Research
Context Matters
To appear at the 2025 USENIX Security Symposium
Software Composition Analysis (SCA) is often discussed in software supply chain security. SCA tools are used to identify vulnerabilities in third-party software.
Some prior work has looked into how well SCA tools perform. However, there is little understanding of the user experience with SCA tools:
- How are SCA tools integrated into the CI/CD pipeline?
- What challenges arise when scaling SCA tools to large organizations?
- How can SCA tools be improved for better vulnerability management?
We talked to 20 industry professionals and discovered a lack of context along the entire SCA deployment process. In short, we find the following:
- SCA alerts are too generic and lack infrastructure, network configuration, reachability, and exploitability context.
- Integrating SCA tools into pipelines can halt development if builds fail on every SCA alert.
- Scaling SCA across multiple teams and projects can result in communication overhead. Large organizations develop custom tooling around SCA tool results to better manage and triage the alerts.
See my talk @ VulnCon 2025
Context Matters: Qualitative Insights into Developers’ Approaches and Challenges with Software Composition Analysis
UntrustIDE
Distinguished Paper Award @ NDSS Symposium 2024
VS Code is the most popular IDE among developers. In this study we examine its extension ecosystem, the VS Code Marketplace. In the first ecosystem-wide study of its kind, we proposed a threat model and identified vulnerabilities across the ecosystem using taint analysis with CodeQL. With our custom CodeQL queries, we identified and verified vulnerabilities, with proof-of-concept exploits, in 21 extensions, impacting 6 million users.
Elizabeth Lin, Igibek Koishybayev, Trevor Dunlap, William Enck, and Alexandros Kapravelos. UntrustIDE: Exploiting Vulnerabilities in VS Code Extensions
Don’t want to read the full paper? My short blog post includes an overview of our methods, findings, and an example of how a vulnerable data flow in an extension could lead to code execution.
Also see my talk at NDSS here
Software Bill of Materials (SBoMs)
A grey literature review was conducted on articles relating to the benefits and challenges of SBoMs.
The top 5 benefits and challenges are outlined in the following article.
Nusrat Zahan, Elizabeth Lin, Mahzabin Tamanna, William Enck, and Laurie Williams. Software Bills of Materials Are Required. Are We There Yet? IEEE Security & Privacy 21, no. 2 (2023): 82-88.
VFCFinder
A tool that generates the top 5 candidate vulnerability-fixing commits (VFCs) for a given security advisory.
VFCFinder was used to backfill over 300 missing VFCs in the GitHub Security Advisory (GHSA) database.
Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves. VFCFinder: Seamlessly Pairing Security Advisories and Patches