Third-party software components like Log4J accelerate software application development but introduce substantial risk. These components have led to many software supply chain attacks. These attacks succeed because third-party software components are implicitly trusted in an application. Although several security defenses exist to reduce the risks from third-party software components, none of them fulfills the full set of requirements needed to defend against common attacks. No individual solution prevents malicious access to operating system resources, is dependency-aware, and enables the discovery of least privileges, all with low runtime costs. Consequently, they cannot prevent software supply chain attacks. This paper proposes applying the NIST Zero Trust Architecture (ZTA) to software applications. Our Zero Trust Dependencies concept applies the NIST ZTA principles to an application's dependencies. First, we assess the expected effectiveness and feasibility of Zero Trust Dependencies using a study of third-party software components and their vulnerabilities. Then, we present a system design, ZTDSYS, that enables the application of Zero Trust Dependencies to software applications and a prototype, ZTDJAVA, for Java applications. Finally, with evaluations on recreated vulnerabilities and realistic applications, we show that ZTDJAVA can defend against prevalent vulnerability classes, introduces negligible cost, and is easy to configure and use.
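The three requirements named above (blocking a dependency's access to OS resources, attributing each access to the dependency that requested it, and discovering the least privileges it actually needs) can be sketched in a few lines. The following is an added illustration of the Zero Trust Dependencies idea, not the paper's ZTDJAVA or ZTDSYS code: the `DependencyGuard` class, its `Resource` categories, the `FakeLogger` stand-in dependency and the class-name-prefix policy are all assumptions made for the example.

```java
import java.util.*;

// Illustration of the Zero Trust Dependencies idea (added example, not the paper's ZTDJava code).
// A dependency is identified by a class-name prefix and is granted only the OS resources listed
// for it; every request is attributed to the requesting dependency via the call stack, and
// discovery mode records usage instead of blocking so a least-privilege policy can be derived.
public class DependencyGuard {
    enum Resource { FILE_READ, FILE_WRITE, NETWORK, PROCESS }

    private final Map<String, Set<Resource>> policy = new LinkedHashMap<>();   // grants
    private final Map<String, Set<Resource>> observed = new LinkedHashMap<>(); // requests seen
    private final boolean discovery;

    DependencyGuard(boolean discovery) { this.discovery = discovery; }

    void grant(String depPrefix, Resource... rs) {
        policy.computeIfAbsent(depPrefix, k -> EnumSet.noneOf(Resource.class)).addAll(List.of(rs));
    }

    // Map a class on the call stack to its dependency; null means application code (trusted).
    private String dependencyOf(String className) {
        for (String prefix : policy.keySet()) if (className.startsWith(prefix)) return prefix;
        return null;
    }

    // Called at the boundary to an OS resource. The first dependency frame on the stack is the
    // requester; unless in discovery mode, anything outside its grant is refused.
    void check(Resource r) {
        String dep = StackWalker.getInstance().walk(frames -> frames
            .map(StackWalker.StackFrame::getClassName)
            .map(this::dependencyOf)
            .filter(Objects::nonNull)
            .findFirst()
            .orElse(null));
        if (dep == null) return;
        observed.computeIfAbsent(dep, k -> EnumSet.noneOf(Resource.class)).add(r);
        if (!discovery && !policy.get(dep).contains(r))
            throw new SecurityException(dep + " requested " + r + " without a grant");
    }

    Map<String, Set<Resource>> observedPrivileges() { return observed; }

    // Constructed stand-in for a third-party logging dependency (nested so the file compiles alone).
    static class FakeLogger {
        void log(DependencyGuard g, String msg) {
            g.check(Resource.FILE_WRITE); // writing the log file: within its grant
            g.check(Resource.NETWORK);    // opening a socket: not granted, so refused
        }
    }

    public static void main(String[] args) {
        DependencyGuard guard = new DependencyGuard(false);
        guard.grant("DependencyGuard$FakeLogger", Resource.FILE_WRITE);
        try { new FakeLogger().log(guard, "hello"); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
        System.out.println("observed: " + guard.observedPrivileges());
    }
}
```

Running the same code with `new DependencyGuard(true)` blocks nothing and leaves `observedPrivileges()` holding exactly the resource set the dependency used, which is the least-privilege grant to write into the policy.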