Workshop Agenda

All times in CET.

Please join our Discord server during the event to ask questions during the keynotes: https://discord.gg/kFcMaFWgmp.

Gathering and Breakfast (8:30 AM - 9:00 AM)

Morning Session: (9:00 AM -12:10 PM)

Opening Remarks & Awards (9:00 AM)

PC Chairs

Opening Keynote: Open Source Supply Chain Security at Google (9:15 AM)

Russ Cox (Google)

Break (10:00 AM)

Technical Session 1: Policy and Enforcement (10:15 AM)

Session Chair: Lorenzo De Carli

[SiP] What does it look like to code-sign for an entire packaging ecosystem?

William Woodruff (Trail of Bits)

Macaron: A Logic-based Framework for Software Supply Chain Security Assurance

Behnaz Hassanshahi (Oracle Labs), Trong Nhan Mai (Oracle Labs), Alistair Michael (Oracle Labs), Benjamin Selwyn-Smith (Oracle Labs), Sophie Bates (Oracle Labs), Padmanabhan Krishnan (Oracle Labs)

[SiP] Scalable Policies for Supply Chain Security

Tom Hennen (Google)

Break (11:15 AM)

Technical Session 2: AI to the rescue! (11:30 AM)

Session Chair: M. Ali Babar

An Empirical Study on Using Large Language Models to Analyze SSCS Failures

Tanmay Singla (Purdue University), Dharun Anandayuvaraj (Purdue University), Kelechi G. Kalu (Purdue University), Taylor R. Schorlemmer (Purdue University), James C. Davis (Purdue University)

Distinguishing AI- and Human-Generated Code: a Case Study

Sufiyan Bukhari (University of Calgary), Benjamin Tan (University of Calgary), Lorenzo De Carli (University of Calgary)

Lunch Break (12:10 PM - 1:15 PM)

Afternoon Session (1:15 PM - 4:35 PM):

Technical Session 3: Risk Evaluation and Detection (1:15 PM)

Session Chair: Laurie Williams

Differential Static Analysis for Detecting Malicious Updates

Fabian Niklas Froh (LMU Munich), Matías Federico Gobbi (LMU Munich), Johannes Kinder (LMU Munich)

The Hitchhiker’s Guide to Malicious Third-Party Dependencies

Piergiorgio Ladisa (SAP Security Research, Université de Rennes 1, INRIA/IRISA), Merve Sahin (SAP Security Research), Serena Elisa Ponta (SAP Security Research), Marco Rosa (SAP Security Research), Matias Martinez (Universitat Politècnica de Catalunya - Barcelona Tech), Olivier Barais (Univ. Rennes, Inria, CNRS, IRISA)

[SiP] Estimating security risk through repository mining

Tamas K Lengyel (Intel)

(Nothing But) Many Eyes Make All Bugs Shallow

Elizabeth Wyss (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)

Break (2:35 PM)

Technical Session 4: SBOM (2:55 PM)

Session Chair: Tom Hennen

[SiP] Enforcing SBOMs through the Linux kernel with eBPF and IMA

Rob Szumski (EdgeBit), Alex Crawford (EdgeBit)

[SiP] Challenges of Producing Software Bill Of Materials for Java

Musard Balliu (KTH Royal Institute of Technology), Benoit Baudry (KTH Royal Institute of Technology), Sofia Bobadilla (KTH Royal Institute of Technology), Mathias Ekstedt (KTH Royal Institute of Technology), Martin Monperrus (KTH Royal Institute of Technology), Javier Ron (KTH Royal Institute of Technology), Aman Sharma (KTH Royal Institute of Technology), Gabriel Skoglund (KTH Royal Institute of Technology), César Soto-Valero (KTH Royal Institute of Technology), Martin Wittlinger (KTH Royal Institute of Technology)

Break (3:35 PM)

Closing Keynote (3:45 PM)

Yesenia Yser (Yes2Tech)

Closing Remarks (4:30 PM)

General Chairs

KTH Chains Happy Hour (5:15 PM)

Warpigs Brewpub, Flaesketorvet 25 -37