Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries

Duan, Ruian; Bijlani, Ashish; Yang, Ji; Alrawi, Omar; Xiong, Yiyuan; Ike, Moses; Saltaformaggio, Brendan; Lee, Wenke

doi:10.14722/ndss.2019.23126

Cited by 31 publications

(27 citation statements)

References 45 publications

(66 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, we determined that the function-level granularity was most balanced: reasonable scalability (see Section V-C), fewer false positives and false negatives than the line-level and filelevel granularity, respectively (the benefits of the function-level granularity have been discussed in previous studies [4], [5], [10], [15], specifically, VUDDY [4] introduced the scalability and accuracy comparisons between function-units and other units in detail).…”

Section: Discussionmentioning

confidence: 99%

“…As the term "OSS reuse" refers to utilizing all or some OSS functionalities [5], [13], [14], we determined that function units are more appropriate for detecting various OSS reuse patterns compared to other units. With less granularity (e.g., a file), Ce n t r i s can identify components faster than when using function units, however, Ce n t r i s may miss partial reuses especially when only some functions in a file were reused in the target software (the benefits of function units have been discussed in previous studies [4], [5], [10], [15]). In light of this, Ce n t r i s extracts functions from all versions of the OSS in our dataset using a function parser (see Section IV), and performs lightweight text preprocessing to normalize the function by removing comments, tabs, linefeed, and whitespaces, which are easy to change but do not affect program semantics.…”

Section: A Overviewmentioning

confidence: 99%

See 1 more Smart Citation

CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse

Woo¹,

Park²,

Kim

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Open-source software (OSS) is widely reused as it provides convenience and efficiency in software development. Despite evident benefits, unmanaged OSS components can introduce threats, such as vulnerability propagation and license violation. Unfortunately, however, identifying reused OSS components is a challenge as the reused OSS is predominantly modified and nested. In this paper, we propose CENTRIS, a precise and scalable approach for identifying modified OSS reuse. By segmenting an OSS code base and detecting the reuse of a unique part of the OSS only, CENTRIS is capable of precisely identifying modified OSS reuse in the presence of nested OSS components. For scalability, CENTRIS eliminates redundant code comparisons and accelerates the search using hash functions. When we applied CENTRIS on 10,241 widely-employed GitHub projects, comprising 229,326 versions and 80 billion lines of code, we observed that modified OSS reuse is a norm in software development, occurring 20 times more frequently than exact reuse. Nonetheless, CENTRIS identified reused OSS components with 91% precision and 94% recall in less than a minute per application on average, whereas a recent clone detection technique, which does not take into account modified and nested OSS reuse, hardly reached 10% precision and 40% recall.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: A Overviewmentioning

confidence: 99%

CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse

Woo¹,

Park²,

Kim

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…One way of obtaining the list of compiled source files is to hook the build process (Duan et al 2019). Taking into account the low success rate of auto-build (Shahkar 2016;Yuan et al 2019;Duan et al 2017) and the very time-consuming manual build, we inventively use clustering analysis (K-means Clustering 2020) and decision tree (Decision tree 2020) to predict compiled source files and extract features from them.…”

Section: How To Design Detection Methods To Improve the Precision Of Version Identification?mentioning

confidence: 99%

“…Compilation-related files can be obtained by hooking the build process as done in autopatch (Duan et al 2019). For the purpose of version identification, we need to build multiple OSS projects.…”

Section: Compilation-related Filesmentioning

confidence: 99%

B2SMatcher: fine-Grained version identification of open-Source software in binary files

Ban

Xiao

et al. 2021

Cybersecur

View full text Add to dashboard Cite

Codes of Open Source Software (OSS) are widely reused during software development nowadays. However, reusing some specific versions of OSS introduces 1-day vulnerabilities of which details are publicly available, which may be exploited and lead to serious security issues. Existing state-of-the-art OSS reuse detection work can not identify the specific versions of reused OSS well. The features they selected are not distinguishable enough for version detection and the matching scores are only based on similarity.This paper presents B2SMatcher, a fine-grained version identification tool for OSS in commercial off-the-shelf (COTS) software. We first discuss five kinds of version-sensitive code features that are trackable in both binary and source code. We categorize these features into program-level features and function-level features and propose a two-stage version identification approach based on the two levels of code features. B2SMatcher also identifies different types of OSS version reuse based on matching scores and matched feature instances. In order to extract source code features as accurately as possible, B2SMatcher innovatively uses machine learning methods to obtain the source files involved in the compilation and uses function abstraction and normalization methods to eliminate the comparison costs on redundant functions across versions. We have evaluated B2SMatcher using 6351 candidate OSS versions and 585 binaries. The result shows that B2SMatcher achieves a high precision up to 89.2% and outperforms state-of-the-art tools. Finally, we show how B2SMatcher can be used to evaluate real-world software and find some security risks in practice.

show abstract

“…None of the above solutions focuses on patching third-party libraries inside user apps. OSSPATCHER [23] targets at third-party libraries, but only open-sourced C/C++ libraries are concerned. There are also more works [24], [26] that automatically generate patches from source code.…”

Section: B Software Patching Techniquesmentioning

confidence: 99%

Up-To-Crash: Evaluating Third-Party Library Updatability on Android

Huang

Borges

Bugiel

et al. 2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Buggy and flawed third-party libraries increase their host app's attack surface and put the users' privacy at risk. To avert this risk, libraries have to be kept updated to their newest versions by the app developers that integrate them into their projects. Recent researches revealed that the prevalence of outdated third-party libraries in Android apps is indeed a rampant problem, but also suggested that there is a great opportunity for drop-in replacements of outdated libraries, which would not even require cooperation by the app developers to update the libraries. However, all those conclusions are based on static app analysis, which can only provide an abstract view.In this work, we extend the updatability analysis to the runtime of apps. We implement a solution to update third-party libraries with drop-in replacements by their newer versions. To verify the feasibility of this developer-independent update mechanism, we dynamically test 3,000 real world apps for 3 popular libraries (78 library versions) for runtime failures stemming from incompatible library updates. To investigate the updatability of libraries in-depth, exploration enhanced dynamic testing is adopted to monitor the runtime behaviors of 15 apps before and after library updating. From our test, we find that the prior reported updatability rate is under real conditions overestimated by a factor of 1.57-2.06. Through root cause analysis, we find that the underlying problems prohibiting easy updates are intricate, such as deprecated functions, changed data structures, or entangled dependencies between different libraries and even the host app. We think our results not only put a more realistic light on the library updatability problem in Android, but also provide valuable insights for future solutions that provide automatic library updates or that try to support the app developers in better maintaining their external dependencies.

show abstract

Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries

Cited by 31 publications

References 45 publications

CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse

CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse

B2SMatcher: fine-Grained version identification of open-Source software in binary files

Up-To-Crash: Evaluating Third-Party Library Updatability on Android

Contact Info

Product

Resources

About