Funder

National Science Foundation

Award

CNS-1946273

Period

2020-10 – 2023-09

PI

William Enck

Co-PI

Brad Reaves

SaTC: Securing Software with Vulnerable Dependencies

Abstract

Software is at the very center of today's society, permeating commerce, transportation, information exchange, and entertainment. Today's software is rarely written from scratch and frequently depends on a large ecosystem of open source libraries and tools. As a result, a single vulnerability in a library often has a cascading effect, producing corresponding vulnerabilities in the many software systems and applications that depend on it. The goal of this project is to aid software developers in identifying and updating vulnerable dependencies through the creation of methods that detect, measure, and remediate a software project's use of external, open source software with security flaws. As part of achieving this goal, the investigators will develop the first global vulnerable-dependency graph to characterize the problem within the broader open source ecosystem. The creation of this global vulnerable-dependency graph depends on addressing two key research challenges. First, software dependencies exist in many forms, ranging from clear listings in package manifests to copies of external libraries added to a software project's code repository. Second, not all vulnerability fixes are announced: developers often discover and fix vulnerabilities without issuing an announcement (or perhaps even without knowing a vulnerability was fixed). This project will address these challenges through novel application of static program analysis and text analytics. These techniques will scalably recover software dependencies, mapping both publicly known vulnerabilities and discovered silent vulnerability fixes to individual versions of software libraries and tools.
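The cascading effect the abstract describes, and the mapping of an advisory to individual library versions, as an added illustration that is not part of the project's own code: a small vulnerable-dependency graph built from constructed manifests, with a constructed advisory for a hypothetical tls-lib, propagated upward to every package that transitively depends on an affected version (packages pinned to the fixed version are correctly left out).

```python
from collections import deque
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # '2.1.0' -> (2, 1, 0)

@dataclass(frozen=True)
class Advisory:
    """A known vulnerability affecting [introduced, fixed) of one package."""
    package: str
    introduced: str
    fixed: str

    def affects(self, name: str, version: str) -> bool:
        return name == self.package and (
            parse_version(self.introduced) <= parse_version(version) < parse_version(self.fixed))

# Constructed graph (hypothetical packages, not real data):
# (package, version) -> set of (dependency, pinned version) taken from its manifest.
DEPS = {
    ("webapp", "1.0.0"): {("http-lib", "2.1.0"), ("json-lib", "1.4.2")},
    ("cli-tool", "3.2.0"): {("http-lib", "2.4.0")},
    ("http-lib", "2.1.0"): {("tls-lib", "0.8.1")},
    ("http-lib", "2.4.0"): {("tls-lib", "0.9.0")},
    ("json-lib", "1.4.2"): set(),
    ("tls-lib", "0.8.1"): set(),
    ("tls-lib", "0.9.0"): set(),
}
# Constructed advisory: tls-lib from 0.7.0 up to (not including) 0.9.0 is flawed.
ADVISORY = Advisory("tls-lib", "0.7.0", "0.9.0")

def reverse_graph(deps: dict) -> dict:
    """Map each node to the nodes that depend on it (edges reversed)."""
    rev = {node: set() for node in deps}
    for node, children in deps.items():
        for child in children:
            rev.setdefault(child, set()).add(node)
    return rev

def affected_nodes(deps: dict, advisory: Advisory) -> dict:
    """Return {node: path-to-vulnerable-version}; path[1] is the direct dependency to update."""
    rev = reverse_graph(deps)
    paths = {n: [n] for n in deps if advisory.affects(*n)}  # directly vulnerable versions
    queue = deque(paths)
    while queue:  # breadth-first walk up the reversed edges: the cascade
        node = queue.popleft()
        for parent in rev.get(node, ()):
            if parent not in paths:
                paths[parent] = [parent] + paths[node]
                queue.append(parent)
    return paths
```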