Open Source Vulnerability discovery presented at TyphoonCon 2022

by Professor Heejo Lee,

Summary : Open source software (OSS) plays an important role for business innovation by adapting cutting edge technologies, in addition to faster implementation of new services than competitors. However, one vulnerability in a popular OSS project can have a significant impact for a prolonged period. Particularly, the broad reuse of OSS and their modification of code amplifies vulnerability propagation and untraceability due to the change of their name after being forked as a new project or becoming a sub-component of another project after being modified. We have developed code-level vulnerability discovery mechanisms including crawling security patches for CVE vulnerabilities and finding unpatched vulnerabilities in modified OSS components and hidden vulnerabilities with higher level abstraction.

A series of mechanisms we developed including Centris (ICSE’21), Vuddy (S&P’17), V0finder (Usenix Security’21), Dicos (ACSAC’21) and their prototype implementation in an open platform called IoTcube will be introduced, where several CVE’s have been registered as zero day vulnerabilities found in a systematic way by their mechanisms.