Alice Bibaud

Cybersecurity Engineer @ Margin Research

Reagent: Catalyzing Bad Actor Discovery in Open Source


Alice Bibaud is a Cybersecurity Engineer at Margin Research, specializing in backend engineering and data science. She works with her colleagues every day to catch bad actors in open source, a space she hopes to spread awareness about through her work at Margin.


As the open source software (OSS) landscape continues to expand, it becomes a larger playground for cyber adversaries, posing a remarkable challenge for maintaining national cybersecurity. In this enlightening and (hopefully) occasionally humorous talk, we delve into Reagent, Margin Research’s trailblazing open source analysis platform, and how it leverages socio-technical analytics to unveil suspicious activities within OSS projects.

Reagent represents a significant evolution in analyzing the complex social dynamics of software development. By integrating graph databases with specialized algorithms and Python heuristics, Reagent transforms how organizations detect and avert threats lurking within vast volumes of OSS contributions. Illustrating its cutting-edge functionalities, we share captivating case studies, such as the infamous “XZ Hack”, revealing how Reagent pinpointed bad actors amidst tens of thousands of contributors through adversarial correlation techniques, natural language processing, and anomaly detection.

Guided by an automated approach that analyzes cross-repository metadata using the latest and greatest algorithmic technologies, Reagent not only detects low-profile yet high-risk users, identifies how palatable a threat is to adversaries, and discovers one-off commits made by aliased Git users, but also shines the spotlight on suspicious code contributions and maintainers. From in-depth timezone analysis, to drive-by commit discovery, to sentiment analysis in messages to high-level maintainers, we prove that having the right toolbox can expose even the most sophisticated false users behind supply chain intrusions.

Through the lens of technical storytelling, you’ll see not just the software's prowess, but also how the human touch remains indispensable to bad actor discovery. Reagent's versatile queries unearth potential concerns within email domains, timezone spoofing, and coding behavior purity. They also leave room for humor, such as the bewildering choices of developers to commit code in the future and to maintain widely used packages under the moniker “meow”, without losing their grip on critical analytics. Additionally, we aim to highlight the ongoing research in vulnerability and bad actor discovery within the open source community by showing that we’re continually modifying our approach in response to new threats, as we either discover them in our database or read about them in the news.

In our concluding reflections, the talk emphasizes the vital role of platforms like Reagent in safeguarding OSS integrity. With real-world applications and a dash of wit, we affirm that combating cyber threats in the digital age requires not just powerful algorithms, but creative and strategic thinking.