OSSFP: Precise and Scalable C/C++ Third-Party Library Detection using Fingerprinting Functions

Jian, Wu; Xu, Zhengzi; Tang, W.; Zhang, Lyuye; Wu, Yueming; Liu, C. X.; Sun, Kairan; Zhao, Lida; Liu, Yang

doi:10.1109/icse48619.2023.00034

Cited by 7 publications

(4 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, nano_node only reuses 8 functions from leveldb that causes the false positive. Note that the partial TPL reuse is generally the challenge of SCA [24,61,63], and other reasons for false negatives include missing the corresponding source functions due to decompilation errors and the capability of the model to retrieve similar functions.…”

Section: Results and Analysismentioning

confidence: 99%

“…Following previous works [57,61,63], we collect a large number of C/C++ open-source projects by crawling from GitHub repositories and source packages of the GNU/Linux community, and we obtain the dataset consisting of 12,013 TPLs, which is adequate for the SCA task [61]. Next, we extract 56,342,179 unique source functions 2 and derive the corresponding function embeddings based on the trained model which are stored persistently in the FAISS [26] database as the corpus.…”

Section: Tpl Dataset and Corpusmentioning

confidence: 97%

“…For instance, assuming a binary file only contains the TPL zlib as the component, other TPLs reusing zlib are also identified as the components owing to the common functions cloned from zlib. To alleviate the issue, we follow previous works [24,61,63] to filter TPLs based on the TPL dependency which exhibits the reuse relations across TPLs and only retain the reused ones. Specifically, we leverage TPLite [24], the state-of-the-art technique based on function birth time (i.e., the earliest release time) and hierarchical path information, to generate the TPL dependency in advance, which works as the additional input of SCA to help identify the reused TPLs.…”

Section: Locality-driven Matchingmentioning

confidence: 99%

See 2 more Smart Citations

BinaryAI: Binary Software Composition Analysis via Intelligent Binary Source Code Matching

Jiang,

An,

Huang

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

While third-party libraries (TPLs) are extensively reused to enhance productivity during software development, they can also introduce potential security risks such as vulnerability propagation. Software composition analysis (SCA), proposed to identify reused TPLs for reducing such risks, has become an essential procedure within modern DevSecOps. As one of the mainstream SCA techniques, binary-to-source SCA identifies the third-party source projects contained in binary files via binary source code matching, which is a major challenge in reverse engineering since binary and source code exhibit substantial disparities after compilation. The existing binary-to-source SCA techniques leverage basic syntactic features that suffer from redundancy and lack robustness in the large-scale TPL dataset, leading to inevitable false positives and compromised recall. To mitigate these limitations, we introduce BinaryAI, a novel binary-to-source SCA technique with two-phase binary source code matching to capture both syntactic and semantic code features. First, BinaryAI trains a transformer-based model to produce function-level embeddings and obtain similar source functions for each binary function accordingly. Then by applying the link-time locality to facilitate function matching, BinaryAI detects the reused TPLs based on the ratio of matched source functions. Our experimental results demonstrate the superior performance of BinaryAI in terms of binary source code matching and the downstream SCA

show abstract

Section: Results and Analysismentioning

confidence: 99%

Section: Tpl Dataset and Corpusmentioning

confidence: 97%

Section: Locality-driven Matchingmentioning

confidence: 99%

See 1 more Smart Citation

BinaryAI: Binary Software Composition Analysis via Intelligent Binary Source Code Matching

Jiang,

An,

Huang

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Tang et al [45] systematically studied the third-party reuse of C/C++ libraries in different formats. Wu et al [47] have emphasized the fingerprint functions in software component detection for the C ecosystem. Zimmermann et al Li et al [37] studied the stable features of component reuse in the Rust ecosystem.…”

Section: Related Workmentioning

confidence: 99%

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Hu,

Zhang,

Liu

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

Open-source software (OSS) greatly facilitates program development for developers. However, the high number of vulnerabilities in open-source software is a major concern, including in Golang, a relatively new programming language. In contrast to other commonly used OSS package managers, Golang presents a distinctive feature whereby commits are prevalently used as dependency versions prior to their integration into official releases. This attribute can prove advantageous to users, as patch commits can be implemented in a timely manner before the releases. However, Golang employs a decentralized mechanism for managing dependencies, whereby dependencies are upheld and distributed in separate repositories. This approach can result in delays in the dissemination of patches and unresolved vulnerabilities.To tackle the aforementioned concern, a comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang, commencing from its introduction and culminating with its rectification. To this end, a framework was established by gathering data from diverse sources and systematically amalgamating them with an algorithm to compute the lags in vulnerability patching. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. Within the vulnerability life cycle, we found two kinds of lag impeding the propagation of vulnerability fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.

show abstract

Empirical Study for Open Source Libraries in Automotive Software Systems

Zhang,

Ning,

et al. 2023

IEEE Access

View full text Add to dashboard Cite

Open-source software has revolutionized the field of software development, providing a collaborative and transparent approach that encourages knowledge sharing and innovation. However, the adoption of open-source software in automotive systems introduces security concerns that require careful scrutiny and management. While previous studies have investigated the general open-source software ecosystem, this paper focuses specifically on the unique characteristics and challenges of open-source software in automotive vehicles. To achieve these goals, we examine real-world examples and case studies to analyze the impact of opensource software on automotive systems. We extracted and collected 4092 open source components from real-world automotive firmware and compared the differences and similarities to 20010 commonly used components in operating systems such as Linux. The results show that the automotive firmware contains 79.8 open source components on average, which account for 15.84% of all binary files in the firmware. Moreover, 61.15% detected libraries are automotive-specific and are different from the commonly used components. By gaining insights this research provides valuable recommendations to improve automotive security by building the database of automotive-specific open source libraries.

show abstract

OSSFP: Precise and Scalable C/C++ Third-Party Library Detection using Fingerprinting Functions

Cited by 7 publications

References 42 publications

BinaryAI: Binary Software Composition Analysis via Intelligent Binary Source Code Matching

BinaryAI: Binary Software Composition Analysis via Intelligent Binary Source Code Matching

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Empirical Study for Open Source Libraries in Automotive Software Systems

Contact Info

Product

Resources

About