. Davis (Purdue University)