Phd Defense by Ruian Duan

Event Details
  • Date/Time:
    • Wednesday October 23, 2019
      1:00 pm - 3:00 pm
  • Location: Coda C1008 Bolton
  • Phone:
  • URL:
  • Email:
  • Fee(s):
    N/A
  • Extras:
Contact
No contact information submitted.
Summaries

Summary Sentence: Toward Solving The Security Risks Of Open Source Software Use

Full Summary: No summary paragraph submitted.

Title: Toward Solving The Security Risks Of Open Source Software Use

 

Ruian Duan

Ph.D. candidate in Computer Science

School of Computer Science

College of Computing

Georgia Institute of Technology

 

Date: Wednesday, October 23, 2019

Time: 13:00 - 15:00 (EST)

Location: Coda C1008 Bolton

 

Committee:

------------

Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology) Dr. Brendan D. Saltaformaggio (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology) Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology) Dr. Alexandra Boldyreva (School of Computer Science, Georgia Institute of Technology) Dr. Angelos D. Keromytis (School of Electrical and Computer Engineering, Georgia Institute of Technology)

 

Abstract:

-----------

Open source software (OSS) has been widely adopted in all layers of the software stack, from operating systems to web servers and mobile apps. Despite their myriad benefits, careless use of OSS can introduce significant legal and security risks, which if ignored not only jeopardize the security and privacy of end users but also cause developers and enterprises high financial loss. On one hand, use of OSS implicitly binds the developer to the associated licensing terms protected under copyright laws, which could have legal ramifications if violated. Just recently, Cisco and VMWare were involved in legal disputes for failing to comply with the licensing terms of the Linux kernel. On the other hand, software that reuses OSS also inherits their flaws, which could be exploited if not timely fixed. For example, the record-breaking security breach of Equifax originated from failure to patch a disclosed vulnerability in the open source Apache Struts framework.

 

In this thesis, I aim to provide solutions to those risks posed by OSS misuse. First, I will present a scalable OSS detection system (OSSPolice) that accurately detects OSS included in binary programs and checks for illegal misuse and n-day vulnerabilities in those OSS versions. OSSPolice was used to compare 1.6M apps against 140K OSS versions and identified over 40K potential GPL/AGPL license violators and over 100K apps using known vulnerable OSS. Once vulnerabilities have been identified, my next work (OSSPatcher) provides an automated patching system that fixes vulnerable OSS versions in app binaries using publicly available source patches. OSSPatcher is based upon variability-aware techniques which make patch feasibility analysis and, more importantly, source-code-to-binary-code matching possible. Third, I will present a study (MalOSS) on recent supply chain attacks against the open source ecosystem, where hundreds of malware snuck into package managers and gained millions of downloads. I propose a comparative framework to understand attacks and their root causes, and a vetting pipeline to detect malware in package managers. MalOSS reported 339 malware to package manager maintainers, out of which, 278 (82 percent) have been confirmed and removed and 3 with more than 100K downloads have been assigned CVEs.

 

Additional Information

In Campus Calendar
No
Groups

Graduate Studies

Invited Audience
Faculty/Staff, Public, Graduate students, Undergraduate students
Categories
Other/Miscellaneous
Keywords
Phd Defense
Status
  • Created By: Tatianna Richardson
  • Workflow Status: Published
  • Created On: Oct 9, 2019 - 1:41pm
  • Last Updated: Oct 9, 2019 - 1:41pm