Ruian Duan (Georgia Institute of Technology), Ashish Bijlani (Georgia Institute of Technology), Yang Ji (Georgia Institute of Technology), Omar Alrawi (Georgia Institute of Technology), Yiyuan Xiong (Peking University), Moses Ike (Georgia Institute of Technology), Brendan Saltaformaggio (Georgia Institute of Technology), Wenke Lee (Georgia Institute of Technology)

Mobile application developers rely heavily on open-source software (OSS)
to offload common functionalities such as the implementation of
protocols and media format playback. Over the past years, several
vulnerabilities have been found in popular open-source libraries like
OpenSSL and FFmpeg. Mobile applications that include such libraries
inherit these flaws, which make them vulnerable. Fortunately, the
open-source community is responsive and patches are made available
within days. However, mobile application developers are often left
unaware of these flaws. The App Security Improvement Program (ASIP) is
a commendable effort by Google to notify application developers of these
flaws, but recent work has shown that many developers do not act on this
information.

Our work addresses vulnerable mobile applications through automatic
binary patching from source patches provided by the OSS maintainers and
without involving the developers. We propose novel techniques to
overcome difficult challenges like patching feasibility analysis,
source-code-to-binary-code matching, and in-memory patching. Our
technique uses a novel variability-aware approach, which we implement as
OSSPatcher. We evaluated OSSPatcher with 39 OSS and a collection of
1,000 Android applications using their vulnerable versions. OSSPatcher
generated 675 function-level patches that fixed the affected mobile
applications without breaking their binary code. Further, we evaluated
10 vulnerabilities in popular apps such as Chrome with public exploits,
which OSSPatcher was able to mitigate and thwart their exploitation.

View More Papers

A Systematic Framework to Generate Invariants for Anomaly Detection...

Cheng Feng (Imperial College London & Siemens Corporate Technology), Venkata Reddy Palleti (Singapore University of Technology and Design), Aditya Mathur (Singapore University of Technology and Design), Deeph Chana (Imperial College London)

Read More

Please Forget Where I Was Last Summer: The Privacy...

Kostas Drakonakis (FORTH, Greece), Panagiotis Ilia (FORTH, Greece), Sotiris Ioannidis (FORTH, Greece), Jason Polakis (University of Illinois at Chicago, USA)

Read More

Data Oblivious ISA Extensions for Side Channel-Resistant and High...

Jiyong Yu (UIUC), Lucas Hsiung (UIUC), Mohamad El'Hajj (UIUC), Christopher W. Fletcher (UIUC)

Read More

Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice...

Yangyong Zhang (Texas A&M University), Lei Xu (Texas A&M University), Abner Mendoza (Texas A&M University), Guangliang Yang (Texas A&M University), Phakpoom Chinprutthiwong (Texas A&M University), Guofei Gu (Texas A&M University)

Read More