event

Phd Defense by Ruian Duan

Primary tabs

Title: Toward Solving The Security Risks Of Open Source Software Use

 

Ruian Duan

Ph.D. candidate in Computer Science

School of Computer Science

College of Computing

Georgia Institute of Technology

 

Date: Wednesday, October 23, 2019

Time: 13:00 - 15:00 (EST)

Location: Coda C1008 Bolton

 

Committee:

------------

Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology) Dr. Brendan D. Saltaformaggio (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology) Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology) Dr. Alexandra Boldyreva (School of Computer Science, Georgia Institute of Technology) Dr. Angelos D. Keromytis (School of Electrical and Computer Engineering, Georgia Institute of Technology)

 

Abstract:

-----------

Open source software (OSS) has been widely adopted in all layers of the software stack, from operating systems to web servers and mobile apps. Despite their myriad benefits, careless use of OSS can introduce significant legal and security risks, which if ignored not only jeopardize the security and privacy of end users but also cause developers and enterprises high financial loss. On one hand, use of OSS implicitly binds the developer to the associated licensing terms protected under copyright laws, which could have legal ramifications if violated. Just recently, Cisco and VMWare were involved in legal disputes for failing to comply with the licensing terms of the Linux kernel. On the other hand, software that reuses OSS also inherits their flaws, which could be exploited if not timely fixed. For example, the record-breaking security breach of Equifax originated from failure to patch a disclosed vulnerability in the open source Apache Struts framework.

 

In this thesis, I aim to provide solutions to those risks posed by OSS misuse. First, I will present a scalable OSS detection system (OSSPolice) that accurately detects OSS included in binary programs and checks for illegal misuse and n-day vulnerabilities in those OSS versions. OSSPolice was used to compare 1.6M apps against 140K OSS versions and identified over 40K potential GPL/AGPL license violators and over 100K apps using known vulnerable OSS. Once vulnerabilities have been identified, my next work (OSSPatcher) provides an automated patching system that fixes vulnerable OSS versions in app binaries using publicly available source patches. OSSPatcher is based upon variability-aware techniques which make patch feasibility analysis and, more importantly, source-code-to-binary-code matching possible. Third, I will present a study (MalOSS) on recent supply chain attacks against the open source ecosystem, where hundreds of malware snuck into package managers and gained millions of downloads. I propose a comparative framework to understand attacks and their root causes, and a vetting pipeline to detect malware in package managers. MalOSS reported 339 malware to package manager maintainers, out of which, 278 (82 percent) have been confirmed and removed and 3 with more than 100K downloads have been assigned CVEs.

 

Status

  • Workflow Status:Published
  • Created By:Tatianna Richardson
  • Created:10/09/2019
  • Modified By:Tatianna Richardson
  • Modified:10/09/2019

Categories

Keywords