*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Toward Solving The Security Risks Of Open Source Software Use
Ruian Duan
Ph.D. candidate in Computer Science
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Wednesday, October 23, 2019
Time: 13:00 - 15:00 (EST)
Location: Coda C1008 Bolton
Committee:
------------
Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology) Dr. Brendan D. Saltaformaggio (Co-advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology) Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology) Dr. Alexandra Boldyreva (School of Computer Science, Georgia Institute of Technology) Dr. Angelos D. Keromytis (School of Electrical and Computer Engineering, Georgia Institute of Technology)
Abstract:
-----------
Open source software (OSS) has been widely adopted in all layers of the software stack, from operating systems to web servers and mobile apps. Despite their myriad benefits, careless use of OSS can introduce significant legal and security risks, which if ignored not only jeopardize the security and privacy of end users but also cause developers and enterprises high financial loss. On one hand, use of OSS implicitly binds the developer to the associated licensing terms protected under copyright laws, which could have legal ramifications if violated. Just recently, Cisco and VMWare were involved in legal disputes for failing to comply with the licensing terms of the Linux kernel. On the other hand, software that reuses OSS also inherits their flaws, which could be exploited if not timely fixed. For example, the record-breaking security breach of Equifax originated from failure to patch a disclosed vulnerability in the open source Apache Struts framework.
In this thesis, I aim to provide solutions to those risks posed by OSS misuse. First, I will present a scalable OSS detection system (OSSPolice) that accurately detects OSS included in binary programs and checks for illegal misuse and n-day vulnerabilities in those OSS versions. OSSPolice was used to compare 1.6M apps against 140K OSS versions and identified over 40K potential GPL/AGPL license violators and over 100K apps using known vulnerable OSS. Once vulnerabilities have been identified, my next work (OSSPatcher) provides an automated patching system that fixes vulnerable OSS versions in app binaries using publicly available source patches. OSSPatcher is based upon variability-aware techniques which make patch feasibility analysis and, more importantly, source-code-to-binary-code matching possible. Third, I will present a study (MalOSS) on recent supply chain attacks against the open source ecosystem, where hundreds of malware snuck into package managers and gained millions of downloads. I propose a comparative framework to understand attacks and their root causes, and a vetting pipeline to detect malware in package managers. MalOSS reported 339 malware to package manager maintainers, out of which, 278 (82 percent) have been confirmed and removed and 3 with more than 100K downloads have been assigned CVEs.
