Search Icon
Submissions

Enhancing Security in Third-Party Library Reuse – Comprehensive Detection of 1-day Vulnerability through Code Patch Analysis

Shangzhi Xu (The University of New South Wales), Jialiang Dong (The University of New South Wales), Weiting Cai (Delft University of Technology), Juanru Li (Feiyu Tech), Arash Shaghaghi (The University of New South Wales), Nan Sun (The University of New South Wales), Siqi Ma (The University of New South Wales)

Nowadays, software development progresses
rapidly to incorporate new features. To facilitate such growth
and provide convenience for developers when creating and
updating software, reusing open-source software (i.e., thirdparty
library reuses) has become one of the most effective
and efficient methods. Unfortunately, the practice of reusing
third-party libraries (TPLs) can also introduce vulnerabilities
(known as 1-day vulnerabilities) because of the low maintenance
of TPLs, resulting in many vulnerable versions remaining in
use. If the software incorporating these TPLs fails to detect the
introduced vulnerabilities and leads to delayed updates, it will
exacerbate the security risks. However, the complicated code
dependencies and flexibility of TPL reuses make the detection of
1-day vulnerability a challenging task. To support developers in
securely reusing TPLs during software development, we design
and implement VULTURE, an effective and efficient detection
tool, aiming at identifying 1-day vulnerabilities that arise from
the reuse of vulnerable TPLs. It first executes a database creation
method, TPLFILTER, which leverages the Large Language
Model (LLM) to automatically build a unique database for the
targeted platform. Instead of relying on code-level similarity
comparison, VULTURE employs hashing-based comparison to
explore the dependencies among the collected TPLs and identify
the similarities between the TPLs and the target projects.
Recognizing that developers have the flexibility to reuse TPLs
exactly or in a custom manner, VULTURE separately conducts
version-based comparison and chunk-based analysis to capture
fine-grained semantic features at the function levels. We applied
VULTURE to 10 real-world projects to assess its effectiveness
and efficiency in detecting 1-day vulnerabilities. VULTURE
successfully identified 175 vulnerabilities from 178 reused TPLs.

Paper
Slides
Video

View More Papers

Distributed Function Secret Sharing and Applications

Pengzhi Xing (University of Electronic Science and Technology of China), Hongwei Li (University of Electronic Science and Technology of China), Meng Hao (Singapore Management University), Hanxiao Chen (University of Electronic Science and Technology of China), Jia Hu (University of Electronic Science and Technology of China), Dongxiao Liu (University of Electronic Science and Technology of China)

Read More

SecuWear: Secure Data Sharing Between Wearable Devices

Sujin Han (KAIST) Diana A. Vasile (Nokia Bell Labs), Fahim Kawsar (Nokia Bell Labs, University of Glasgow), Chulhong Min (Nokia Bell Labs)

Read More

Automated Mass Malware Factory: The Convergence of Piggybacking and...

Heng Li (Huazhong University of Science and Technology), Zhiyuan Yao (Huazhong University of Science and Technology), Bang Wu (Huazhong University of Science and Technology), Cuiying Gao (Huazhong University of Science and Technology), Teng Xu (Huazhong University of Science and Technology), Wei Yuan (Huazhong University of Science and Technology), Xiapu Luo (The Hong Kong Polytechnic University)

Read More

On the Realism of LiDAR Spoofing Attacks against Autonomous...

Takami Sato (University of California, Irvine), Ryo Suzuki (Keio University), Yuki Hayakawa (Keio University), Kazuma Ikeda (Keio University), Ozora Sako (Keio University), Rokuto Nagata (Keio University), Ryo Yoshida (Keio University), Qi Alfred Chen (University of California, Irvine), Kentaro Yoshioka (Keio University)

Read More