Abstract
We present V1SCAN, an effective approach for discovering 1-day vulnerabilities in reused C/C++ open-source software (OSS) components. Reusing third-party OSS has many benefits, but it can put the entire program at risk because of the vulnerabilities those components propagate. To mitigate this, several techniques for detecting propagated vulnerabilities, which can be classified into version-based and code-based approaches, have been proposed. However, state-of-the-art techniques produce many false positives or false negatives when OSS projects are reused with code modifications. In this paper, we show that these limitations can be addressed by improving version- and code-based approaches and combining them synergistically. By classifying the code reused from OSS components, V1SCAN considers only vulnerabilities whose code is actually contained in the target program and filters out unused vulnerable code, thereby reducing the false alarms produced by version-based approaches. V1SCAN improves the coverage of code-based approaches by classifying vulnerable code and then detecting vulnerabilities that were propagated together with code changes in various code locations. Evaluation on popular C/C++ software from GitHub showed that V1SCAN outperformed state-of-the-art vulnerability detection approaches, discovering 50% more vulnerabilities than they did. In addition, V1SCAN reduced the false positive rate of a simple integration of existing version- and code-based approaches from 71% to 4%, and the false negative rate from 33% to 7%. With V1SCAN, developers can detect propagated vulnerabilities with high accuracy and maintain a secure software supply chain.
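The abstract contrasts version-based detection (report every vulnerability of the identified OSS version, even for code that was never copied) with code-based detection (report only exact matches of known vulnerable code, so modified copies are missed). The following is an added toy illustration of that contrast and of why narrowing by version and then checking which vulnerable functions are actually present helps; it is not V1SCAN's code and does not reproduce the paper's classification method. The library "libfoo", its two versions, the target program, and the vulnerability records with placeholder IDs (not real CVEs) are all constructed for this example, and a plain difflib similarity ratio stands in for whatever code classification a real tool would use.

```python
"""Added illustration (not V1SCAN's implementation): version-only and
code-only 1-day detection each fail on modified reuse; combining them helps.
Library code, target program and vulnerability records are constructed;
the vulnerability IDs are placeholders, not real CVE identifiers."""
import difflib
import hashlib
import re


def normalize(src: str) -> str:
    """Drop comments and whitespace so formatting edits do not defeat matching."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return re.sub(r"\s+", "", src)


def fhash(src: str) -> str:
    """Exact-match fingerprint of a normalized function body."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()


def similarity(a: str, b: str) -> float:
    """0..1 similarity of normalized bodies; tolerates small code changes."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


# Constructed hypothetical library "libfoo": 1.0 is vulnerable, 1.1 is fixed.
LIBFOO_10 = {
    "parse_hdr": "int parse_hdr(char *b, int n) { char t[8]; memcpy(t, b, n); return t[0]; }",
    "fmt_name":  "void fmt_name(char *d, const char *s) { strcpy(d, s); }",
    "add":       "int add(int a, int b) { return a + b; }",
}
LIBFOO_11 = {
    "parse_hdr": "int parse_hdr(char *b, int n) { char t[8]; if (n > 8) return -1; memcpy(t, b, n); return t[0]; }",
    "fmt_name":  "void fmt_name(char *d, const char *s, size_t n) { strncpy(d, s, n); d[n - 1] = 0; }",
    "add":       "int add(int a, int b) { return a + b; }",
}
# Placeholder vulnerability records (constructed; not real CVE identifiers).
VULNS = [
    {"id": "VULN-A", "func": "parse_hdr", "affected": {"1.0"},
     "vuln_src": LIBFOO_10["parse_hdr"], "fixed_src": LIBFOO_11["parse_hdr"]},
    {"id": "VULN-B", "func": "fmt_name", "affected": {"1.0"},
     "vuln_src": LIBFOO_10["fmt_name"], "fixed_src": LIBFOO_11["fmt_name"]},
]
# Constructed target: copies libfoo 1.0 partially. parse_hdr was edited
# (renamed parameter, added comment); fmt_name was never copied at all.
TARGET = {
    "version_macro": '#define LIBFOO_VERSION "1.0"',
    "parse_hdr": "int parse_hdr(char *buf, int n) { /* from libfoo */ char t[8]; memcpy(t, buf, n); return t[0]; }",
    "add":       "int add(int a, int b) { return a + b; }",
    "main":      "int main(void) { return add(1, 2); }",
}


def detect_version(target):
    """Version-based evidence: a version string left behind in the reused code."""
    for src in target.values():
        m = re.search(r'LIBFOO_VERSION\s+"([\d.]+)"', src)
        if m:
            return m.group(1)
    return None


def version_based(target):
    """Report every vulnerability of the detected version, whether its code is used or not."""
    v = detect_version(target)
    return {r["id"] for r in VULNS if v in r["affected"]}


def code_based(target):
    """Report only exact (normalized) matches of known vulnerable bodies."""
    present = {fhash(s) for s in target.values()}
    return {r["id"] for r in VULNS if fhash(r["vuln_src"]) in present}


def combined(target, threshold=0.7):
    """Narrow candidates by version, then keep only those whose vulnerable function
    is actually present and closer to the vulnerable body than to the fixed one,
    so modified reuse is still caught while unused vulnerable code is dropped."""
    found = set()
    for r in VULNS:
        if r["id"] not in version_based(target):
            continue
        best_v = max(similarity(r["vuln_src"], s) for s in target.values())
        best_f = max(similarity(r["fixed_src"], s) for s in target.values())
        if best_v >= threshold and best_v >= best_f:
            found.add(r["id"])
    return found


if __name__ == "__main__":
    print("version-based:", version_based(TARGET))  # {'VULN-A', 'VULN-B'}: VULN-B is a false positive
    print("code-based:   ", code_based(TARGET))     # set(): VULN-A is a false negative
    print("combined:     ", combined(TARGET))       # {'VULN-A'}
```

Running the block prints the three result sets. The version-only check flags the uncopied fmt_name (a false positive), the exact-hash check misses the edited parse_hdr (a false negative), and the combined check reports only the vulnerability whose code is really present. If the target had copied the fixed 1.1 parse_hdr instead, the body would be closer to the fixed source and the combined check would stay silent even though the stale version macro still says 1.0.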
Original language | English |
---|---|
Title of host publication | 32nd USENIX Security Symposium, USENIX Security 2023 |
Publisher | USENIX Association |
Pages | 6541-6556 |
Number of pages | 16 |
ISBN (Electronic) | 9781713879497 |
Publication status | Published - 2023 |
Event | 32nd USENIX Security Symposium, USENIX Security 2023 - Anaheim, United States Duration: 2023 Aug 9 → 2023 Aug 11 |
Publication series
Name | 32nd USENIX Security Symposium, USENIX Security 2023 |
---|---|
Volume | 9 |
Conference
Conference | 32nd USENIX Security Symposium, USENIX Security 2023 |
---|---|
Country/Territory | United States |
City | Anaheim |
Period | 2023 Aug 9 → 2023 Aug 11 |
Bibliographical note
Publisher Copyright:© 2023 32nd USENIX Security Symposium, USENIX Security 2023. All rights reserved.
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems
- Safety, Risk, Reliability and Quality