From 32e5fa64294e1e77b59115fe4c8c87792de775d1 Mon Sep 17 00:00:00 2001 From: Aman Sharma Date: Mon, 1 Sep 2025 10:55:17 -0400 Subject: [PATCH 1/2] add AOT Cache reader topic --- master-thesis.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/master-thesis.md b/master-thesis.md index ad19a9f..22efc71 100644 --- a/master-thesis.md +++ b/master-thesis.md @@ -6,6 +6,18 @@ title: Open Master Thesis Topics in Project Chains Project Chains hosts master's students for their theses, here are available topics. See [main page](/) for completed theses. +### Ahead of Time Compilation Cache Analysis +Contact: Aman Sharma + +[JEP 483](https://openjdk.org/jeps/483) introduced a performance optimization technique to improve startup time. +It allowed creating an "AOT" cache which stores the compiled versions of commonly loaded classfiles. +In this thesis, we will explore the commonly loaded classfile by implementing an AOT Cache reader. +Next, we can analyze how are synthetically generated classfiles handled. +Another question to investigate is if this cache can be repurposed as an allowlist of classes similar to the concept of BOMI in SBOM.exe [1]. + +[1] [SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java](https://arxiv.org/abs/2407.00246) + +
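Review bot: the sentence "It allowed creating an "AOT" cache which stores the compiled versions of commonly loaded classfiles" misdescribes what the linked JEP 483 provides; that JEP covers ahead-of-time class loading and linking, not compiled code, so "stores classes that were loaded and linked during a training run" would be accurate and would not lead readers to expect JIT output in the cache. The next two lines need grammar fixes: "explore the commonly loaded classfile" should be "classfiles", and "analyze how are synthetically generated classfiles handled" should read "analyze how synthetically generated classfiles are handled". The allowlist question in the last sentence would also be clearer with a clause stating what the allowlist is meant to stop (the dynamic code injection that reference [1] targets), so the security motivation of the topic is explicit rather than implied by the citation title.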

Trust Assumptions and Threats in Build Attestation System

Contact: Larissa Schmid

Description: From 7337cc8c5fff5a401b454df7e67f99a37de305bf Mon Sep 17 00:00:00 2001 From: Aman Sharma Date: Mon, 1 Sep 2025 11:12:46 -0400 Subject: [PATCH 2/2] add follow-up of maven class hijacking --- master-thesis.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/master-thesis.md b/master-thesis.md index 22efc71..732b3ae 100644 --- a/master-thesis.md +++ b/master-thesis.md @@ -6,6 +6,27 @@ title: Open Master Thesis Topics in Project Chains Project Chains hosts master's students for their theses, here are available topics. See [main page](/) for completed theses. +### How prevalent is Maven Class Hijacking? +Contact: Aman Sharma, Frank Reyes Garçia + +Maven Class Hijacking [1] is a supply chain attack where a legitimiate Java class deep in the dependency tree can act malicious by shadowing a legitimate Java class that one declares directly. +We want to explore how prevalent the condition "infection dependency precedes the gadget dependency" is. +In this thesis, we will construct a dataset of Maven projects to answer the above question. +The two criteria of the dataset can be 1) duplication of fully qualified names of class across two different dependencies. +2) dependencies that could become infectious by analyzing social engineering proxies such as no commits in the past 10 years. +In the paper [1], we also recommend a mitigation for this attack. +We would like to know how prevalent this mitigation is and in what cases it can break the build leading to a false-positive. + +[1] [Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order](https://arxiv.org/abs/2407.18760) + +Related Work: + +[2] [Will Dependency Conflicts Affect My Program's Semantics?](https://ieeexplore.ieee.org/document/9350237) + +[3] [DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers](http://arxiv.org/abs/2402.18401) + + + ### Ahead of Time Compilation Cache Analysis Contact: Aman Sharma
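Review bot: the attack definition in the first added sentence is self-contradictory: a "legitimiate Java class deep in the dependency tree" that "can act malicious by shadowing a legitimate Java class" cannot be legitimate itself; rewrite as "a class shipped by a dependency deep in the tree can shadow a legitimate class that the project declares directly, and is then loaded in its place" (and fix the spelling of "legitimate"). The two dataset criteria are split across two sentences with "1)" ending one and "2)" starting the next; put them in a numbered list, and say what "social engineering proxies such as no commits in the past 10 years" are a proxy for (a dependency that could be taken over), since as written the link to social engineering is not obvious. The sentence "In the paper [1], we also recommend a mitigation for this attack" should name the mitigation, because the following research question (how often it breaks the build and produces a false positive) cannot be evaluated without knowing what it is; "false-positive" needs no hyphen as a noun.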