event
PhD Proposal by Ruian Duan
Primary tabs
Title: Toward Solving The Security Risks Of Open Source Software Use
Ruian Duan
Ph.D. student in Computer Science
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Thursday, April 4, 2019
Time: 12:00 - 13:30 (EST)
Location: Klaus 3126
Committee:
------------
Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology) Dr. Brendan D. Saltaformaggio (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology) Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology) Dr. Alexandra Boldyreva (School of Computer Science, Georgia Institute of Technology)
Abstract:
-----------
Open source software (OSS) has been widely adopted in all layers of the software stack, from operating systems to web servers and mobile apps. Despite their myriad benefits, careless use of OSS can introduce significant legal and security risks, which if ignored not only jeopardize the security and privacy of end users but also cause developers and enterprises high financial loss. On one hand, use of OSS implicitly binds the developer to the associated licensing terms protected under copyright laws, which could have legal ramifications if violated. Just recently, Cisco and VMWare were involved in legal disputes for failing to comply with the licensing terms of the Linux kernel. On the other hand, software that reuses OSS also inherits their flaws, which could be exploited if not timely fixed. For example, the record-breaking security breach of Equifax originated from failure to patch a disclosed vulnerability in the open source Apache Struts framework.
In this proposal, I aim to provide solutions to those risks posed by OSS misuse. First, I will present a scalable OSS detection system (OSSPolice) that accurately detects OSS included in binary programs and checks for illegal misuse and n-day vulnerabilities in those OSS versions. OSSPolice was used to compare 1.6M apps against 140K OSS versions and identified over 40K potential GPL/AGPL license violators and over 100K apps using known vulnerable OSS.
Once vulnerabilities have been identified, my next work (OSSPatcher) provides an automated patching system that fixes vulnerable OSS versions in app binaries using publicly available source patches. OSSPatcher is based upon variability-aware techniques which make patch feasibility analysis and, more importantly, source-code-to-binary-code matching possible. Third, I will propose the design of an extensible OSS vetting system (MalOSS) which developers can use to find and report malware published in OSS package managers. MalOSS employs static and dynamic analysis to find undiscovered malicious packages efficiently and accurately.
Groups
Status
- Workflow Status:Published
- Created By:Tatianna Richardson
- Created:04/02/2019
- Modified By:Tatianna Richardson
- Modified:04/02/2019
Categories
Keywords
Target Audience