A Screening Test for Disclosed Vulnerabilities in FOSS Components

S. Dashevskyi, A.D. Brucker, F. Massacci

Research output: Contribution to Journal › Article › Academic › peer-review

Abstract

Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the FOSS component, patch the application itself, or do nothing because the vulnerability does not apply to the older version of the FOSS component in use. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly to disclosed vulnerabilities; for widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing for quickly estimating whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundreds of thousands of lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above-mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.
Original language: English
Article number: 8316943
Pages (from-to): 945-966
Journal: IEEE Transactions on Software Engineering
Volume: 45
Issue number: 10
DOIs
Publication status: Published - 1 Oct 2019
Externally published: Yes

Funding

challenges faced by software vendors, and E. Blanzieri for suggesting the name of “screening test” for our method. This work has been partly supported by the European Union under the grant 317387 SECENTIS (FP7-PEOPLE-2012-IT), EU project VAMOSS (EIT/EIT DIGITAL/SGA2016-16367), and CISCO Country Digitalization Grant (Filiera Sicura).

Funders and funder numbers:
Cisco Systems
Seventh Framework Programme: 317387
European Commission: FP7-PEOPLE-2012-IT, EIT/EIT DIGITAL/SGA2016-16367
