Third-party libraries like Log4j accelerate software application development but introduce substantial risk. Vulnerabilities in these libraries have led to Software Supply Chain (SSC) attacks that compromised resources within the host system. These attacks benefit from current application permission approaches: third-party libraries are implicitly trusted in the application runtime. An application runtime designed with Zero-Trust Architecture (ZTA) principles (secure access to resources, continuous monitoring, and least-privilege enforcement) could mitigate SSC attacks, as it would give zero implicit trust to these libraries. However, no individual security defense incorporates these principles at a low runtime cost. This paper proposes Zero-Trust Dependencies to mitigate SSC vulnerabilities: we apply the NIST ZTA to software applications. First, we assess the expected effectiveness and configuration cost of Zero-Trust Dependencies using a study of third-party software libraries and their vulnerabilities. Then, we present a system design, ZTD$_{SYS}$, that enables the application of Zero-Trust Dependencies to software applications, and a prototype, ZTD$_{JAVA}$, for Java applications. Finally, with evaluations on recreated vulnerabilities and realistic applications, we show that ZTD$_{JAVA}$ can defend against prevalent vulnerability classes, introduces negligible cost, and is easy to configure and use.
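The abstract's central idea is that a third-party library should hold no implicit permission on the host: each dependency is granted only the resource capabilities it needs, every access decision is recorded, and anything not granted is denied. The following Python sketch, added here as an illustration and not the paper's ZTD$_{JAVA}$ mechanism, shows one way such a policy can be enforced at runtime. It attributes a guarded resource access to the dependency packages active on the call stack (in the manner of classic Java stack inspection, where every frame's domain must hold the permission) and keeps an audit trail. The package names `vendor_log` and `vendor_lookup`, the capability names and the in-memory file table are all constructed for the example.

```python
"""Illustration of deny-by-default, per-dependency resource policy.
Not the paper's ZTD_JAVA implementation; names and resources are constructed."""
import sys
import types

FS_READ = "fs.read"            # constructed capability names
NET_CONNECT = "net.connect"

# Constructed in-memory stand-in for host files so the example runs offline.
FILES = {"/opt/app/log.conf": "level=info"}

POLICY = None  # set by demo(); the guarded accessors below consult it


class ZeroTrustPolicy:
    """Grants capabilities to named dependency packages; everything else is denied."""

    def __init__(self, grants):
        self.grants = {pkg: set(caps) for pkg, caps in grants.items()}
        self.audit = []  # continuous monitoring: every decision is recorded

    def _dependencies_on_stack(self):
        # Walk outward from the guarded accessor and collect every governed
        # package that is active. Frames belonging to no governed package are
        # treated as application code (the trusted principal).
        frame = sys._getframe(2)
        active = []
        while frame is not None:
            top = frame.f_globals.get("__name__", "").split(".")[0]
            if top in self.grants and top not in active:
                active.append(top)
            frame = frame.f_back
        return active

    def check(self, capability, target):
        active = self._dependencies_on_stack()
        # Every dependency on the stack must hold the capability, so one library
        # cannot obtain access by routing the call through another.
        denied = [p for p in active if capability not in self.grants[p]]
        self.audit.append((tuple(active), capability, target, "deny" if denied else "allow"))
        if denied:
            raise PermissionError(f"{denied[0]} lacks {capability} for {target}")


# Guarded resource accessors shared by the application and its dependencies.
def read_file(path):
    POLICY.check(FS_READ, path)
    return FILES[path]


def open_connection(host):
    POLICY.check(NET_CONNECT, host)
    return f"connected:{host}"  # simulated; no real socket is opened


# Constructed "third-party libraries", loaded as real modules so that their
# frames carry the package name the policy keys on.
DEPENDENCY_SOURCES = {
    "vendor_log": '''
def log_event(msg):
    # Only ever needs its own configuration file.
    return read_file("/opt/app/log.conf") + " | " + msg
''',
    "vendor_lookup": '''
def expand(msg):
    # Tries to resolve a remote reference embedded in the message, the kind of
    # implicit capability a zero-trust policy does not grant by default.
    if msg.startswith("${") and msg.endswith("}"):
        return open_connection(msg[2:-1])
    return msg
''',
}


def load_dependency(name):
    mod = types.ModuleType(name)
    mod.read_file = read_file
    mod.open_connection = open_connection
    exec(DEPENDENCY_SOURCES[name], mod.__dict__)
    return mod


def demo():
    """Run both libraries under a least-privilege policy and return the outcomes."""
    global POLICY
    POLICY = ZeroTrustPolicy({"vendor_log": {FS_READ}, "vendor_lookup": set()})
    log, lookup = load_dependency("vendor_log"), load_dependency("vendor_lookup")
    results = {"log": log.log_event("started")}           # allowed: fs.read granted
    try:
        results["lookup"] = lookup.expand("${remote.example/ref}")
    except PermissionError as e:                            # denied: no net.connect
        results["lookup"] = f"denied: {e}"
    results["app"] = read_file("/opt/app/log.conf")         # application code: no library on stack
    results["audit"] = list(POLICY.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The policy table is the configuration cost the abstract refers to: one line per dependency listing the capabilities it legitimately needs, with the audit list giving the monitoring signal a defender would forward to logging. A real enforcement point would hook the language runtime's actual file and socket operations rather than wrapper functions.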