An Analysis of the Arduino Software Supply Chain

Date
2023-05
Authors
Smith, Cheyenne
Major Professor
Zambreno, Joseph
Abstract
There are hundreds, if not thousands, of microcontrollers (MCs) to choose from in the marketplace today when building projects. One of the most common platforms that beginner programmers start with is Arduino. Most programmers new to Arduino add and download libraries to get their projects working without knowing what else they are downloading along with those libraries. This can cause large numbers of dependent libraries to be downloaded for a single source library, creating a complex software supply chain that may contain potentially vulnerable links. In this paper, we explore how many kinds of dependencies occur between Arduino libraries, both official and community developed. We explored how the Arduino libraries themselves are set up within their Git repositories to declare dependencies on other libraries. We then investigated those dependent libraries to see whether they had any further dependencies of their own. Once we had investigated all the declared dependencies of the libraries, we also investigated the header files of each library for any additional dependencies within those files. Each dependency found adds another location from which an attacker could mount an attack, damaging any project that uses the corrupted library. We also investigated the number of contributors to each library to get a sense of how many authors worked on each supply chain, and looked at the total number of lines of code to get an idea of the size of each supply chain. Finally, we looked at the most recent commit date of each library to find potentially outdated libraries within a supply chain.
Type
creative component
Copyright
2023