Macaron

Macaron is a supply chain security analysis tool which focuses on the build integrity of an artifact and the artifact dependencies

Project Details

Macaron

Macaron

Macaron is a supply chain security analysis tool which focuses on the build integrity of an artifact and the artifact dependencies

Project Overview

Macaron is a supply chain security analysis tool from Oracle Labs, developed to identify and protect against software supply chain attacks targeting build processes. Macaron detects poorly maintained or malicious packages using a comprehensive set of checks within an extensible framework. Its key features include a source code finder, static analysis of CI/CD infrastructure, and detection of malicious behaviors. Additionally, Macaron provides detailed metadata to help users evaluate the reliability of its findings. The framework also includes a policy engine for integration into build pipelines, facilitating continuous monitoring of build processes and alerting users to any anomalies.

Learn more and get started with Macaron on GitHub, and check out the various tutorials available on our documentation website.

 

Principal Investigator

Behnaz Hassanshahi

Principal Researcher

Behnaz Hassanshahi is a Principal Researcher at Oracle Labs Australia. In her current role, Behnaz is leading the open-source project Macaron, an analysis tool for software supply chain security. She is also working on static security analysis of Oracle Cloud Infrastructure.

In her previous project, Behnaz was the technical lead of Gelato, a Dynamic Application Security Testing (DAST) tool that analyses client-side JavaScript applications to find security vulnerabilities both at the client and server side of web applications. Gelato is now used as a product in Oracle. During the past few years, Behnaz has also explored various static and dynamic analysis as well as fuzzing techniques to analyse client-side and server-side JavaScript programs.

This is her second stint at Oracle Labs. When Behnaz worked here in 2015 as an intern in the Java Vulnerability Detection team, she designed an adaptive points-to framework that scales over OpenJDK.

After graduating from Amirkabir University of Technology (Tehran) in 2010 with a Bachelor of Science (Software Engineering), Behnaz did her PhD at the National University of Singapore. While at NUS, she was also awarded the Singapore International Graduate Award, and was a member of the Security Research Group.

Her thesis topic – Characterization, Detection and Exploitation of Injection Attacks in Android – and the security research prepared her well for her work at Oracle.

Behnaz conducts research in the area of  program analysis and its intersection with computer security that will improve the security of large complex software.

Education:

* PhD in Computer Science, 2011-2016, National University of Singapore

* BSc in Software Engineering, 2006–2010, Amirkabir University of Technology

Recent and upcoming events:

USENIX Security'25 (PC member)

Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) 2024 (PC member)

USENIX Security'24 (PC member)

USENIX Security'23 (PC member) and received a Noteworthy Reviewer award

SecDev'22 (Publicity Chair)

ISSTA'22 (PC member)

iMentor, CCS'21 (Panelist)

SCAM'21 - Engineering Track (Program Chair)

ACSAC'21 (PC member)

SCAM'20 (PC member)

ACSAC'20 (PC member)

Publications