SCORED Program

All times are in Pacific Standard Time.

Chairs’ Welcome (8:30 AM)

Keynote Talk (8:35 AM)

Strength, trust, and harmony: the challenges and opportunities of software supply chain security

Trevor Rosen, Package Security Engineering lead (GitHub)

Break (9:30 AM)

Technical Session 1: Resilient-By-Design (9:45 AM)

Session Chair: Asra Ali

Policy Transparency: Authorization Logic Meets General Transparency to Prove Software Supply Chain Integrity

Andrew Ferraiuolo (Google Research), Razieh Behjati (Google Research), Tiziano Santoro (Google Research), Ben Laurie (Google)

SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties

Chinenye Okafor (Purdue University), Taylor R. Schorlemmer (Purdue University), Santiago Torres-Arias (Purdue University), and James C. Davis (Purdue University)

Kaspar Rosager Ludvigsen (University of Newcastle), Shishir Nagaraja (University of Newcastle), Angela Daly (University of Dundee)

Break (10:45 AM)

Technical Session 2: Risk Assessment (11:00 AM)

Session Chair: Zachary Newman

Risk Explorer for Software Supply Chains (Demo)

Piergiorgio Ladisa (SAP Security Research, Université de Rennes 1), Henrik Plate (SAP Security Research), Matias Martinez (Université Polytechnique Hauts-de-France), Olivier Barais (Université de Rennes 1, INRIA, IRISA), Serena Elisa Ponta (SAP Security Research)

Automatic Security Assessment of GitHub Actions Workflows

Giacomo Benedetti (University of Genoa), Luca Verderame (University of Genoa), Alessio Merlo (University of Genoa)

On the Use of Tests for Software Supply Chain Threats

Joseph Hejderup (Endor Labs Inc. and TU Delft)

Lunch (12:00 PM)

Panel Discussion (1:00 PM)

Session Chair: Santiago Torres-Arias

Software Supply Chain Security: Past, Present and Future Perspectives

Panelists: Justin Cappos (New York University), Chinmayi Sharma (Strauss Center at UT Austin), Kathleen Moriarty (Center for Internet Security), Dhinesh Manoharan (Intel)

Break (2:00 PM)

Technical Session 3: Dependency Analysis (2:15 PM)

Session Chair: Nicholas Boucher

Exorcist: Automated Differential Analysis to Detect Compromises in Closed-Source Software Supply Chains

Freddie Barr-Smith (University of Oxford), Tim Blazytko (University of Oxford), Richard Baker (Emproof B.V.), Ivan Martinovic (University of Oxford)

Towards the Detection of Malicious Java Packages

Piergiorgio Ladisa (SAP Security Research, Université de Rennes 1), Henrik Plate (SAP Security Research), Matias Martinez (Université Polytechnique Hauts-de-France), Olivier Barais (Université de Rennes 1, INRIA, IRISA), Serena Elisa Ponta (SAP Security Research)

Adapting Static Taint Analyzers to Software Marketplaces: A Leverage Point for Mass Vulnerability Detection?

Daniel Krohmer (Fraunhofer IESE), Kunal Sharma (University of Kaiserslautern), Shi Chen (University of Kaiserslautern)

Break (3:15 PM)

Technical Session 4: Developer Practices (3:30 PM)

Session Chair: TBD

Talking Trojan: Analyzing an Industry-Wide Disclosure

Nicholas Boucher (University of Cambridge), Ross Anderson (Universities of Cambridge and Edinburgh)

Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis

Vijay Prakash (New York University), Sicheng Xie (New York University), Danny Yuxing Huang (New York University)

An Empirical Study of Artifacts and Security Risks in the Pre-trained Model Supply Chain

Wenxin Jiang (Purdue University), Nicholas Synovic (Loyola University Chicago), Rohan Sethi (Loyola University Chicago), Aryan Indarapu (University of Illinois Urbana-Champaign), Matt Hyatt (Loyola University Chicago), Taylor R. Schorlemmer (Purdue University), George K. Thiruvathukal (Loyola University Chicago), and James C. Davis (Purdue University)

Closing Remarks (4:30 PM)