Scalable techniques for risk assessment of open-source libraries
| Field | Value |
|---|---|
| Format | Thesis-Master by Research |
| Language | English |
| Published | Nanyang Technological University, 2024 |
| Institution | Nanyang Technological University |
| Online Access | https://hdl.handle.net/10356/173692 |
Summary:

Due to the growing reliance on open-source libraries and the constant emergence of new vulnerabilities, timely replacement of vulnerable versions is essential to mitigate the risk of cyberattacks. Moreover, the replacement process must prioritise the vulnerable versions posing the highest risks. This necessitates a rapid method to rank the risks associated with the vulnerable versions in an application, so that the most critical vulnerable versions are replaced first.

An efficient version-level pruning technique has been proposed to lower the complexity of function-level static analysis. The pruning approach tailors the analysis to the versions that are relevant across diverse applications encompassing multiple vulnerable components. Investigations on popular libraries (e.g., urllib3, pyyaml, requests) revealed substantial improvements: a reduction of over 88.71% in the number of versions. In addition, compared with the widely used commercial tool Snyk, the proposed method reduced the time taken to retrieve the version-level dependency tree by over 69.23%. The version pruning also yielded notable improvements at the function level: call graph generation time was reduced by more than 72.41% as a result of an over 75.31% reduction in the number of nodes and an over 79.40% reduction in the number of edges.

Next, an application-aware subsetting of reachable paths to vulnerable components was proposed, demonstrating an improvement of over 25% over the version-level method in identifying reachable vulnerable components. The percentage of reachable functions among the total functions is remarkably low, ranging from 0.09% to 1.08%, which makes a targeted and rapid vulnerability assessment technique possible.

These reachable paths were then used to drive a targeted dynamic analysis that overcomes the limitations of static analysis in dynamic languages. The proposed hop-based approach iteratively estimates new reachable paths from dynamic functions, and it was shown that realistic risk estimation at high speed is possible by imposing a maximum hop limit. Investigations confirm that the high-risk dynamic functions contribute to the deterministic and accurate estimation of reachable paths unseen during static analysis, ultimately revealing a significant increase in the risk posed by vulnerable components. A technique based on the neighbourhood density of dynamic functions was also introduced to further enhance risk assessment accuracy. The introduction of dynamic analysis provides a more realistic estimate while keeping the vulnerability assessment highly responsive, highlighting the impact of dynamic functions on risk estimation. Moreover, it emphasises the significance of dynamic functions in reachability analysis, categorising them by risk level.

Incremental techniques for adapting the proposed vulnerability assessment method to the rapid emergence of new vulnerabilities were proposed next, enabling real-time vulnerability assessment by maintaining an up-to-date dependency-vulnerability graph. Incremental analysis detects changes in new versions that affect reachability and risk assessment. The proposed techniques lend themselves well to the efficient inclusion of evolving vulnerabilities for re-assessment while improving analysis efficiency.

The proposed techniques for vulnerability assessment and risk ranking have been integrated into a systematic framework that equips developers to navigate evolving software vulnerabilities effectively, sustaining application security and stability. The framework employs incremental analysis for existing versions and complete analysis for new libraries at both the version and function levels. Finally, the contributions made in this thesis pave the way for real-time risk assessment of applications that depend on vulnerable open-source library versions.
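As an added illustration of the hop-limited reachability idea described in the summary (this is example code written for this page, not the thesis's implementation; the call graph, entry points, vulnerable function names and runtime-observed edges are all constructed), the block below runs a bounded breadth-first search from application entry points to vulnerable library functions, then merges call edges observed at runtime to show how dynamic information can expose vulnerable functions that the static call graph alone cannot reach:

```python
"""Hop-limited reachability from application entry points to vulnerable
library functions, with runtime-observed call edges merged in.

Added example; the graph and names below are constructed, not taken from
any real application or from the thesis.
"""
from collections import deque

# Constructed static call graph: caller -> set of callees.
# "app.plugin_hook" dispatches dynamically, so its real target is unknown
# to static analysis and it is not wired to app.main statically.
STATIC_CALLS = {
    "app.main": {"app.load_config", "app.fetch"},
    "app.load_config": {"yaml.load"},
    "app.fetch": {"requests.get"},
    "requests.get": {"requests.api.request"},
    "requests.api.request": {"urllib3.connectionpool.urlopen"},
    "urllib3.connectionpool.urlopen": {"urllib3.util.parse_url"},
    "app.plugin_hook": {"app.dispatch"},
    "app.dispatch": set(),
}

ENTRY_POINTS = {"app.main"}

# Constructed set of functions flagged as vulnerable by an advisory feed.
VULNERABLE = {"yaml.load", "urllib3.util.parse_url", "app.dangerous_eval"}

# Constructed (caller, callee) edges seen during a targeted dynamic run.
OBSERVED_EDGES = [
    ("app.main", "app.plugin_hook"),
    ("app.dispatch", "app.dangerous_eval"),
]


def reachable_vulnerable(calls, entry_points, vulnerable, max_hops):
    """Bounded BFS over the call graph.

    Returns {vulnerable_fn: (hops, path)} for every vulnerable function
    reachable within max_hops calls of an entry point.  BFS visits each
    function first at its minimum hop count, so the hop limit prunes
    exactly the functions that are too far away to be worth analysing.
    """
    found = {}
    seen = set(entry_points)
    queue = deque((entry, 0, [entry]) for entry in entry_points)
    while queue:
        fn, hops, path = queue.popleft()
        if fn in vulnerable and fn not in found:
            found[fn] = (hops, path)
        if hops >= max_hops:
            continue  # hop limit reached: do not expand further
        for callee in calls.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, hops + 1, path + [callee]))
    return found


def merge_dynamic_edges(calls, observed):
    """Return a copy of the graph with runtime-observed edges added.

    These are the edges a static analysis of a dynamic language misses
    (reflection, plugin dispatch, getattr-style calls).
    """
    merged = {caller: set(callees) for caller, callees in calls.items()}
    for caller, callee in observed:
        merged.setdefault(caller, set()).add(callee)
        merged.setdefault(callee, set())
    return merged


def risk_delta(static_calls, observed, entry_points, vulnerable, max_hops):
    """Compare reachability before and after merging dynamic edges.

    Returns (before, after, newly_reachable) so a caller can see which
    vulnerable functions only become reachable once runtime edges are known.
    """
    before = reachable_vulnerable(static_calls, entry_points, vulnerable, max_hops)
    merged = merge_dynamic_edges(static_calls, observed)
    after = reachable_vulnerable(merged, entry_points, vulnerable, max_hops)
    return before, after, set(after) - set(before)


if __name__ == "__main__":
    for limit in (3, 5):
        before, after, new = risk_delta(
            STATIC_CALLS, OBSERVED_EDGES, ENTRY_POINTS, VULNERABLE, limit)
        print(f"max_hops={limit}")
        print("  static only :", {fn: hops for fn, (hops, _) in before.items()})
        print("  with dynamic:", {fn: hops for fn, (hops, _) in after.items()})
        print("  newly reachable via dynamic edges:", sorted(new))
```

With a hop limit of 3 only `yaml.load` is reachable statically; raising the limit to 5 also reaches `urllib3.util.parse_url` through the requests/urllib3 chain, which is the trade-off between analysis speed and completeness that a maximum hop limit controls. Merging the observed edges makes `app.dangerous_eval` reachable within 3 hops even though no static path to it exists, which is the kind of risk increase that dynamic analysis surfaces.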