Proceedings 2019 Network and Distributed System Security Symposium 2019
DOI: 10.14722/ndss.2019.23126
|View full text |Cite
|
Sign up to set email alerts
|

Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries

Abstract: Mobile application developers rely heavily on opensource software (OSS) to offload common functionalities such as the implementation of protocols and media format playback. Over the past years, several vulnerabilities have been found in popular open-source libraries like OpenSSL and FFmpeg. Mobile applications that include such libraries inherit these flaws, which make them vulnerable. Fortunately, the open-source community is responsive and patches are made available within days. However, mobile application d… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
28
0

Year Published

2019
2019
2023
2023

Publication Types

Select...
3
3
2

Relationship

0
8

Authors

Journals

citations
Cited by 36 publications
(28 citation statements)
references
References 45 publications
0
28
0
Order By: Relevance
“…Thus, we determined that the function-level granularity was most balanced: reasonable scalability (see Section V-C), fewer false positives and false negatives than the line-level and filelevel granularity, respectively (the benefits of the function-level granularity have been discussed in previous studies [4], [5], [10], [15], specifically, VUDDY [4] introduced the scalability and accuracy comparisons between function-units and other units in detail).…”
Section: Discussionmentioning
confidence: 99%
See 1 more Smart Citation
“…Thus, we determined that the function-level granularity was most balanced: reasonable scalability (see Section V-C), fewer false positives and false negatives than the line-level and filelevel granularity, respectively (the benefits of the function-level granularity have been discussed in previous studies [4], [5], [10], [15], specifically, VUDDY [4] introduced the scalability and accuracy comparisons between function-units and other units in detail).…”
Section: Discussionmentioning
confidence: 99%
“…As the term "OSS reuse" refers to utilizing all or some OSS functionalities [5], [13], [14], we determined that function units are more appropriate for detecting various OSS reuse patterns compared to other units. With less granularity (e.g., a file), Ce n t r i s can identify components faster than when using function units, however, Ce n t r i s may miss partial reuses especially when only some functions in a file were reused in the target software (the benefits of function units have been discussed in previous studies [4], [5], [10], [15]). In light of this, Ce n t r i s extracts functions from all versions of the OSS in our dataset using a function parser (see Section IV), and performs lightweight text preprocessing to normalize the function by removing comments, tabs, linefeed, and whitespaces, which are easy to change but do not affect program semantics.…”
Section: A Overviewmentioning
confidence: 99%
“…One way of obtaining the list of compiled source files is to hook the build process (Duan et al 2019). Taking into account the low success rate of auto-build (Shahkar 2016;Yuan et al 2019;Duan et al 2017) and the very time-consuming manual build, we inventively use clustering analysis (K-means Clustering 2020) and decision tree (Decision tree 2020) to predict compiled source files and extract features from them.…”
Section: How To Design Detection Methods To Improve the Precision Of Version Identification?mentioning
confidence: 99%
“…Compilation-related files can be obtained by hooking the build process as done in autopatch (Duan et al 2019). For the purpose of version identification, we need to build multiple OSS projects.…”
Section: Compilation-related Filesmentioning
confidence: 99%
“…None of the above solutions focuses on patching third-party libraries inside user apps. OSSPATCHER [23] targets at third-party libraries, but only open-sourced C/C++ libraries are concerned. There are also more works [24], [26] that automatically generate patches from source code.…”
Section: B Software Patching Techniquesmentioning
confidence: 99%