DOCSLIB.ORG

Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee Georgia Institute of Technology Abstract—Package managers have become a vital part of the organizations that rely on open-source interpreted program- modern software development process. They allow developers ming languages for different internal and external applications. to reuse third-party code, share their own code, minimize their Attackers can infiltrate well-defended organization by simply codebase, and simplify the build process. However, recent reports subverting the software supply chain of registries. For exam- showed that package managers have been abused by attackers to ple, eslint-scope [4], a package with millions of weekly distribute malware, posing significant security risks to developers downloads in Npm, was compromised to steal credentials and end-users. For example, eslint-scope, a package with millions of weekly downloads in Npm, was compromised to steal from developers. Similarly, rest-client [5], which has over credentials from developers. To understand the security gaps one hundred million downloads in RubyGems, was compro- and the misplaced trust that make recent supply chain attacks mised to leave a Remote-Code-Execution (RCE) backdoor possible, we propose a comparative framework to qualitatively on web servers. These attacks demonstrate how miscreants assess the functional and security features of package managers can covertly gain access to a wide-range of organizations by for interpreted languages. Based on qualitative assessment, we carrying out a software supply chain attack. apply well-known program analysis techniques such as metadata, static, and dynamic analysis to study registry abuse. Our initial efforts found 339 new malicious packages that we reported to Security researchers [7] are aware of these attacks and have the registries for removal. The package manager maintainers proposed several solutions to address the rise of malicious confirmed 278 (82%) from the 339 reported packages where three software in registries. Zimmermann et al. [8] systematically of them had more than 100,000 downloads. For these packages we studied 609 known security issues and revealed a large attack were issued official CVE numbers to help expedite the removal of surface in the Npm ecosystem. BreakApp [9], on the other these packages from infected victims. We outline the challenges hand, isolates untrusted packages, which addresses credential of tailoring program analysis tools to interpreted languages and theft and prevents access to sensitive data, but does not release our pipeline as a reference point for the community to stop cryptocurrency mining or backdoors. Additionally, many build on and help in securing the software supply chain. solutions [10]–[12] assume inherent trust and focus on finding bugs in packages rather than malicious packages. To make matters worse, some attacks are very sinister and use social I. INTRODUCTION engineering techniques [13], [14] to disguise themselves by Many modern web applications rely on interpreted pro- first publishing a “useful” package, then waiting until it isused gramming languages because of their rich libraries and pack- by their target to update it and include malicious payloads. ages. Registries (also known as package managers) like PyPI, Although, many security researchers are actively investigating Npm, and RubyGems provide a centralized repository that attacks on registries and proposing solutions, these approaches developers can search and install add-on packages to help in seem to be ad-hoc and one-off solutions. A better approach is development. For example, developers building a web appli- to understand the extent of the software supply chain abuse and cation can rely on Python web frameworks like Django [1], how miscreants are taking advantage of them. The approach arXiv:2002.01139v2 [cs.CR] 2 Dec 2020 Web2py [2], and Flask [3] to provide boilerplate code for rapid must be grounded to allow an objective comparison between development. Not only have registries made the development the different registry ecosystem. process more efficient, but also they have created a large community that collaborates and shares open-source code. To this end, we propose a framework that highlights key Unfortunately, miscreants have found ways to infiltrate these functionality, security mechanisms, stakeholders, and remedi- communities and infect benign popular packages with mali- ation techniques to comparatively analyze different registry cious code that steal credentials [4], install backdoors [5], and ecosystems. We use our framework to look at what features even abuse compute resources for cryptocurrency mining [6]. registries provide, what security principles are enforced, how is trust delegated between different parties, and what remediation The impact of this problem is not isolated to small one-off and contingency plans registries have in place for post-attack. web apps, but large websites, enterprises, and even government We leverage our findings to provide practical action items that registry maintainers can enforce using pre-existing tools and security principles that will improve the security of the overall Network and Distributed Systems Security (NDSS) Symposium 2021 package management ecosystem. Using well-known program 21-24 February 2021, San Diego, CA, USA ISBN 1-891562-66-5 analysis techniques, we build MALOSS, a custom pipeline https://dx.doi.org/10.14722/ndss.2021.23055 tailored for interpreted languages that we use to empirically www.ndss-symposium.org study the security of package managers. We make this pipeline public 1 for the community to use as a reference or starting integration and continuous deployment (CI/CD) pipeline to point to help analyze and identify suspicious packages. automate the release process (i.e., build and deploy). We use our pipeline MALOSS to study over one million Developers. Developers manage the app development frame- packages from PyPI, Npm, and RubyGems and identified 7 work and are consumers of the published packages. They malicious packages in PyPI, 41 malicious packages in Npm, are responsible for finding the right packages to use in their and 291 malicious packages in RubyGems. We reported these software and releasing their products to end-users. Devs focus packages to registry maintainers and had 278 of them removed, on developing unique features in their software and reuse over 82%. Three of the reported malicious packages had packages from registries for common functionalities. Also, over 100K installs and they were assigned an official CVE Devs need to address issues of reused packages, such as known number. We present an in-depth case study to demonstrate the vulnerabilities and incompatibilities. utility of our framework and demonstrate the sophistication of these malicious packages and present their infection vectors, End-users. Although not directly interacting with registries, capabilities, and persistence. Moreover, to study the impact end-users are still an important stakeholder in the ecosystem. the malicious packages, we use passive-DNS data to estimate Users are at the downstream and use services or applications how wide spread the installation of these malicious packages. from Devs on browsers, mobile devices or Internet-of-Things Finally, we propose actionable steps to help improve the overall (IoT) devices. Users are eventually customers that pay and security of package managers and protect the software supply fuel the whole ecosystem, however, they have no control of chain such as adding typo detection at the client-side to software except feedback channels and can be affected by minimize accidental errors of developers. upstream security issues. II. BACKGROUND B. An Overview of Registry Abuse Registries are platforms for code sharing and play an essen- We present a selected list of supply chain attacks in tial role in the software development process. We start by intro- Figure 2, spanning across different types of registries (e.g. ducing the four primary stakeholders involved in developing, interpreted languages, system-wide). In 2016, Tschacher [7] managing and using packages from registries, namely Registry demonstrated a proof-of-concept attack against package man- Maintainers (RMs), Package Maintainers (PMs), Developers agers. The attack used typosquatting, which is a technique (Devs) and End-users (Users). We then present an overview of that misspells the name of a popular package and waits for registry abuse and show that existing studies cannot address users installing the popular package to typo the name (hence the rising trend of supply chain attacks. We further dive into typosquatting) resulting in the installation of the malicious the security gaps and identify challenges in securing registries. package instead. As of August 2019, there were more than 300 malicious packages reported and removed in different registries (PyPI, Npm, RubyGems, etc.). In Figure 3, we aggregate the A. Primary Stakeholders number of malicious packages uploaded into registries and We sketch the characteristics of primary stakeholders and their corresponding download counts by year of uploading. We their simplified relationships in the package manager ecosys- note that these counts are documented/detected attacks, which tem in Figure 1. Note that the stakeholders are roles, which is a subset of all the attacks (known and unknown).
Load more

Recommended publications
  • ROADS and BRIDGES: the UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface
    Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure WRITTEN BY Nadia Eghbal 2 Open up your phone. Your social media, your news, your medical records, your bank: they are all using free and public code. Contents 3 Table of Contents 4 Preface 58 Challenges Facing Digital Infrastructure 5 Foreword 59 Open source’s complicated relationship with money 8 Executive Summary 66 Why digital infrastructure support 11 Introduction problems are accelerating 77 The hidden costs of ignoring infrastructure 18 History and Background of Digital Infrastructure 89 Sustaining Digital Infrastructure 19 How software gets built 90 Business models for digital infrastructure 23 How not charging for software transformed society 97 Finding a sponsor or donor for an infrastructure project 29 A brief history of free and public software and the people who made it 106 Why is it so hard to fund these projects? 109 Institutional efforts to support digital infrastructure 37 How The Current System Works 38 What is digital infrastructure, and how 124 Opportunities Ahead does it get built? 125 Developing effective support strategies 46 How are digital infrastructure projects managed and supported? 127 Priming the landscape 136 The crossroads we face 53 Why do people keep contributing to these projects, when they’re not getting paid for it? 139 Appendix 140 Glossary 142 Acknowledgements ROADS AND BRIDGES: THE UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface Our modern society—everything from hospitals to stock markets to newspapers to social media—runs on software. But take a closer look, and you’ll find that the tools we use to build software are buckling under demand.
    [Show full text]
  • Theendokernel: Fast, Secure
    The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization Bumjin Im Fangfei Yang Chia-Che Tsai Michael LeMay Rice University Rice University Texas A&M University Intel Labs Anjo Vahldiek-Oberwagner Nathan Dautenhahn Intel Labs Rice University Abstract Intra-Process Sandbox Multi-Process Commodity applications contain more and more combina- ld/st tions of interacting components (user, application, library, and Process Process Trusted Unsafe system) and exhibit increasingly diverse tradeoffs between iso- Unsafe ld/st lation, performance, and programmability. We argue that the Unsafe challenge of future runtime isolation is best met by embracing syscall()ld/st the multi-principle nature of applications, rethinking process Trusted Trusted read/ architecture for fast and extensible intra-process isolation. We IPC IPC write present, the Endokernel, a new process model and security Operating System architecture that nests an extensible monitor into the standard process for building efficient least-authority abstractions. The Endokernel introduces a new virtual machine abstraction for Figure 1: Problem: intra-process is bypassable because do- representing subprocess authority, which is enforced by an main is opaque to OS, sandbox limits functionality, and inter- efficient self-isolating monitor that maps the abstraction to process is slow and costly to apply. Red indicates limitations. system level objects (processes, threads, files, and signals). We show how the Endokernel Architecture can be used to develop enforces subprocess access control to memory and CPU specialized separation abstractions using an exokernel-like state [10, 17, 24, 25, 75].Unfortunately, these approaches only organization to provide virtual privilege rings, which we use virtualize minimal parts of the CPU and neglect tying their to reorganize and secure NGINX.
    [Show full text]
  • Impact Analysis of System and Network Attacks
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by DigitalCommons@USU Utah State University DigitalCommons@USU All Graduate Theses and Dissertations Graduate Studies 12-2008 Impact Analysis of System and Network Attacks Anupama Biswas Utah State University Follow this and additional works at: https://digitalcommons.usu.edu/etd Part of the Computer Sciences Commons Recommended Citation Biswas, Anupama, "Impact Analysis of System and Network Attacks" (2008). All Graduate Theses and Dissertations. 199. https://digitalcommons.usu.edu/etd/199 This Thesis is brought to you for free and open access by the Graduate Studies at DigitalCommons@USU. It has been accepted for inclusion in All Graduate Theses and Dissertations by an authorized administrator of DigitalCommons@USU. For more information, please contact [email protected]. i IMPACT ANALYSIS OF SYSTEM AND NETWORK ATTACKS by Anupama Biswas A thesis submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE in Computer Science Approved: _______________________ _______________________ Dr. Robert F. Erbacher Dr. Chad Mano Major Professor Committee Member _______________________ _______________________ Dr. Stephen W. Clyde Dr. Byron R. Burnham Committee Member Dean of Graduate Studies UTAH STATE UNIVERSITY Logan, Utah 2008 ii Copyright © Anupama Biswas 2008 All Rights Reserved iii ABSTRACT Impact Analysis of System and Network Attacks by Anupama Biswas, Master of Science Utah State University, 2008 Major Professor: Dr. Robert F. Erbacher Department: Computer Science Systems and networks have been under attack from the time the Internet first came into existence. There is always some uncertainty associated with the impact of the new attacks.
    [Show full text]
  • Security Now! #731 - 09-10-19 Deepfakes
    Security Now! #731 - 09-10-19 DeepFakes This week on Security Now! This week we look at a forced two-day recess of all schools in Flagstaff, Arizona, the case of a Ransomware operator being too greedy, Apple's controversial response to Google's posting last week about the watering hole attacks, Zerodium's new payout schedule and what it might mean, the final full public disclosure of BlueKeep exploitation code, some potentially serious flaws found and fixed in PHP that may require our listener's attention, some SQRL news, miscellany, and closing-the-loop feedback from a listener. Then we take our first look on this podcast into the growing problem and threat of "DeepFake" media content. All Flagstaff Arizona Schools Cancelled Thursday, August 5th And not surprisingly, recess is extended through Friday: https://www.fusd1.org/facts https://www.facebook.com/FUSD1/ ​ ​ And Saturday... Security Now! #730 1 And Sunday... Security News A lesson for greedy ransomware: Ask for too much… and you get nothing! After two months of silence, last Wednesday Mayor Jon Mitchell of New Bedford, Massachusetts held their first press conference to tell the interesting story of their ransomware attack... The city's IT network was hit with the Ryuk (ree-ook) ransomware which, by the way, Malwarebytes now places at the top of the list of file-encrypting malware targeting businesses. It'll be interesting to see whether So-Dino-Kee-Bee's affiliate marketing model is able to displace Ryuk. But, in any event, very fortunately for the city of New Bedford, hackers breached the city's IT network and got Ryuk running in the wee hours of the morning following the annual 4th of July holiday.
    [Show full text]
  • Rekstrarhandbók
    Vorönn 2017 T-404-LOKA, Lokaverkefni Rekstrarhandbók Ingþór Birkir Árnason Jan Hinrik Hansen Logi Guðmann Þorgrímur Jónasarson Kennari: Hallgrímur Arnalds Leiðbeinandi: Sigurjón Ingi Garðarsson Prófdómari: Símon Óttar Vésteinsson 12. maí 2017 Efnisyfirlit 1 Framendi 3 1.1 Dependencies 3 1.2 Uppsetning 3 1.3 Keyrsla 3 1.4 ESLint 4 1.5 Stílar 5 1.5.1 BEM - Block Element Modifier 5 1.5.2 StyleLint 5 1.5.3 Gulp task 5 2 Bakendi 6 2.1 Dependencies 6 2.2 Uppsetning 6 2.3 Handhægar upplýsingar 8 2.3.1 Admin aðgangur 8 2.3.2 Postman 8 2.4 PHPUnit 8 2.5 Documentation 9 3 Forritunarreglur 9 3.1 Almennar reglur 9 3.2 VueJS 9 3.3 CSS 10 3.4 PHP - Laravel 11 2 1 Framendi Framendinn er skrifaður í Vue.js með vue-webpack-boilerplate (https://github.com/vuejs-templates/webpack) sem grunn. ​ ​ 1.1 Dependencies Til þess að geta keyrt framendann er nauðsynlegt að hafa node og node package manager (npm). Hægt er að sækja node.js ásamt npm á Node.js heimasíðunni (https://nodejs.org/en/). ​ ​ 1.2 Uppsetning 1.) Sækja git repository-ið. git clone https://github.com/toggi737/Lokaverkefni_vue.git 2.) Setja upp nauðsynleg dependencies í gegnum npm. npm install 3.) Búa til dev.env.js skrá sem að inniheldur stillingar fyrir þína vél. Nauðsynlegt er að búa til dev.env.js skrá undir config möppunni sem að inniheldur upplýsingar um þann API sem að þú vilt nota. Það er hægt að gera með því að keyra cp dev.env.js.example dev.env.js í config möppunni.
    [Show full text]
  • Learning React Functional Web Development with React and Redux
    Learning React Functional Web Development with React and Redux Alex Banks and Eve Porcello Beijing Boston Farnham Sebastopol Tokyo Learning React by Alex Banks and Eve Porcello Copyright © 2017 Alex Banks and Eve Porcello. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/insti‐ tutional sales department: 800-998-9938 or [email protected]. Editor: Allyson MacDonald Indexer: WordCo Indexing Services Production Editor: Melanie Yarbrough Interior Designer: David Futato Copyeditor: Colleen Toporek Cover Designer: Karen Montgomery Proofreader: Rachel Head Illustrator: Rebecca Demarest May 2017: First Edition Revision History for the First Edition 2017-04-26: First Release See http://oreilly.com/catalog/errata.csp?isbn=9781491954621 for release details. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning React, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
    [Show full text]
  • React.Pdf Email: [email protected] Twitter: @Mark Volkmann Github: Mvolkmann Website
    Say “No” to Complexity! Mark Volkmann, Object Computing, Inc. http://ociweb.com/mark/MidwestJS/react.pdf Email: [email protected] Twitter: @mark_volkmann https://github.com/mvolkmann/react-examples GitHub: mvolkmann Website: http://ociweb.com/mark Copyright © 2015-2016 by Object Computing, Inc. (OCI) All rights reserved Intro. Meaning behind the talk title - 2 kinds of complexity other frameworks state management approaches: thunks, sagas, epics, effects, GraphQL, Relay, Falcor, ... Why are the slides so dense? Copyright © 2015-2016 by Object Computing, Inc. (OCI) React All rights reserved 2 What is OCI? Software development (on-site and off-site), consulting, and training Home of Grails, “An Open Source high-productivity framework for building fast and scalable web applications” Open Source Transformation Services helping clients move from commercial to open source software Industrial Internet of Things (IIoT) DevOps Copyright © 2015-2016 by Object Computing, Inc. (OCI) React All rights reserved 3 Overview ... Web app library from Facebook As of 8/6/16, React was reportedly used by Airbnb, Angie’s List, http://facebook.github.io/react/ Atlasssian, BBC, Capitol One, Clash of Focuses on view portion Clans, Codecademy, Coursera, Docker, Dropbox, Expedia, Facebook, Feedly, not full stack like other frameworks such as AngularJS and EmberJS Flipboard, HipChat, IMDb, Instagram, Intuit, Khan Academy, Lyft, New York use other libraries for non-view functionality Times, NFL, NHL, Netflix, Paypal, some are listed later Periscope, Reddit, Salesforce, Squarespace, Tesla Motors, Twitter, “One-way reactive data flow” Uber, Visa, WhatsApp, Wired, Wolfrum UI reacts to “state” changes Alpha, Wordpress, Yahoo, Zendesk, and many more. not two-way data binding like in AngularJS 1 Source: https://github.com/facebook/ what triggered a digest cycle? react/wiki/Sites-Using-React should I manually trigger it? easier to follow flow of data events -> state changes -> component rendering Copyright © 2015-2016 by Object Computing, Inc.
    [Show full text]
  • Exercises for Portfolio
    Faculty of Computing, Engineering and Technology Module Name: Operating Systems Module Number: CE01000-3 Title of Assessment: Portfolio of exercises Module Learning Outcomes for This Assessment 3. Apply to the solution of a range of problems, the fundamental concepts, principles and algorithms employed in the operation of a multi-user/multi-tasking operating systems. Hand in deadline: Friday 26th November, 2010. Assessment description Selected exercises from the weekly tutorial/practical class exercises are to be included in a portfolio of exercises to be submitted Faculty Office in a folder by the end of week 12 (Friday 26th November 2010). The weekly tutorial/practical exercises that are to be included in the portfolio are specified below. What you are required to do. Write up the selected weekly exercises in Word or other suitable word processor. The answers you submit should be your own work and not the work of any other person. Note the University policy on Plagiarism and Academic Dishonesty - see Breaches in Assessment Regulations: Academic Dishonesty - at http://www.staffs.ac.uk/current/regulations/academic/index.php Marks The marks associated with each selected exercise will be indicated when you are told which exercises are being selected. Week 1. Tutorial questions: 6. How does the distinction between supervisor mode and user mode function as a rudimentary form of protection (security) system? The operating system assures itself a total control of the system by establishing a set of privileged instructions only executable in supervisor mode. In that way the standard user won’t be able to execute these commands, thus the security.
    [Show full text]
  • The Quality Attribute Design Strategy for a Social Network Data Analysis System
    Rochester Institute of Technology RIT Scholar Works Theses 5-2016 The Quality Attribute Design Strategy for a Social Network Data Analysis System Ziyi Bai [email protected] Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Bai, Ziyi, "The Quality Attribute Design Strategy for a Social Network Data Analysis System" (2016). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. The Quality Attribute Design Strategy for a Social Network Data Analysis System by Ziyi Bai A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Software Engineering Supervised by Dr. Scott Hawker Department of Software Engineering B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of Technology Rochester, New York May 2016 ii The thesis “The Quality Attribute Design Strategy for a Social Network Data Analy- sis System” by Ziyi Bai has been examined and approved by the following Examination Committee: Dr. Scott Hawker Associate Professor Thesis Committee Chair Dr. Christopher Homan Associate Professor Dr. Stephanie Ludi Professor iii Acknowledgments Dr.Scott Hawker, I can confidently state that without your guidance I would not have accomplished my achievement. Your support has impacted my future for the better. Thank you for everything. Dr. Chris Homan, I am so thankful that you reached out to me and provided the requirements for this thesis.
    [Show full text]
  • A Universal Framework for (Nearly) Arbitrary Dynamic Languages Shad Sterling Georgia State University
    Georgia State University ScholarWorks @ Georgia State University Undergraduate Honors Theses Honors College 5-2013 A Universal Framework for (nearly) Arbitrary Dynamic Languages Shad Sterling Georgia State University Follow this and additional works at: https://scholarworks.gsu.edu/honors_theses Recommended Citation Sterling, Shad, "A Universal Framework for (nearly) Arbitrary Dynamic Languages." Thesis, Georgia State University, 2013. https://scholarworks.gsu.edu/honors_theses/12 This Thesis is brought to you for free and open access by the Honors College at ScholarWorks @ Georgia State University. It has been accepted for inclusion in Undergraduate Honors Theses by an authorized administrator of ScholarWorks @ Georgia State University. For more information, please contact [email protected]. A UNIVERSAL FRAMEWORK FOR (NEARLY) ARBITRARY DYNAMIC LANGUAGES (A THEORETICAL STEP TOWARD UNIFYING DYNAMIC LANGUAGE FRAMEWORKS AND OPERATING SYSTEMS) by SHAD STERLING Under the DireCtion of Rajshekhar Sunderraman ABSTRACT Today's dynamiC language systems have grown to include features that resemble features of operating systems. It may be possible to improve on both by unifying a language system with an operating system. Complete unifiCation does not appear possible in the near-term, so an intermediate system is desCribed. This intermediate system uses a common call graph to allow Components in arbitrary languages to interaCt as easily as components in the same language. Potential benefits of such a system include signifiCant improvements in interoperability,
    [Show full text]
  • Npm Packages As Ingredients: a Recipe-Based Approach
    npm Packages as Ingredients: a Recipe-based Approach Kyriakos C. Chatzidimitriou, Michail D. Papamichail, Themistoklis Diamantopoulos, Napoleon-Christos Oikonomou, and Andreas L. Symeonidis Electrical and Computer Engineering Dept., Aristotle University of Thessaloniki, Thessaloniki, Greece fkyrcha, mpapamic, thdiaman, [email protected], [email protected] Keywords: Dependency Networks, Software Reuse, JavaScript, npm, node. Abstract: The sharing and growth of open source software packages in the npm JavaScript (JS) ecosystem has been exponential, not only in numbers but also in terms of interconnectivity, to the extend that often the size of de- pendencies has become more than the size of the written code. This reuse-oriented paradigm, often attributed to the lack of a standard library in node and/or in the micropackaging culture of the ecosystem, yields interest- ing insights on the way developers build their packages. In this work we view the dependency network of the npm ecosystem from a “culinary” perspective. We assume that dependencies are the ingredients in a recipe, which corresponds to the produced software package. We employ network analysis and information retrieval techniques in order to capture the dependencies that tend to co-occur in the development of npm packages and identify the communities that have been evolved as the main drivers for npm’s exponential growth. 1 INTRODUCTION Given that dependencies and reusability have be- come very important in today’s software develop- The popularity of JS is constantly increasing, and ment process, npm registry has become a “must” along is increasing the popularity of frameworks for place for developers to share packages, defining code building server (e.g.
    [Show full text]
  • Principles of Operating Systems Name (Print): Fall 2019 Seat: SEAT Final
    Principles of Operating Systems Name (Print): Fall 2019 Seat: SEAT Final Left person: 12/13/2019 Right person: Time Limit: 8:00am { 10:00pm • Don't forget to write your name on this exam. • This is an open book, open notes exam. But no online or in-class chatting. • Ask us if something is confusing. • Organize your work, in a reasonably neat and coherent way, in the space provided. Work scattered all over the page without a clear ordering will receive very little credit. • Mysterious or unsupported answers will not receive full credit. A correct answer, unsupported by explanation will receive no credit; an incorrect answer supported by substan- tially correct explanations might still receive partial credit. • If you need more space, use the back of the pages; clearly indicate when you have done this. • Don't forget to write your name on this exam. Problem Points Score 1 10 2 15 3 15 4 15 5 17 6 15 7 4 Total: 91 Principles of Operating Systems Final - Page 2 of 12 1. Operating system interface (a) (10 points) Write code for a simple program that implements the following pipeline: cat main.c | grep "main" | wc I.e., you program should start several new processes. One for the cat main.c command, one for grep main, and one for wc. These processes should be connected with pipes that cat main.c redirects its output into the grep "main" program, which itself redirects its output to the wc. forked pid:811 forked pid:812 fork failed, pid:-1 Principles of Operating Systems Final - Page 3 of 12 2.
    [Show full text]