Using Program Analysis to Identify the Use of Vulnerable Functions

Research output: Chapter in Book/Report/Conference proceedingPaper in conference proceedingpeer-review

Abstract

Open-Source Software (OSS) is increasingly used by software applications. It allows for code reuse, but also comes with the problem of potentially being affected by the vulnerabilities that are found in the OSS libraries. With large numbers of OSS components and a large number of published vulnerabilities, it becomes challenging to identify and analyze which OSS components need to be patched and updated. In addition to matching vulnerable libraries to those used in software products, it is also necessary to analyze if the vulnerable functionality is actually used by the software. This process is both time-consuming and error-prone. Automating this process presents several challenges, but has the potential to significantly decrease vulnerability exposure time. In this paper, we propose a modular framework for analyzing if software code is using the vulnerable part of a library, by analyzing and matching the call graphs of the software with changes resulting from security patches. Further, we provide an implementation of the framework targeting Java and the Maven dependency management system. This allows us to identify 20% of the dependencies in our sample projects as false positives. We also identify and discuss challenges and limitations in our approach
Original languageEnglish
Title of host publication18th International Conference on Security and Cryptography, SECRYPT 2021
PublisherINSTICC Press
Pages520-530
ISBN (Print)978-989758524-1
DOIs
Publication statusPublished - 2021

Subject classification (UKÄ)

  • Computer Engineering
  • Software Engineering
  • Computer Science

Fingerprint

Dive into the research topics of 'Using Program Analysis to Identify the Use of Vulnerable Functions'. Together they form a unique fingerprint.

Cite this