Merged
33 changes: 33 additions & 0 deletions master-thesis.md
Expand Up @@ -6,6 +6,39 @@ title: Open Master Thesis Topics in Project Chains

Project Chains hosts master's students for their theses, here are available topics. See [main page](/) for completed theses.

### How prevalent is Maven Class Hijacking?
Contact: Aman Sharma, Frank Reyes Garçia

Maven Class Hijacking [1] is a supply chain attack where a legitimiate Java class deep in the dependency tree can act malicious by shadowing a legitimate Java class that one declares directly.
We want to explore how prevalent the condition "infection dependency precedes the gadget dependency" is.
In this thesis, we will construct a dataset of Maven projects to answer the above question.
The two criteria of the dataset can be 1) duplication of fully qualified names of class across two different dependencies.
2) dependencies that could become infectious by analyzing social engineering proxies such as no commits in the past 10 years.
In the paper [1], we also recommend a mitigation for this attack.
We would like to know how prevalent this mitigation is and in what cases it can break the build leading to a false-positive.

[1] [Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order](https://arxiv.org/abs/2407.18760)

Related Work:

[2] [Will Dependency Conflicts Affect My Program's Semantics?](https://ieeexplore.ieee.org/document/9350237)

[3] [DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers](http://arxiv.org/abs/2402.18401)



### Ahead of Time Compilation Cache Analysis
Contact: Aman Sharma

[JEP 483](https://openjdk.org/jeps/483) introduced a performance optimization technique to improve startup time.
It allowed creating an "AOT" cache which stores the compiled versions of commonly loaded classfiles.
In this thesis, we will explore the commonly loaded classfile by implementing an AOT Cache reader.
Next, we can analyze how are synthetically generated classfiles handled.
Another question to investigate is if this cache can be repurposed as an allowlist of classes similar to the concept of BOMI in SBOM.exe [1].

[1] [SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java](https://arxiv.org/abs/2407.00246)


<h3 >Trust Assumptions and Threats in Build Attestation System</h3>
Contact: Larissa Schmid
<p>Description:
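Review bot: the two new topic entries need some wording, definition and formatting fixes before merge. In the Maven Class Hijacking paragraph, "legitimiate" should be "legitimate" and "can act malicious" should be "can act maliciously"; the terms "infection dependency" and "gadget dependency" in the quoted condition are taken from [1] but never defined on this page, so a one-line definition (which dependency carries the shadowing class and which one is shadowed) would help a prospective student; and the two dataset criteria are currently split across two lines as "1) ... " and "2) ...", which would read better as a numbered list. In the AOT cache paragraph, "explore the commonly loaded classfile" should be plural and "how are synthetically generated classfiles handled" should be "how synthetically generated classfiles are handled"; also double-check the description "stores the compiled versions of commonly loaded classfiles" against the linked JEP 483, which describes the cache as holding classes in loaded and linked form rather than compiled code. On style, the added entries use `###` markdown headings while the existing entry that follows uses `<h3>`, so the file should settle on one heading convention, and the "[1]" reference numbering restarting in each topic is confusing when the entries are read as one page. Finally, please confirm the spelling of the contact name "Frank Reyes Garçia".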