The pull-based model in Open-Source Software (OSS) has enabled decentralized collaboration and major advancements, but it also opens the door to supply-chain attacks, where an attacker submits a malicious pull request with the intention of injecting malicious code into the codebase. Once a malicious pull request is merged, all downstream systems depending on the package may be compromised. This paper investigates the problem of assigning pull requests to maintainers in OSS packages from a game-theoretic standpoint. We model the problem as a two-player (defender and attacker) general-sum game with partial observability in which the attacker submits malicious pull requests while the defender assigns pull requests to available maintainers. The model captures critical features such as the availability of the maintainers, their expertise, and the quantity and severity of the pull requests. Many of those features can be publicly inferred. Accordingly, we develop deep reinforcement learning-based algorithms within the Policy-Space Response Oracle (PSRO) framework to derive potent strategies for both players, addressing the complexity of the formulation and the explosion of state and action spaces. We assess the behavior of the derived policies on two real-world Python packages with different sizes. We show that the policies obtained outperform other assignment strategies.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

PuRe Defender: A Game-Theoretic Pull Request Assignment with Deep RL

  • Javad Mokhtari Koushyar,
  • Mina Guirguis,
  • George Atia

摘要

The pull-based model in Open-Source Software (OSS) has enabled decentralized collaboration and major advancements, but it also opens the door to supply-chain attacks, where an attacker submits a malicious pull request with the intention of injecting malicious code into the codebase. Once a malicious pull request is merged, all downstream systems depending on the package may be compromised. This paper investigates the problem of assigning pull requests to maintainers in OSS packages from a game-theoretic standpoint. We model the problem as a two-player (defender and attacker) general-sum game with partial observability in which the attacker submits malicious pull requests while the defender assigns pull requests to available maintainers. The model captures critical features such as the availability of the maintainers, their expertise, and the quantity and severity of the pull requests. Many of those features can be publicly inferred. Accordingly, we develop deep reinforcement learning-based algorithms within the Policy-Space Response Oracle (PSRO) framework to derive potent strategies for both players, addressing the complexity of the formulation and the explosion of state and action spaces. We assess the behavior of the derived policies on two real-world Python packages with different sizes. We show that the policies obtained outperform other assignment strategies.