Using Program Analysis to Identify the Use of Vulnerable Functions

Rasmus Hagberg; Martin Hell; Christoph Reichenbach

doi:10.5220/0010548205230530

Using Program Analysis to Identify the Use of Vulnerable Functions

Rasmus Hagberg, Martin Hell, Christoph Reichenbach

Research output: Chapter in Book/Report/Conference proceeding › Paper in conference proceeding › peer-review

Abstract

Open-Source Software (OSS) is increasingly used by software applications. It allows for code reuse, but also comes with the problem of potentially being affected by the vulnerabilities that are found in the OSS libraries. With large numbers of OSS components and a large number of published vulnerabilities, it becomes challenging to identify and analyze which OSS components need to be patched and updated. In addition to matching vulnerable libraries to those used in software products, it is also necessary to analyze if the vulnerable functionality is actually used by the software. This process is both time-consuming and error-prone. Automating this process presents several challenges, but has the potential to significantly decrease vulnerability exposure time. In this paper, we propose a modular framework for analyzing if software code is using the vulnerable part of a library, by analyzing and matching the call graphs of the software with changes resulting from security patches. Further, we provide an implementation of the framework targeting Java and the Maven dependency management system. This allows us to identify 20% of the dependencies in our sample projects as false positives. We also identify and discuss challenges and limitations in our approach

Original language	English
Title of host publication	18th International Conference on Security and Cryptography, SECRYPT 2021
Publisher	INSTICC Press
Pages	520-530
ISBN (Print)	978-989758524-1
DOIs	https://doi.org/10.5220/0010548205230530
Publication status	Published - 2021

Subject classification (UKÄ)

Computer Engineering
Software Engineering
Computer Sciences

Access to Document

10.5220/0010548205230530

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden
Hell, M. (PI), Magnusson, B. (PI), Gehrmann, C. (CoI), Paladi, N. (Researcher), Karlsson, L. (Researcher), Sönnerup, J. (Researcher), Johnsson, B. A. (Researcher), Hedin, G. (Researcher), Nordahl, M. (Researcher), Pagnin, E. (Researcher), Kundu, R. (Researcher), Åkesson, A. (Researcher), Stankovski Wagner, P. (Researcher) & Ramezanian, S. (Researcher)
Swedish Foundation for Strategic Research, SSF
2018/03/01 → 2024/12/31
Project: Research
WASP startup package Christoph Reichenbach
Reichenbach, C. (Researcher)
2017/10/16 → 2021/10/15
Project: Research

Cite this

@inproceedings{3dad7fa029604633927f082230f16580,

title = "Using Program Analysis to Identify the Use of Vulnerable Functions",

abstract = "Open-Source Software (OSS) is increasingly used by software applications. It allows for code reuse, but also comes with the problem of potentially being affected by the vulnerabilities that are found in the OSS libraries. With large numbers of OSS components and a large number of published vulnerabilities, it becomes challenging to identify and analyze which OSS components need to be patched and updated. In addition to matching vulnerable libraries to those used in software products, it is also necessary to analyze if the vulnerable functionality is actually used by the software. This process is both time-consuming and error-prone. Automating this process presents several challenges, but has the potential to significantly decrease vulnerability exposure time. In this paper, we propose a modular framework for analyzing if software code is using the vulnerable part of a library, by analyzing and matching the call graphs of the software with changes resulting from security patches. Further, we provide an implementation of the framework targeting Java and the Maven dependency management system. This allows us to identify 20% of the dependencies in our sample projects as false positives. We also identify and discuss challenges and limitations in our approach",

author = "Rasmus Hagberg and Martin Hell and Christoph Reichenbach",

year = "2021",

doi = "10.5220/0010548205230530",

language = "English",

isbn = "978-989758524-1",

pages = "520--530",

booktitle = "18th International Conference on Security and Cryptography, SECRYPT 2021",

publisher = "INSTICC Press",

}

TY - GEN

T1 - Using Program Analysis to Identify the Use of Vulnerable Functions

AU - Hagberg, Rasmus

AU - Hell, Martin

AU - Reichenbach, Christoph

PY - 2021

Y1 - 2021

N2 - Open-Source Software (OSS) is increasingly used by software applications. It allows for code reuse, but also comes with the problem of potentially being affected by the vulnerabilities that are found in the OSS libraries. With large numbers of OSS components and a large number of published vulnerabilities, it becomes challenging to identify and analyze which OSS components need to be patched and updated. In addition to matching vulnerable libraries to those used in software products, it is also necessary to analyze if the vulnerable functionality is actually used by the software. This process is both time-consuming and error-prone. Automating this process presents several challenges, but has the potential to significantly decrease vulnerability exposure time. In this paper, we propose a modular framework for analyzing if software code is using the vulnerable part of a library, by analyzing and matching the call graphs of the software with changes resulting from security patches. Further, we provide an implementation of the framework targeting Java and the Maven dependency management system. This allows us to identify 20% of the dependencies in our sample projects as false positives. We also identify and discuss challenges and limitations in our approach

AB - Open-Source Software (OSS) is increasingly used by software applications. It allows for code reuse, but also comes with the problem of potentially being affected by the vulnerabilities that are found in the OSS libraries. With large numbers of OSS components and a large number of published vulnerabilities, it becomes challenging to identify and analyze which OSS components need to be patched and updated. In addition to matching vulnerable libraries to those used in software products, it is also necessary to analyze if the vulnerable functionality is actually used by the software. This process is both time-consuming and error-prone. Automating this process presents several challenges, but has the potential to significantly decrease vulnerability exposure time. In this paper, we propose a modular framework for analyzing if software code is using the vulnerable part of a library, by analyzing and matching the call graphs of the software with changes resulting from security patches. Further, we provide an implementation of the framework targeting Java and the Maven dependency management system. This allows us to identify 20% of the dependencies in our sample projects as false positives. We also identify and discuss challenges and limitations in our approach

U2 - 10.5220/0010548205230530

DO - 10.5220/0010548205230530

M3 - Paper in conference proceeding

SN - 978-989758524-1

SP - 520

EP - 530

BT - 18th International Conference on Security and Cryptography, SECRYPT 2021

PB - INSTICC Press

ER -

Using Program Analysis to Identify the Use of Vulnerable Functions

Abstract

Subject classification (UKÄ)

Access to Document

Fingerprint

Projects

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden

WASP startup package Christoph Reichenbach

Cite this