CHAINS
CHAINS is a research project at KTH Royal Institute of Technology about hardening the software supply chain, including dependency engineering as well as reproducible, executable and verifiable builds, and SBOMs. We primarily look at Maven, NPM, and the software supply chain of crypto. The project is funded by the Swedish Foundation for Strategic Research (SSF). We are recruiting software engineers, postdocs, and interns; get in touch!
<dependency>
    <groupId>com.martiansoftware</groupId>
    <artifactId>jsap</artifactId>
    <version>2.1</version>
</dependency>
<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.36</version>
</dependency>
<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.11.0</version>
</dependency>
Publications (chronological order):
- The Multibillion Dollar Software Supply Chain of Ethereum, IEEE Computer, 2022
- Diverse Double-Compiling to Harden Cryptocurrency Software, Master's thesis Niklas Rosencrantz, 2023
- Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js, Usenix Security 2023
- Challenges of Producing Software Bill Of Materials for Java, IEEE Security & Privacy, 2023
- GitBark: A Rule-Based Framework for Maintaining Integrity in Source Code Repositories, Master's thesis Elias Bonnici, 2023
- Highly Available Blockchain Nodes With N-Version Design, IEEE Transactions on Dependable and Secure Computing, 2024
- BUMP: A Benchmark of Reproducible Breaking Dependency Updates, Proceedings of IEEE SANER, 2024
Posts:
- Dependency Resolution in Different Ecosystems
- The CHAINS software supply chain recommendations
- An overview of Reproducible Builds Summit 2023
- Software supply chain art
- Software supply chain attacks on crypto infrastructure
- NIX and the supply chain, debrief of NixCon 2022
- SBOMs for your GitHub Releases
- Principal Investigators: Musard Balliu, Benoit Baudry, Mathias Ekstedt, Martin Monperrus
- PhD students: Sofia Bobadilla, Eric Cornelissen, Javier Ron, Aman Sharma, Mikhail Shcherbakov, Liu Yuxin, Frank Reyes, Yekatierina Churakova
- Research engineers & assistants: Yogya Gamage, Raphina Liu, Elias Lundell
- Master's students: Arvid Siberov, Christofer Vikström, Daniel Williams, Felix Qvarfordt, Vivi Andersson, Oliver Schwalbe Lehtihet
- CHAINS alumni: Arvid Siberov, Linus Östlund, Gabriel Skoglund, César Soto-Valero, Martin Wittlinger
- April 26 2024: 3rd KTH Workshop on the Software Supply Chain
- October 2023: A Runtime Integrity Tool for Java Dependencies (Aman Sharma et al.). Poster at SecDev 2023
- August 18 2023: The Software Supply Chain and its Security Implications at CTF Midnight Sun. Speaker: Benoit Baudry
- June 5 2023: Keynote "The Software Supply Chain" at the French Conference for Software Research. Speaker: Benoit Baudry
- May 25 2023: The Security Implications of the Software Supply Chain. Keynote at the CDIS Spring Conference. Speaker: Benoit Baudry
- Apr 21 2023: 2nd Workshop on the Software Supply Chain @ KTH. Keynote Speakers: Christian Collberg, Stefano Zacchiroli
- Apr 18 2023: Highly Available Blockchain Nodes With N-Version Design. Speaker: Javier Ron
- Mar 31 2023: Verifiable source-only bootstrap from scratch. Speaker: an
- Mar 08 2023: SBOM for Alpine Linux. Speaker: Hans Thorsen Lamm.
- Jan 19 2023: Talk: The software supply chain of crypto, at the Decentralization meetup Stockholm. Speaker: Martin Monperrus
- Dec 08 2022: Software bloat in PyPI. Speaker: Georgios Drosos (Athens University of Economics and Business)
- Nov 15 2022: Building Robust Software Supply Chains at STEW'22. Speaker: Benoit Baudry
- Sep 30 2022: 1st Workshop on the Software Supply Chain @ KTH
- Sep 20 2022: Open-source security analysis @SAP. Speakers: Henrik Plate (SAP), Serena Elisa Ponta (SAP)
- Jun 14 2022: Building Robust Software Supply Chains at XP'22. Speaker: Benoit Baudry
- June 17 2022: Framtidens Forskning (In Swedish)