Print Email Facebook Twitter Beyond obfuscation: Signature-based and relocation-resistant vulnerability detection in Uber JARs Title Beyond obfuscation: Signature-based and relocation-resistant vulnerability detection in Uber JARs Author Plămădeală, Dan (TU Delft Electrical Engineering, Mathematics and Computer Science) Contributor Durieux, T. (mentor) Panichella, A. (graduation committee) Decouchant, Jérémie (graduation committee) Degree granting institution Delft University of Technology Programme Computer Science Date 2024-05-17 Abstract Software development often relies on dependencies managed by package managers to simplify the integration of external libraries and frameworks, reducing development time. However, developers sometimes choose to bundle dependencies directly within their software packages. Bundling dependencies means including all necessary third-party frameworks directly within the application's distributable archive, such as a JAR file, to ensure all components are present without needing external installations. This practice, resulting in Uber JARs (or fat JARs), presents both challenges and advantages within the Maven ecosystem. This project examines the prevalence, risks, and impact of Uber JARs by analyzing over 9 million POM files and 12 million JAR artifacts from Maven Central, identifying artifacts with previously undetected vulnerabilities. Notably, 10.48% of the analyzed artifacts, amounting to 915,089, fall under the category of Uber JARs, indicating a significant prevalence within the Maven repository. Central to this work, JarSift detects Uber JARs' contents, including the libraries, their versions, and vulnerabilities. JarSift's accuracy is demonstrated with an F1 score ranging from 0.474 to 0.857, depending on the Uber JAR configuration. Analysis reveals about 17.13% Uber JARs in a small-scale dataset contained undisclosed vulnerabilities, and 0.63% of all libraries in our dataset fully completely matched known vulnerable libraries. These findings highlight the need for better detection and mitigation strategies in the Maven ecosystem and inform developers of potential risks, helping them implement more robust security measures. Subject scasbomfingerprintingJavajar To reference this document use: http://resolver.tudelft.nl/uuid:2c07b46a-61ac-4474-8ba9-e433e35037eb Part of collection Student theses Document type master thesis Rights © 2024 Dan Plămădeală Files PDF MSc_Thesis_Beyond_Obfuscation.pdf 2.97 MB Close viewer /islandora/object/uuid:2c07b46a-61ac-4474-8ba9-e433e35037eb/datastream/OBJ/view