Description
Open source software (OSS) plays an important role in business innovation: it lets organizations adopt cutting-edge technologies and implement new services faster than their competitors. However, a single vulnerability in a popular OSS project can have a significant impact for a prolonged period. In particular, the broad reuse of OSS, combined with modification of its code, amplifies vulnerability propagation and makes affected code hard to trace, because a project changes its name after being forked as a new project, or becomes a sub-component of another project after being modified.
We have developed code-level vulnerability discovery mechanisms, including crawling security patches for CVE vulnerabilities, finding unpatched vulnerabilities in modified OSS components, and finding hidden vulnerabilities with a higher level of abstraction.
This talk introduces the series of mechanisms we developed, including Centris (ICSE '21), VUDDY (S&P '17), V0Finder (USENIX Security '21) and DICOS (ACSAC '21), together with their prototype implementation in an open platform called IoTcube. Several CVEs have been registered for zero-day vulnerabilities that these mechanisms found in a systematic way.