ChainFuzz: Exploiting Upstream Vulnerabilities in Open-Source Supply Chains

Software supply chain attacks pose an increasingly severe threat to the security of downstream software worldwide. A common method to mitigate these risks is Software Composition Analysis (SCA), which helps developers identify vulnerable dependencies. However, studies show that popular SCA approaches often suffer from high false positive rates. As a result, developers spend significant time manually validating these alerts, which delays the detection and remediation of genuinely exploitable upstream vulnerabilities.

In this paper, we propose ChainFuzz, an automated approach for validating upstream vulnerabilities in downstream software by generating Proof-of-Concepts (PoCs). To achieve this, ChainFuzz addresses three key challenges. First, intra-layer code and constraints. Downstream software introduces custom code and sanity checks that significantly alter the triggering paths and conditions of upstream vulnerabilities. Second, inter-layer dependencies. Software supply chains often involve cross-layer control-flow and data-flow dependencies between conditional statements across different layers. Third, long supply chains. Transitive dependencies in long chains result in intricate exploitation paths, making it challenging to explore large code spaces and handle deeply nested constraints effectively.

We comprehensively evaluate ChainFuzz using our dataset, which comprises 66 unique vulnerability and supply chain combinations. Our results demonstrate its effectiveness and practicality in generating PoCs for both direct and transitive vulnerable dependencies. Additionally, we compare ChainFuzz with representative fuzzing tools: AFLGo, AFL++, and NestFuzz, highlighting its superior performance in downstream PoC generation.