Abstract
Vulnerabilities inherited from third-party open-source software (OSS) components can compromise the security of the entire software. However, discovering propagated vulnerable code is challenging because it proliferates with varying code syntax owing to OSS modifications, specifically internal modifications (e.g., OSS updates) and external modifications of OSS (e.g., code changes made while the OSS is reused). In this paper, we present MOVERY, a precise approach for discovering vulnerable code clones (VCCs) in modified OSS components. By considering the oldest vulnerable function and extracting only the core vulnerable and patch lines from security patches, MOVERY generates vulnerability and patch signatures that effectively address OSS modifications. For scalability, MOVERY reduces the search space of the target software by focusing only on the code borrowed from other OSS projects. Finally, MOVERY determines that a function is a VCC when it matches the vulnerability signature and is distinct from the patch signature. When we applied MOVERY to ten popular software projects selected from diverse domains, we observed that 91% of the discovered VCCs had code syntax that differed from the disclosed vulnerable function. Nonetheless, MOVERY discovered at least 2.5 times as many VCCs as existing techniques, with much higher accuracy: MOVERY discovered 415 VCCs with 96% precision and 96% recall, whereas two recent VCC discovery techniques, which hardly consider internal and external OSS modifications, discovered only 163 and 72 VCCs with at most 77% precision and 38% recall.
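The decision rule stated in the abstract (a function is a VCC when it matches the vulnerability signature and is distinct from the patch signature), illustrated below as an added toy example that is not the paper's implementation. It assumes a signature is simply the set of whitespace-normalised core lines taken from one constructed security patch, and uses constructed target functions; MOVERY's real signatures, abstraction and use of the oldest vulnerable function are not modelled.

```python
import re

# Constructed security patch (unified-diff hunk) for a hypothetical
# strcpy-based overflow; not taken from any real project.
PATCH = """\
@@ -20,3 +20,4 @@ void set_name(struct rec *b, const char *src)
 {
-    strcpy(b->name, src);
+    strncpy(b->name, src, sizeof(b->name) - 1);
+    b->name[sizeof(b->name) - 1] = '\\0';
 }
"""
# Constructed targets: a reused copy with reformatting and an extra logging
# line (an external modification), and a copy that already took the fix.
MODIFIED_CLONE = """\
void set_name(struct rec *b, const char *src) {
    log_debug("set_name");
    strcpy( b->name , src );
}
"""
PATCHED_CLONE = """\
void set_name(struct rec *b, const char *src) {
    strncpy(b->name, src, sizeof(b->name) - 1);
    b->name[sizeof(b->name) - 1] = '\\0';
}
"""

def normalise(line: str) -> str:
    """Drop all whitespace so reformatting alone cannot hide a match."""
    return re.sub(r"\s+", "", line)

def build_signatures(patch: str):
    """Core vulnerable lines = removed but not re-added; core patch lines =
    added but not merely moved. Diff headers and blank lines are ignored."""
    removed, added = set(), set()
    for raw in patch.splitlines():
        if raw.startswith("-") and not raw.startswith("---"):
            removed.add(normalise(raw[1:]))
        elif raw.startswith("+") and not raw.startswith("+++"):
            added.add(normalise(raw[1:]))
    vuln_sig = {l for l in removed - added if l}
    patch_sig = {l for l in added - removed if l}
    return vuln_sig, patch_sig

def is_vcc(func_src: str, vuln_sig: set, patch_sig: set) -> bool:
    """Flag a function only if it contains every core vulnerable line and
    none of the core patch lines. An empty vulnerability signature flags
    nothing, rather than matching every function."""
    if not vuln_sig:
        return False
    lines = {normalise(l) for l in func_src.splitlines()}
    return vuln_sig <= lines and not (patch_sig & lines)
```

With these inputs the reformatted clone is reported as a VCC while the patched copy is not, because the patch signature line is present in the latter.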
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 31st USENIX Security Symposium, Security 2022 |
| Publisher | USENIX Association |
| Pages | 3037-3053 |
| Number of pages | 17 |
| ISBN (Electronic) | 9781939133311 |
| Publication status | Published - 2022 |
| Event | 31st USENIX Security Symposium, Security 2022 - Boston, United States. Duration: 2022 Aug 10 → 2022 Aug 12 |
Publication series
| Name | Proceedings of the 31st USENIX Security Symposium, Security 2022 |
|---|---|
Conference
| Conference | 31st USENIX Security Symposium, Security 2022 |
|---|---|
| Country/Territory | United States |
| City | Boston |
| Period | 22/8/10 → 22/8/12 |
Bibliographical note
Publisher Copyright: © USENIX Security Symposium, Security 2022. All rights reserved.
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems
- Safety, Risk, Reliability and Quality