ShiftLeft: Securing the Software Supply Chain by Code-centric Analysis
The ShiftLeft project seeks to transform the security of Software Supply Chains (SSCs) by introducing a declarative code-centric platform supporting continuous security analysis. It incorporates foundational frameworks, novel abstractions combining static and dynamic techniques, and human-in-the-loop feedback with AI-driven prioritization metrics. The project’s objectives include developing expressive security models, building a scalable security analysis platform, and creating an open-source security dashboard integrated into the software development lifecycle for real-world SSCs.
ShiftLeft is funded by the Wallenberg AI, Autonomous Systems and Software Program (WASP) via the NEST (Novelty, Excellence, Synergy, and Teams) instrument. The project is led by the PI, Musard Balliu (KTH Royal Institute of Technology). The co-PIs are Alexandre Bartel (Umeå University), Christoph Reichenbach (Lund University), David Sands, and Rebekka Wohlrab (Chalmers University of Technology). The industrial partners are Cparta Cyber Defense, Debricked, Ericsson, Recorded Future, and SEB.
Members
- Principal Investigators: Musard Balliu, Alexandre Bartel, Christoph Reichenbach, David Sands, Rebekka Wohlrab
- PostDocs: Mohammad Ahmadpanah, Timothé Riom
- PhD students: Joel Nyholm, Anton Risberg Alaküla, Momina Rizwan, Yufei Wu, Bruno Kreyßig, Sabine Houy, Eric Cornelissen, SiKai Lu, Erik Söderholm Präntare, Janek Stoppkotte
- M.Sc. students: Anton Skorup, Joakim Svensson, Melker Henriksson, Fredrik Gölman, Rafael Serra e Oliveira
- Alumni: Idriss Riouak (PhD 2024), Mikhail Shcherbakov (PhD 2024), Alexandru Dura (PhD 2025), Diogo Torres Correia (Amanuensis 2024, MSc 2025), Raffaela Groner (PostDoc 2024-2025), Mateus Monteiro Marinheiro (MSc 2025)
Publications
Theses
- Fully Declarative Specification of Static Code Checkers, Alexandru Dura, PhD Thesis, May 2025.
- To Secure a Flow: From Specification to Enforcement of Information Flow Control, Amir M. Ahmadian, PhD Thesis, March 2025.
- Code-Reuse Attacks in Managed Programming Languages and Runtimes, Mikhail Shcherbakov, PhD Thesis, November 2024.
- Towards Declarative Specification of Static Analysis for Programming Tools, Idriss Riouak, PhD Thesis, November 2024.
Research Papers
2025
- NodeShield: Runtime Enforcement of Security-Enhanced SBOMs for Node.js. Eric Cornelissen, Musard Balliu. ACM Conference on Computer and Communications Security (CCS’25), 2025.
- Trust and Verify: Formally Verified and Upgradable Trusted Functions. Marcus Birgersson, Cyrille Artho, Musard Balliu. International Conference on Software Maintenance and Evolution (ICSME’25), 2025.
- TAPShield: Securing Trigger-Action Platforms against Strong Attackers. Mojtaba Moazen, Nicolae Paladi, Adnan Jamil Ahsan, Musard Balliu. IEEE European Symposium on Security and Privacy (EuroS&P’25), 2025.
- Evaluating the Maintainability of Forward-Porting Vulnerabilities in Fuzzer Benchmarks. Timothée Riom, Sabine Houy, Bruno Kreyssig, Alexandre Bartel. International Conference on Software Maintenance and Evolution (ICSME’25), 2025.
- Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities. Bruno Kreyssig, Alexandre Bartel. ACM International Conference on the Foundations of Software Engineering (FSE’25), 2025 [Distinguished Paper Award 🏆].
- Securing P4 Programs by Information Flow Control. Anoud Alshnakat, Amir M. Ahmadian, Musard Balliu, Roberto Guanciale, Mads Dam. Computer Security Foundations Symposium (CSF’25), 2025.
- Dynamic Dependency-Based Purity Checking. Anton Risberg Alaküla, Niklas Fors, Christoph Reichenbach. ACM SIGPLAN International Conference on Software Language Engineering (SLE’25), 2025.
- IntraJ: An On-demand Framework for Intraprocedural Java Code Analysis. Idriss Riouak, Niklas Fors, Görel Hedin, Christoph Reichenbach. International Journal on Software Tools for Technology Transfer (STTT’25), 2025.
2024
- Guidelines for Supporting Software Engineers in Developing Secure Web Applications. Klara Svensson, Drake Axelrod, Mazen Mohamad, Rebekka Wohlrab. International Conference on Product-Focused Software Process Improvement (PROFES’24), 2024 [Best Paper Award 🏆].
- Efficient Demand Evaluation of Fixed-Point Attributes using Static Analysis. Idriss Riouak, Niklas Fors, Jesper Öqvist, Görel Hedin, Christoph Reichenbach. International Conference on Software Language Engineering (SLE’24), 2024 [Distinguished Paper Award and Distinguished Artifact Award 🏆].
- Meta-Adaptation Goals: Leveraging Feedback Loop Requirements for Effective Self-Adaptation. Raffaela Groner, Ricardo Diniz Caldas, Rebekka Wohlrab. IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C’24), 2024.
- GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes. Eric Cornelissen, Mikhail Shcherbakov, Musard Balliu. USENIX Security Symposium (USENIX Sec’24), 2024.
- Security Properties through the Lens of Modal Logic. Matvey Soloviev, Musard Balliu, Roberto Guanciale. Computer Security Foundations Symposium (CSF’24), 2024.
- Increasing the Confidence in Security Assurance Cases using Game Theory. Antonia Welzel, Rebekka Wohlrab, Mazen Mohamad. International Conference on Availability, Reliability and Security (ARES’24), 2024.
- Analyzing Prerequisites of Known Deserialization Vulnerabilities on Java Applications. Bruno Kreyssig, Alexandre Bartel. International Conference on Evaluation and Assessment in Software Engineering (EASE’24), 2024.
- Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis. Mikhail Shcherbakov, Paul Moosbrugger, Musard Balliu. The Web Conference (WWW’24), 2024.
- Clog: A Declarative Language for C Static Code Checkers. Alexandru Dura, Christoph Reichenbach. ACM SIGPLAN International Conference on Compiler Construction (CC’24), 2024.
If you are interested in staying up to date with our research, email SiKai Lu and ask to be added to the mailing list shiftleft@kth.se. For any other matter, please feel free to contact us.