Vulnerability Risk Modelling in Open Source Software Systems


Abstract

Recent large-scale cyber security incidents such as the Equifax data breach, in which the personal information of around 160 million Americans leaked, demonstrate the current risk posed by security vulnerabilities in the libraries that software projects depend on.
The usage of libraries forms an integral part of modern software development and is a widespread practice across software projects.
Libraries make it possible to use proven implementations of certain functionalities without duplicating them.
However, this means the usage of libraries creates a set of dependencies for software projects.
While using libraries allows for increased development speed by reusing existing code, these dependencies can also propagate problems that exist in the dependencies themselves.
Therefore, a security vulnerability in a dependency can have a major impact on the software project as a whole.

Currently, there are analysers which perform a high-level analysis that can identify vulnerable dependencies.
However, these analysers are limited to the package level, where a whole library is considered either vulnerable or safe.
In reality, the situation is often more nuanced, where only certain functions of a library pose a security risk.
Considering the growing number of dependencies of software projects and the increasing number of vulnerability disclosures, the dependency update management process is currently a difficult task.
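As an added illustration of the distinction drawn above (example code, not from the thesis), the following Python evaluates a package-level and a function-level verdict over a constructed call graph and two constructed advisories; every package, function and advisory name is hypothetical.

```python
from collections import deque

# Constructed call graph for illustration: caller -> callees.  Names prefixed
# "app." belong to the project; all other names belong to its dependencies.
CALL_GRAPH = {
    "app.main": ["app.parse_config", "libyaml.load_safe", "libhttp.get"],
    "app.parse_config": ["libyaml.load_safe"],
    "libyaml.load_safe": ["libyaml.scan"],
    "libyaml.load_unsafe": ["libyaml.construct_object", "libyaml.scan"],
    "libhttp.get": ["libhttp.parse_headers"],
    "libhttp.parse_headers": ["libhttp.split_header_line"],
}

# Constructed advisories: package -> functions the advisory actually affects.
ADVISORIES = {
    "libyaml": {"libyaml.load_unsafe"},
    "libhttp": {"libhttp.split_header_line"},
}

def reachable_from(roots, graph):
    """Return every function reachable from the roots via the call graph (BFS)."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def package_level_risk(roots, graph, advisories):
    """Package-level verdict: any used package with an advisory counts as vulnerable."""
    used_packages = {fn.split(".")[0] for fn in reachable_from(roots, graph)}
    return {pkg: pkg in used_packages for pkg in advisories}

def function_level_risk(roots, graph, advisories):
    """Function-level verdict: vulnerable only if an affected function is reachable."""
    reached = reachable_from(roots, graph)
    return {pkg: bool(affected & reached) for pkg, affected in advisories.items()}

if __name__ == "__main__":
    roots = ["app.main"]
    # libyaml is flagged at package level but its vulnerable function is never called;
    # libhttp is flagged by both models because split_header_line is reachable.
    print("package-level :", package_level_risk(roots, CALL_GRAPH, ADVISORIES))
    print("function-level:", function_level_risk(roots, CALL_GRAPH, ADVISORIES))
```

In a real analysis the call graph would come from static analysis of the project and its dependencies, and the affected-function sets from function-level vulnerability data, which the thesis notes is not yet available for every disclosed vulnerability.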

Therefore, a more fine-grained type of analysis could help developers identify and mitigate actual security risks.
In this thesis, we propose a new risk modelling approach which uses fine-grained analysis to focus mitigation efforts as effectively as possible and increase the security of software applications.
Further, we perform an extensive evaluation against existing risk approaches to investigate the accuracy of the proposed approach.
We find that the new risk model is more accurate in prioritising risk mitigation strategies, with an average increase of 8% over current state-of-the-art risk models.
The model does require function-level vulnerability information, which does not yet exist for all disclosed vulnerabilities and remains an active area of research.