A Screening Test for Software Vulnerabilities

Software vendors that consume thousands of Free and Open Source Software (FOSS) components and offer more than a decade of support and security fixes are expected to react quickly to disclosed vulnerabilities—in some cases, such as Heartbleed, within hours.

This seems infeasible, in particular because software vendors need to know rather precisely whether their product is affected by a vulnerability in a third-party component or not: if they are not affected, they want to be able to reassure their customers that they are not affected either. If they are affected, they want to fix the security vulnerability quickly, with the least possible impact on existing functionality (and the least effort for both the software vendor and its customers). So, how can we solve this problem?

To help software vendors, we propose a screening test: a novel, automatic method based on thin slicing for quickly estimating whether a given vulnerability is present in a consumed FOSS component, by looking across the component's entire repository history.

Our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, etc.), scanning thousands of commits and several hundred thousand lines of code in minutes. Further, based on 166 FOSS projects, we provide insights into the empirical probability that a potentially vulnerable component is not actually vulnerable after all.

Sounds too good to be true? Indeed, our approach is not aimed at replacing traditional static analysis methods, which rely on precise but costly semantic analysis (e.g., symbolic execution). Instead, we aim for a fast alternative that deliberately trades accuracy for speed. Our industry partner uses it not as a substitute for traditional static analysis but to prioritise its application to the versions most at risk.
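As an added illustration of what such a screening test does (example code written for this post, not the paper's or the blog authors' implementation), the Python below takes the lines a hypothetical fix removed as evidence of the vulnerable code and matches them against constructed earlier snapshots of the file. The paper's method additionally follows data flow with thin slicing; this simplification uses plain line matching, and the constructed 1.0.1 snapshot shows the accuracy that is traded for speed: one refactored line hides a still-present bug.

```python
"""Simplified vulnerability screening across repository history.

Added illustration only, not the paper's algorithm: the lines the fix
removed stand in for the vulnerable code, and every snapshot is screened
for them.  Project, file and snapshot contents are constructed.
"""
from typing import Dict, Set

# Constructed unified diff of a hypothetical fix adding a bounds check.
FIX_DIFF = """\
--- a/src/Copier.java
+++ b/src/Copier.java
@@ -3,4 +3,3 @@
     byte[] buf = new byte[64];
-    int n = input.length;
-    copyInto(buf, input, n);
+    copyInto(buf, input, Math.min(input.length, buf.length));
     return buf;
"""

# Constructed contents of Copier.java in earlier and later snapshots.
SNAPSHOTS: Dict[str, str] = {
    "0.9": "byte[] copy(byte[] input) {\n    return input.clone();\n}\n",
    "1.0": ("byte[] copy(byte[] input) {\n    byte[] buf = new byte[64];\n"
            "    int n = input.length;\n    copyInto(buf, input, n);\n"
            "    return buf;\n}\n"),
    # Same bug, but one line was refactored: line matching misses it.
    "1.0.1": ("byte[] copy(byte[] input) {\n    byte[] buf = new byte[64];\n"
              "    final int n = input.length;\n    copyInto(buf, input, n);\n"
              "    return buf;\n}\n"),
    "1.1": ("byte[] copy(byte[] input) {\n    byte[] buf = new byte[64];\n"
            "    copyInto(buf, input, Math.min(input.length, buf.length));\n"
            "    return buf;\n}\n"),
}

def evidence_from_fix(diff: str) -> Set[str]:
    """Whitespace-normalised lines removed by the fix (diff headers skipped)."""
    return {line[1:].strip() for line in diff.splitlines()
            if line.startswith("-") and not line.startswith("---")}

def screen(source: str, evidence: Set[str]) -> str:
    """Cheap verdict for one snapshot; only 'potentially vulnerable' goes on to costly analysis."""
    if not evidence:
        return "inconclusive"
    hits = evidence & {line.strip() for line in source.splitlines()}
    if hits == evidence:
        return "potentially vulnerable"
    if not hits:
        return "likely not vulnerable"
    return "partially present"  # evidence partly refactored away: inconclusive

def screen_history(snapshots: Dict[str, str], diff: str) -> Dict[str, str]:
    """Screen every snapshot of the file against the fix's evidence."""
    evidence = evidence_from_fix(diff)
    return {version: screen(src, evidence) for version, src in snapshots.items()}

if __name__ == "__main__":
    for version, verdict in screen_history(SNAPSHOTS, FIX_DIFF).items():
        print(f"{version:6} {verdict}")
```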

Want to know more and attending ICSE? You are in luck: we will present this work at ICSE 2019 in the “Journal First” category. If you are not attending ICSE, do not worry; you can look up all the details in our TSE paper [1].

Updates:

References

[1] S. Dashevskyi, A. D. Brucker, and F. Massacci, “A screening test for disclosed vulnerabilities in FOSS components,” IEEE Trans. Software Eng., vol. 45, no. 10, pp. 945–966, Oct. 2019, doi: 10.1109/TSE.2018.2816033. Author copy: http://logicalhacking.com/publications/dashevskyi.ea-vulnerability-screening-2018/

Welcome to the blog of the Software Assurance & Security Research Team at the University of Exeter. We regularly blog news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.
