Using Program Analysis to Identify the Use of Vulnerable Functions

Rasmus Hagberg, Rasmus Hagberg, Martin Hell, Christoph Reichenbach

2021

Abstract

Open-Source Software (OSS) is increasingly used by software applications. It allows for code reuse, but also comes with the problem of potentially being affected by the vulnerabilities that are found in the OSS libraries. With large numbers of OSS components and a large number of published vulnerabilities, it becomes challenging to identify and analyze which OSS components need to be patched and updated. In addition to matching vulnerable libraries to those used in software products, it is also necessary to analyze if the vulnerable functionality is actually used by the software. This process is both time-consuming and error-prone. Automating this process presents several challenges, but has the potential to significantly decrease vulnerability exposure time. In this paper, we propose a modular framework for analyzing if software code is using the vulnerable part of a library, by analyzing and matching the call graphs of the software with changes resulting from security patches. Further, we provide an implementation of the framework targeting Java and the Maven dependency management system. This allows us to identify 20% of the dependencies in our sample projects as false positives. We also identify and discuss challenges and limitations in our approach.

Download


Paper Citation


in Harvard Style

Hagberg R., Hell M. and Reichenbach C. (2021). Using Program Analysis to Identify the Use of Vulnerable Functions. In Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT, ISBN 978-989-758-524-1, pages 523-530. DOI: 10.5220/0010548205230530


in Bibtex Style

@conference{secrypt21,
author={Rasmus Hagberg and Martin Hell and Christoph Reichenbach},
title={Using Program Analysis to Identify the Use of Vulnerable Functions},
booktitle={Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT,},
year={2021},
pages={523-530},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010548205230530},
isbn={978-989-758-524-1},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT,
TI - Using Program Analysis to Identify the Use of Vulnerable Functions
SN - 978-989-758-524-1
AU - Hagberg R.
AU - Hell M.
AU - Reichenbach C.
PY - 2021
SP - 523
EP - 530
DO - 10.5220/0010548205230530