PhD Proposal by Ruian Duan

Event Details
  • Date/Time:
    • Thursday April 4, 2019 - Friday April 5, 2019
      12:00 pm - 1:59 pm
  • Location: Klaus 3126
  • Phone:
  • URL:
  • Email:
  • Fee(s):
  • Extras:
No contact information submitted.

Summary Sentence: Toward Solving The Security Risks Of Open Source Software Use

Full Summary: No summary paragraph submitted.

Title: Toward Solving The Security Risks Of Open Source Software Use


Ruian Duan

Ph.D. student in Computer Science

School of Computer Science

College of Computing

Georgia Institute of Technology


Date: Thursday, April 4, 2019

Time: 12:00 - 13:30 (EST)

Location: Klaus 3126




Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology) Dr. Brendan D. Saltaformaggio (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology) Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology) Dr. Alexandra Boldyreva (School of Computer Science, Georgia Institute of Technology)




Open source software (OSS) has been widely adopted in all layers of the software stack, from operating systems to web servers and mobile apps. Despite their myriad benefits, careless use of OSS can introduce significant legal and security risks, which if ignored not only jeopardize the security and privacy of end users but also cause developers and enterprises high financial loss. On one hand, use of OSS implicitly binds the developer to the associated licensing terms protected under copyright laws, which could have legal ramifications if violated. Just recently, Cisco and VMWare were involved in legal disputes for failing to comply with the licensing terms of the Linux kernel. On the other hand, software that reuses OSS also inherits their flaws, which could be exploited if not timely fixed. For example, the record-breaking security breach of Equifax originated from failure to patch a disclosed vulnerability in the open source Apache Struts framework.


In this proposal, I aim to provide solutions to those risks posed by OSS misuse. First, I will present a scalable OSS detection system (OSSPolice) that accurately detects OSS included in binary programs and checks for illegal misuse and n-day vulnerabilities in those OSS versions. OSSPolice was used to compare 1.6M apps against 140K OSS versions and identified over 40K potential GPL/AGPL license violators and over 100K apps using known vulnerable OSS.

Once vulnerabilities have been identified, my next work (OSSPatcher) provides an automated patching system that fixes vulnerable OSS versions in app binaries using publicly available source patches. OSSPatcher is based upon variability-aware techniques which make patch feasibility analysis and, more importantly, source-code-to-binary-code matching possible. Third, I will propose the design of an extensible OSS vetting system (MalOSS) which developers can use to find and report malware published in OSS package managers. MalOSS employs static and dynamic analysis to find undiscovered malicious packages efficiently and accurately.


Additional Information

In Campus Calendar

Graduate Studies

Invited Audience
Faculty/Staff, Public, Graduate students, Undergraduate students
Phd proposal
  • Created By: Tatianna Richardson
  • Workflow Status: Published
  • Created On: Apr 2, 2019 - 11:41am
  • Last Updated: Apr 2, 2019 - 11:41am