Characterizing Build Compromises Through Vulnerability Disclosure Analysis
Abstract: The software build process transforms source code into deployable artifacts, representing a critical yet vulnerable stage in software development. Build infrastructure security poses unique challenges: the complexity of multi-component systems (source code, dependencies, build tools), the difficulty of detecting intrusions during compilation, and prevalent build non-determinism that masks malicious modifications. Despite these risks, the security community lacks a systematic understanding of build-specific attack vectors, hindering effective defense design. This paper presents an empirically-derived taxonomy of attack vectors targeting the build process, constructed through a large-scale CVE mining (of 621 vulnerability disclosures from the NVD database). We categorize attack vectors by their injection points across the build pipeline, from source code manipulation to compiler compromise. To validate our taxonomy, we analyzed 168 documented software supply chain attacks, identifying 40 incidents specifically targeting build phases. Our analysis reveals that 23.8\% of supply chain attacks exploit build vulnerabilities, with dependency confusion and build script injection representing the most prevalent vectors. Dataset available at: https://anonymous.4open.science/r/Taxonomizing-Build-Attacks-8BB0.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.