A Screening Test for Software Vulnerabilities
Software vendors that consume thousands of Free and Open Source Software (FOSS) components and offer more than a decade of support and security fixes are expected to react quickly to disclosed vulnerabilities—in some cases, such as Heartbleed, within hours.
This seems infeasible, in particular because software vendors need to know rather precisely whether their product is affected by a vulnerability in a third-party component: if it is not, they want to be able to reassure their customers that they are not affected either. If it is, they want to be able to fix the security vulnerability quickly and with the least possible impact on existing functionality (and the least effort for both the software vendor and its customers). So, how can we solve this problem?
To help software vendors, we propose a screening test: a novel, automatic method based on thin slicing for quickly estimating whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository.
Our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework), scanning thousands of commits and several hundred thousand lines of code in minutes. Further, based on 166 FOSS projects, we provide insights on the empirical probability that a potentially vulnerable component is not actually vulnerable after all.
Sounds too good to be true? Indeed, our approach is not meant to replace traditional static analysis methods that rely on precise but costly semantic analysis (e.g., symbolic execution). Instead, we aim for a fast alternative that deliberately trades accuracy for speed: our industry partner uses it not as a replacement for static analysis but to prioritize the versions on which static analysis should be applied first, i.e., those most at risk.
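As an added illustration of the idea behind such a screening test (example code written for this post, not the foss-vuln-tracker implementation or the paper's thin-slicing algorithm): it takes the lines that a security fix deleted or rewrote as "vulnerability evidence" and reports, for each version in a constructed sample history, whether that evidence is still present. The real tool works on git histories and uses thin slicing; this toy matches whitespace-normalized text only, which is why it refuses fixes that merely insert lines.

```python
import difflib
from typing import Dict, List, Set

def _norm(line: str) -> str:
    # Collapse whitespace so re-indented copies of a line still match.
    return " ".join(line.split())

def fix_evidence(before: List[str], after: List[str]) -> Set[str]:
    """Lines the security fix deleted or rewrote: the 'vulnerability evidence'
    whose presence in another version suggests that version is affected too."""
    evidence: Set[str] = set()
    for tag, i1, i2, _, _ in difflib.SequenceMatcher(None, before, after).get_opcodes():
        if tag in ("replace", "delete"):
            evidence.update(_norm(l) for l in before[i1:i2] if l.strip())
    if not evidence:
        # A fix that only inserts lines (e.g. a new check) leaves nothing to
        # match on; that case needs real slicing, which this toy does not do.
        raise ValueError("fix removes no lines; textual evidence is empty")
    return evidence

def evidence_ratio(source: List[str], evidence: Set[str]) -> float:
    """Fraction of the evidence lines that survive in one version's source."""
    present = {_norm(l) for l in source}
    return len(evidence & present) / len(evidence)

def screen(versions: Dict[str, List[str]], before: List[str], after: List[str],
           threshold: float = 0.5) -> Dict[str, str]:
    """Verdict per version: versions without the evidence are reported as likely
    not affected; the others are queued for precise (and costly) analysis."""
    ev = fix_evidence(before, after)
    return {v: "potentially vulnerable" if evidence_ratio(src, ev) >= threshold
            else "likely not affected" for v, src in versions.items()}

# Constructed sample history of one function (not taken from any real project).
VULN = ["int read_record(const char *buf) {", "    char tmp[64];",
        "    strcpy(tmp, buf);", "    return parse(tmp);", "}"]
FIXED = VULN[:2] + ["    snprintf(tmp, sizeof(tmp), \"%s\", buf);"] + VULN[3:]
HISTORY = {
    "1.0": ["int read_record(const char *buf) {", "    return parse(buf);", "}"],
    "1.1": VULN,
    "1.2": ["/* refactored */"] + [l.replace("    ", "\t") for l in VULN],
    "2.0": FIXED,
}

if __name__ == "__main__":
    for version, verdict in screen(HISTORY, VULN, FIXED).items():
        print(f"{version}: {verdict}")
```

Version 1.0 predates the vulnerable code and 2.0 carries the fix, so only 1.1 and 1.2 would be handed to the expensive analysis.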
Want to know more and are you attending ICSE? You are in luck: we will present this work at ICSE 2019 in the “Journal First” category. If you are not attending ICSE, do not worry: you can look up all the details in our TSE paper [1].
Updates:
- The paper was selected as one of the Highlights from ICSE 2019.
- The implementation is available at: https://git.logicalhacking.com/FLOSS-Security/foss-vuln-tracker.