Modern software stacks are built on open-source components distributed through package managers and automated pipelines. Our work studies how security mechanisms behave in practice, how vulnerabilities propagate through dependency graphs, and how adversaries abuse trust in the supply chain — from forged signatures to compromised package registries.
Package signing is increasingly promoted as a supply-chain integrity control, yet its real-world adoption and enforcement remain poorly understood. This work measures how signature verification is implemented across major package ecosystems, identifying systematic gaps between declared security posture and actual enforcement that attackers can exploit to distribute tampered packages undetected.
Backup systems are a last line of defense against data loss from ransomware and supply-chain attacks, yet empirical data on how users actually configure and rely on them is scarce. This study characterizes real-world backup behavior — revealing mismatches between user assumptions and actual recoverability that undermine the effectiveness of backup-based defenses.