2024 Workshop Agenda

All times are in Mountain Daylight Time.

Opening Remarks and Awards (9:00 AM)

PC Chairs

Keynote Talk (9:10 AM)

Insane in the AI Supply Chain: Attacks, defenses and open questions

Eoin Wickens, Director of Threat Intelligence, HiddenLayer

Break (10:00-10:15 AM)

Technical Session 1: Building Trust in Software Supply Chains (10:15 AM)

Session Chair: Martin Schwaighofer (Johannes Kepler University Linz)

Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of Materials

Yue Xiao (IBM), Adwait Nadkarni (William & Mary), Xiaojing Liao (Indiana University)

[SiP] Nowhere to Hide: Using Transparency Logs to Secure Your Supply Chain

Hayden Blauzvern (Google)

[SiP] Runtime Verification for Software Supply Chain Security using Confidential Computing

Bobbie Chen (Anjuna Security)

Break (11:15-11:30 AM)

Technical Session 2: Exploring Package Ecosystems (11:30 AM)

Session Chair: Eric O’Donoghue (Montana State University)

BinEq – A Benchmark of Compiled Java Programs to Assess Alternative Builds

Jens Dietrich (Victoria University of Wellington), Tim White (Victoria University of Wellington), Mohammad Mahdi Abdollahpour (University of Waterloo), Elliott Wen (University of Auckland), Behnaz Hassanshahi (Oracle Labs)

What’s in a URL? An Analysis of Hardcoded URLs in npm Packages

Elizabeth Wyss (University of Kansas), Drew Davidson (University of Kansas), Lorenzo De Carli (University of Calgary)

GoSurf: Identifying Software Supply Chain Attack Vectors in Go

Carmine Cesarano (University of Naples Federico II), Vivi Andersson (KTH Royal Institute of Technology), Roberto Natella (University of Naples Federico II), Martin Monperrus (KTH Royal Institute of Technology)

Lunch (12:30-1:40 PM)

Panel Discussion (1:40 PM)

Session Chair: Marcela Melara (Intel Labs)

ML (for) Software Supply Chain Security: Promises, Pitfalls and Opportunities

Panelists: Mihai Maruseac (Google), Sarah Evans (Dell), Hai Phan (NJIT)

Break (2:30-2:45 PM)

Technical Session 3: Enhancing Build Systems (2:45 PM)

Session Chair: Lorenzo De Carli (University of Calgary)

[SiP] Auditing the CI/CD Platform: Reproducible Builds vs. Hardware-Attested Build Environments, Which is Right for You?

Marcela S. Melara (Intel Labs), Chad Kimes (Independent)

Extending Cloud Build Systems to Eliminate Transitive Trust

Martin Schwaighofer (Johannes Kepler University Linz), Michael Roland (Johannes Kepler University Linz), René Mayrhofer (Johannes Kepler University Linz)

Break (3:25-3:40 PM)

Technical Session 4: Advancing Software Supply Chain Security: Techniques and Impact (3:40 PM)

Session Chair: Dennis Roellke (Bloomberg)

Developers’ Approaches to Software Supply Chain Security: An Interview Study

Rami Sammak (Paderborn University), Anna Lena Rotthaler (Paderborn University), Harshini Sri Ramulu (Paderborn University), Dominik Wermke (North Carolina State University), Yasemin Acar (The George Washington University & Paderborn University)

Impacts of Software Bill of Materials (SBOM) Generation on Vulnerability Detection

Eric O’Donoghue (Montana State University), Brittany Boles (Montana State University), Clemente Izurieta (Montana State University), Ann Marie Reinhold (Montana State University)

On the Security Blind Spots of Software Composition Analysis

Jens Dietrich (Victoria University of Wellington), Shawn Rasheed (UCOL | Te Pūkenga), Alexander Jordan (Oracle Labs), Tim White (Victoria University of Wellington)

Closing Remarks (4:40 PM)

General Chair

Happy Hour @ Green Pug Pub (5:30 PM)

Sponsored by KTH Chains

The pub is a 15-minute walk from the conference venue (Marriott at City Creek). A group will meet in the lobby following the workshop and leave promptly at 5:10 PM.

Note: The bar is strictly 21 years of age and above. Bring a U.S. ID or passport to enter the bar. This is strict in Utah.