Background: Open-source code has been an amazing boon for software productivity. However, I believe that most of the code that companies run isn't written by their own developers, it is from various packages and frameworks written by outside individuals and groups. My main focus is writing data intensive software where malicious actors, or just poorly written code, could compromise the confidentiality and/or integrity of customer data via a popular package/dependency. Better sandboxing of relatively untrusted code could be a huge boon for applications that have lots of plugins (think Chrome of VS code).
A few thoughts I have had on this front is limiting access of untrusted code to system calls that control file and network access is critical. Also, there would be a need to ensure that dependencies can't "takeover" a process by overwriting the call-stack to run their own code or spawning a new thread / process. Interested in your thoughts.
For any arbitrary language you define, I can create a known-bad library and punch it into the download stream
If you want to mitigate supply-chain attacks, you need to look at all of the following (at least!):
- library source
- file-signature
- signature key-verification
- static analysis of library functionality
- processor-dependent rogue behavior detection
- OS-dependent rogue behavior detection
This is not a language problem - this is a source and runtime problem
Because you mention supply-chain attacks, I assume you're familiar with Nix/Guix linux distributions/package managers?