Open source software (OSS) plays an important role in business innovation by adopting cutting-edge technologies and by implementing new services faster than competitors. However, one vulnerability in a popular OSS project can have a significant impact for a prolonged period. In particular, the broad reuse and modification of OSS amplifies vulnerability propagation and makes vulnerabilities hard to trace, because a project's name changes once it is forked as a new project or, after modification, becomes a sub-component of another project.

We have developed code-level vulnerability discovery mechanisms, including crawling security patches for CVE vulnerabilities, finding unpatched vulnerabilities in modified OSS components, and finding hidden vulnerabilities at a higher level of abstraction.
A series of mechanisms we developed, including Centris (ICSE'21), Vuddy (S&P'17), V0finder (USENIX Security'21) and Dicos (ACSAC'21), and their prototype implementation in an open platform called IoTcube, will be introduced. Several CVEs have been registered as zero-day vulnerabilities that these mechanisms found in a systematic way.

About the speaker

Heejo Lee is a Professor in the Department of Computer Science and Engineering, Korea University, Seoul, Korea, and the director of the Center for Software Security and Assurance (CSSA). Before joining Korea University, he was CTO of AhnLab, Inc. from 2001 to 2003. From 2000 to 2001, he was a postdoctoral researcher in the Department of Computer Science and CERIAS at Purdue University. In 2010, he was a visiting professor at CyLab/CMU. Dr. Lee received his B.S., M.S. and Ph.D. degrees in Computer Science and Engineering from POSTECH, Pohang, Korea. Dr. Lee serves as an editor of IEEE Transactions on Vehicular Technology and the Journal of Communications and Networks. He is a recipient of the (ISC)² ISLA award and in 2016 received its most prestigious recognition, the Asia-Pacific Community Service Star. He is a founding member and co-CEO of IOTCUBE Inc., a spin-off of CSSA, Korea University.