ShiftLeft: Securing the Software Supply Chain by Code-centric Analysis
The ShiftLeft project seeks to transform the security of Software Supply Chains (SSCs) by introducing a declarative code-centric platform supporting continuous security analysis. It incorporates foundational frameworks, novel abstractions combining static and dynamic techniques, and human-in-the-loop feedback with AI-driven prioritization metrics. The project’s objectives include developing expressive security models, building a scalable security analysis platform, and creating an open-source security dashboard integrated into the software development lifecycle for real-world SSCs.
ShiftLeft is funded by the Wallenberg AI, Autonomous Systems and Software Program (WASP) via the NEST (Novelty, Excellence, Synergy, and Teams) instrument. The project is led by the PI, Prof. Musard Balliu (KTH Royal Institute of Technology). The co-PIs are Prof. Alexandre Bartel (Umeå University), Prof. Christoph Reichenbach (Lund University), Prof. David Sands and Prof. Rebekka Wohlrab (Chalmers University of Technology). The industrial partners are Cparta Cyber Defense, Debricked, Ericsson, Recorded Future, and SEB.
News Corner
Team ShiftLeft
- Principal Investigators: Musard Balliu, Alexandre Bartel, Christoph Reichenbach, David Sands, Rebekka Wohlrab
- PostDocs: Mohammad Ahmadpanah, Raffaela Groner, Timothé Riom
- PhD students: Joel Nyholm, Anton Risberg Alaküla, Momina Rizwan, Yufei Wu, Bruno Kreyßig, Sabine Houy, Eric Cornelissen, SiKai Lu, Erik Söderholm Präntare
- M.Sc. students: Anton Skorup, Joakim Svensson, Melker Henriksson, Diogo Torres Correia, Fredrik Gölman, Mateus Monteiro Marinheiro, Rafael Serra e Oliveira
- Alumni: Idriss Riouak, Alexandru Dura, Mikhail Shcherbakov (PhD 2024), Diogo Torres Correia (Amanuensis 2024)
Open Positions
- We are continuously looking for PhD students, postdocs, and research engineers. Get in touch!
- We are looking for a PhD student at Lund University. Deadline: 30 April 2024 (Closed)
- We are looking for a PhD student at KTH. Deadline: April 30, 2024 (Closed)
- We are looking for a PhD student at Chalmers. Deadline: April 2, 2024 (Closed)
Mailing List
If you are interested in keeping tabs on our research, feel free to drop an email to SiKai Lu and ask him to add your name to the mailing list. You can also reach us directly at shiftleft@kth.se.
Publications
- Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities. Bruno Kreyßig, Alexandre Bartel. ACM International Conference on the Foundations of Software Engineering (FSE'25), June 2025. Distinguished Paper Award.
- Securing P4 Programs by Information Flow Control. Anoud Alshnakat, Amir M. Ahmadian, Musard Balliu, Roberto Guanciale, Mads Dam. Computer Security Foundations Symposium (CSF'25), June 2025.
- Dynamic Dependency-Based Purity Checking. Anton Risberg Alaküla, Niklas Fors, Christoph Reichenbach. ACM SIGPLAN International Conference on Software Language Engineering (SLE'25), June 2025.
- IntraJ: An On-Demand Framework for Intraprocedural Java Code Analysis. Idriss Riouak, Niklas Fors, Görel Hedin, Christoph Reichenbach. International Journal on Software Tools for Technology Transfer (STTT'25), January 2025.
- Guidelines for Supporting Software Engineers in Developing Secure Web Applications. Klara Svensson, Drake Axelrod, Mazen Mohamad, Rebekka Wohlrab. International Conference on Product-Focused Software Process Improvement (PROFES'24), November 2024. Best Paper Award.
- Efficient Demand Evaluation of Fixed-Point Attributes using Static Analysis. Idriss Riouak, Niklas Fors, Jesper Öqvist, Görel Hedin, Christoph Reichenbach. International Conference on Software Language Engineering (SLE'24), October 2024. Distinguished Paper Award and Distinguished Artifact Award.
- Meta-Adaptation Goals: Leveraging Feedback Loop Requirements for Effective Self-Adaptation. Raffaela Groner, Ricardo Diniz Caldas, Rebekka Wohlrab. IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C'24), September 2024.
- GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes. Eric Cornelissen, Mikhail Shcherbakov, Musard Balliu. USENIX Security Symposium (USENIX Sec'24), August 2024.
- Security Properties through the Lens of Modal Logic. Matvey Soloviev, Musard Balliu, Roberto Guanciale. Computer Security Foundations Symposium (CSF'24), July 2024.
- Increasing the Confidence in Security Assurance Cases using Game Theory. Antonia Welzel, Rebekka Wohlrab, Mazen Mohamad. 19th International Conference on Availability, Reliability and Security (ARES'24), July 2024.
- Analyzing Prerequisites of Known Deserialization Vulnerabilities on Java Applications. Bruno Kreyßig, Alexandre Bartel. International Conference on Evaluation and Assessment in Software Engineering (EASE'24), June 2024. Distinguished Paper Award.
- Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis. Mikhail Shcherbakov, Paul Moosbrugger, Musard Balliu. The Web Conference (WWW'24), May 2024.
- Clog: A Declarative Language for C Static Code Checkers. Alexandru Dura, Christoph Reichenbach. 33rd ACM SIGPLAN International Conference on Compiler Construction (CC'24), February 2024.
- JavaDL: Automatically Incrementalizing Java Bug Pattern Detection. Alexandru Dura, Christoph Reichenbach, Emma Söderberg. Proceedings of the ACM on Programming Languages (OOPSLA'21), 2021.
Software and Datasets
- Dasty
- Silent Spring
- Dataset of Server-Side Prototype Pollution vulnerabilities
- Clog
- JavaDL
- ExtendJ Extensible Java Compiler
Supporting Institutions