A Screening Test for Software Vulnerabilities

Software vendors that consume thousands of Free and Open Source Software (FOSS) components and offer more than a decade of support and security fixes are expected to react quickly to disclosed vulnerabilities; in some cases, such as Heartbleed, within hours.

This seems infeasible, in particular because software vendors need to know rather precisely whether their product is affected by a vulnerability in a third-party component or not: if they are not affected, they want to be able to reassure their customers that they are not affected either. If they are affected, they want to fix the security vulnerability quickly and with the least possible impact on existing functionality (and the least effort for both the software vendor and its customers). So, how can we solve this problem?

To help software vendors, we propose a screening test: a novel automatic method, based on thin slicing, for quickly estimating whether a given vulnerability is present in a consumed FOSS component by examining its entire repository.

Our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, etc.), scanning thousands of commits and several hundred thousand lines of code in minutes. Further, across 166 FOSS projects, we provide empirical estimates of the probability that a potentially vulnerable component is not actually vulnerable after all.

Sounds too good to be true? Indeed, our approach is not aimed at replacing traditional static analysis methods that rely on precise but costly semantic analysis (e.g., symbolic execution). Instead, we aim for a fast alternative that deliberately trades accuracy for speed. Our industry partner does not apply it as a replacement for traditional static analysis, but to prioritize which versions most at risk such analysis should be applied to first.
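A simplified illustration of the screening idea, added here as an example (it is not the paper's implementation): the lines a security fix removes or changes serve as textual evidence of the vulnerable code, and every historical version is scored by how much of that evidence it still contains. The fix and the version snapshots are constructed; cheap text matching stands in for thin slicing, so, like the screening test, it trades accuracy for speed.

```python
"""Screen repository versions for the code a security fix removed."""
import re

# Constructed example: a fix that bounds two attacker-controlled sizes.
FIX_BEFORE = """
def parse(header):
    n = int(header[2:6])
    offset = int(header[6:10])
    buf = bytearray(n)
    return fill(buf, header[offset:])
"""
FIX_AFTER = """
def parse(header):
    n = min(int(header[2:6]), MAX_SIZE)
    offset = min(int(header[6:10]), len(header))
    buf = bytearray(n)
    return fill(buf, header[offset:])
"""
# Constructed snapshots of the same file in three released versions.
VERSIONS = {
    "v1.0": FIX_BEFORE,
    "v1.1": FIX_BEFORE.replace("offset = int(header[6:10])", "offset = 10"),
    "v2.0": FIX_AFTER,
}

def normalize(line):
    """Collapse whitespace so formatting-only edits do not hide a match."""
    return re.sub(r"\s+", " ", line.strip())

def evidence_from_fix(before, after):
    """Lines present before the fix but gone afterwards (removed or changed)."""
    kept = {normalize(l) for l in after.splitlines() if l.strip()}
    return [normalize(l) for l in before.splitlines()
            if l.strip() and normalize(l) not in kept]

def screen(evidence, versions):
    """Map each version to the share of evidence lines it still contains."""
    if not evidence:
        # A fix that only adds lines leaves no textual evidence: inconclusive.
        raise ValueError("fix removed no lines; screening is inconclusive")
    scores = {}
    for tag, source in versions.items():
        present = {normalize(l) for l in source.splitlines()}
        scores[tag] = sum(1 for e in evidence if e in present) / len(evidence)
    return scores

def likely_vulnerable(evidence, versions, threshold=0.5):
    """Versions at or above the threshold, most at risk first."""
    scores = screen(evidence, versions)
    ranked = sorted(scores, key=lambda tag: -scores[tag])
    return [tag for tag in ranked if scores[tag] >= threshold]
```

Versions scoring below the threshold are not proven safe; they are simply lower priority for the precise (and expensive) analysis.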

Want to know more, and are you attending ICSE? You are in luck: we will present this work at ICSE 2019 in the "Journal First" category. If you are not attending ICSE, do not worry; you can look up all the details in our TSE paper [1].

References

[1]
S. Dashevskyi, A. D. Brucker, and F. Massacci, “A screening test for disclosed vulnerabilities in FOSS components,” IEEE Trans. Software Eng., vol. 45, no. 10, pp. 945–966, Oct. 2019, doi: 10.1109/TSE.2018.2816033.
