Saved in:
Bibliographic Details
Main Authors: Pappas, Brent, Gazzillo, Paul
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.08995
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914254740783104
author Pappas, Brent
Gazzillo, Paul
author_facet Pappas, Brent
Gazzillo, Paul
contents Open source C code underpins society's computing infrastructure. Decades of work has helped harden C code against attackers, but C projects do not consist of only C code. C projects also contain build system code for automating development tasks like compilation, testing, and packaging. These build systems are critcal to software supply chain security and vulnerable to being poisoned, with the XZ Utils and SolarWinds attacks being recent examples. Existing techniques try to harden software supply chains by verifying software dependencies, but such methods ignore the build system itself. Similarly, classic software security checkers only analyze and monitor program code, not build system code. Moreover, poisoned build systems can easily circumvent tools for detecting program code vulnerabilities by disabling such checks. We present development phase isolation, a novel strategy for hardening build systems against poisoning by modeling the information and behavior permissions of build automation as if it were program code. We have prototyped this approach as a tool called Foreman, which successfully detects and warns about the poisoned test files involved in the XZ Utils attack. We outline our future plans to protect against pipeline poisoning by automatically checking development phase isolation. We envision a future where build system security checkers are as prevalent as program code checkers.
format Preprint
id arxiv_https___arxiv_org_abs_2601_08995
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Build Code is Still Code: Finding the Antidote for Pipeline Poisoning
Pappas, Brent
Gazzillo, Paul
Software Engineering
Open source C code underpins society's computing infrastructure. Decades of work has helped harden C code against attackers, but C projects do not consist of only C code. C projects also contain build system code for automating development tasks like compilation, testing, and packaging. These build systems are critcal to software supply chain security and vulnerable to being poisoned, with the XZ Utils and SolarWinds attacks being recent examples. Existing techniques try to harden software supply chains by verifying software dependencies, but such methods ignore the build system itself. Similarly, classic software security checkers only analyze and monitor program code, not build system code. Moreover, poisoned build systems can easily circumvent tools for detecting program code vulnerabilities by disabling such checks. We present development phase isolation, a novel strategy for hardening build systems against poisoning by modeling the information and behavior permissions of build automation as if it were program code. We have prototyped this approach as a tool called Foreman, which successfully detects and warns about the poisoned test files involved in the XZ Utils attack. We outline our future plans to protect against pipeline poisoning by automatically checking development phase isolation. We envision a future where build system security checkers are as prevalent as program code checkers.
title Build Code is Still Code: Finding the Antidote for Pipeline Poisoning
topic Software Engineering
url https://arxiv.org/abs/2601.08995