ShiftLeft: Securing the Software Supply Chain by Code-centric Analysis

The ShiftLeft project seeks to transform the security of Software Supply Chains (SSCs) by introducing a declarative code-centric platform supporting continuous security analysis. It incorporates foundational frameworks, novel abstractions combining static and dynamic techniques, and human-in-the-loop feedback with AI-driven prioritization metrics. The project’s objectives include developing expressive security models, building a scalable security analysis platform, and creating an open-source security dashboard integrated into the software development lifecycle for real-world SSCs.

ShiftLeft is funded by the Wallenberg AI, Autonomous Systems and Software Program (WASP) via the NEST (Novelty, Excellence, Synergy, and Teams) instrument. The project is lead by the PI, Prof. Musard Balliu (KTH Royal Institute of Technology). The co-PIs are Prof. Alexandre Bartel (Umeå University), Prof. Christoph Reichenbach (Lund University), Prof. David Sands and Prof. Rebekka Wohlrab (Chalmers University of Technology). The industrial partners are Cparta Cyber Defense, Debricked, Ericsson, Recorded Futures, and SEB. Read more

News Corner

• We are excited to host a half day workshop on web and software supply chain security on October 31, 2024. Read More
• We are excited to host the kickoff workshop for the ShiftLeft project on October 25, 2024, at Cybercampus Sverige. Read More
• SiKai Lu joined the project as a doctoral student. He will be supervised by Musard Balliu.
• Raffaela Groner joined the project as a Postdoctoral researcher hosted by Rebekka Wohlrab.
• ShiftLeft’s PI Rebekka Wohlrab awarded by WASP as Alumni of the Year 2023 for outstanding research in the engineering of self-adaptive systems. Congratulations Rebekka.

Team ShiftLeft

• Principal Investigators: Musard Balliu, Alexandre Bartel, Christoph Reichenbach, David Sands, Rebekka Wohlrab
• PostDocs: Raffaela Groner, Timothé Riom
• PhD students: Eric Cornelissen, SiKai Lu, Mikhail Shcherbakov, Erik Söderholm Präntare
• Research assistants: Diogo Torres Correia

Open Positions

• We are continuously looking for PhD students, postdocs, and research engineers Get in touch!
• We are looking for a PhD student at Lund University. Deadline: 30 April 2024 - (Closed)
• We are looking for a PhD student at KTH. Deadline: April 30, 2024 - Apply now (Closed)
• We are looking for a PhD student at Chalmers. Deadline: April 2, 2024 - Apply now (Closed)

Mailing List

If you are interested in keepping tab on our research, feel free to drop an email to SiKai Lu and ask him to add your name on the mailing list. Also, please don’t be hesitant to send an email to shiftleft@kth.se if you feel the need of contacting us.

Publications

• Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis Mikhail Shcherbakov, Paul Moosbrugger, Musard Balliu. The Web Conference (WWW’24), 2024.
• GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes Eric Cornelissen, Mikhail Shcherbakov, Musard Balliu. Usenix Security Symposium (Usenix Sec’24), 2024.
• Analyzing Prerequisites of known Deserialization Vulnerabilities on Java Applications Bruno Kreyßig, Alexandre Bartel. International Conference on Evaluation and Assessment in Software Engineering (EASE’24), 2024.
• Clog: A Declarative Language for C Static Code Checkers Alexandru Dura, Christoph Reichenbach. International Conference on Compiler Construction (CC’24), 2024.
• JavaDL: Automatically Incrementalizing Java Bug Pattern Detection Alexandru Dura, Christoph Reichenbach, Emma Söderberg. in Proceedings of the ACM on Programming Languages (OOPSLA’21), 2021

Software and Datasets

• Dasty
• Silent Spring
• Dataset of Server-Side Prototype Pollution vulnerabilities
• Clog
• JavaDL
• ExtendJ Extensible Java Compiler

Supporting Institutions

This site is open source. Improve this page.