Supply chain research seeks out the software openings that attackers often exploit
WEST LAFAYETTE, Ind. — A computer system’s cybersecurity can be jeopardized by its own software as much as the questionable decisions made by computer users.
A Purdue University professor is focused on halting those software attacks, which statistics indicate are on the rise.
Santiago Torres Arias, an assistant professor of electrical and computer engineering at Purdue, said a cumulative increase of 500% in the number of software supply chain compromises is giving hackers the weak link they need to attack a system.
Torres Arias said that in a supply chain attack, hackers search a chain of software for the one program that is vulnerable and compromise it.
“Supply chain security compromises are attacks where someone targets the left side of the equation and how a piece of software is produced,” Torres Arias said. “They’re not targeting the people using the system, but rather the producers, so that when people then use the software themselves, the system is compromised.”
The 2020 attack on software developer SolarWinds is among the best known of these. In that case, hackers broke into the company’s systems and inserted code that was shipped to customers in software updates, creating a backdoor into a number of systems.
Torres Arias’s research focuses on software supply chain security, supplemented by work on password storage mechanisms and software update systems, with the goal of ensuring that the way people create software and hardware does not compromise the security and privacy of its eventual users.
He is a member of Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS) and a core developer or original creator of many software supply chain security tools hosted under the Linux Foundation.
Cybersecurity is a critical topic under Purdue’s Next Moves, the ongoing strategic initiatives that will advance the university’s competitive advantage. Cybersecurity research is a key component of Purdue’s National Security and Technology enterprise. Purdue’s cybersecurity research and educational initiatives are centered under CERIAS and its 135 affiliated faculty members from 18 academic departments.
With system compromises on the rise, Torres Arias expects changes in coming years that will tighten up the way software is produced.
“I expect that in 5-10 years we’ll start seeing more transparency and more expectations from market pressure, pushing the software producers to tighten their processes,” Torres Arias said, comparing it to consumers using tamper-proof seals on medication.
“The same thing would happen with software,” he said. “If we know the software is not produced securely, we’re not going to use it.”