Please use this identifier to cite or link to this item:
https://hdl.handle.net/10356/173692
Title: Scalable techniques for risk assessment of open-source libraries
Authors: Badyal, Nirvi
Keywords: Engineering
Issue Date: 2023
Publisher: Nanyang Technological University
Source: Badyal, N. (2023). Scalable techniques for risk assessment of open-source libraries. Master's thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/173692
Abstract:
Because applications increasingly depend on open-source libraries and new vulnerabilities are disclosed continually, replacing vulnerable library versions promptly is essential to reduce the risk of attack. The replacement process must also prioritise the vulnerable versions that pose the highest risk, which calls for a rapid method of ranking the risk each vulnerable version contributes to an application so that the most critical ones are replaced first. To lower the cost of function-level static analysis, an efficient version-level pruning technique is proposed: it restricts analysis to the versions that are actually relevant across diverse applications containing multiple vulnerable components. Experiments on popular libraries (e.g., urllib3, pyyaml, requests) showed a reduction of over 88.71% in the number of versions to analyse. Compared with a widely used commercial tool (Snyk), the proposed method also reduced the time taken to retrieve the version-level dependency tree by over 69.23%. Version pruning likewise improved the function-level analysis: call-graph generation time fell by more than 72.41%, driven by reductions of over 75.31% in the number of nodes and over 79.40% in the number of edges.
Next, an application-aware subsetting of the reachable paths to vulnerable components is proposed; it identifies over 25% more reachable vulnerable components than the version-level method. The proportion of reachable functions among all functions is remarkably low, between 0.09% and 1.08%, which makes a targeted, rapid vulnerability assessment feasible. The reachable paths then drive a targeted dynamic analysis that overcomes the limits of static analysis in dynamic languages. The proposed hop-based approach iteratively estimates new reachable paths starting from dynamic functions, and imposing a maximum hop limit is shown to yield realistic risk estimates at high speed. The investigations confirm that high-risk dynamic functions contribute to the determinism and accuracy of the estimated reachable paths that static analysis cannot see, and that accounting for them substantially raises the assessed risk posed by vulnerable components. A technique based on the neighbourhood density of a dynamic function is also introduced to further improve the accuracy of the risk assessment. Introducing dynamic analysis thus gives a more realistic estimate while keeping the assessment highly responsive, and it highlights the impact of dynamic functions on risk estimation; dynamic functions are categorised by risk level according to their significance in the reachability analysis. Incremental techniques are then proposed to adapt the assessment method to the rapid emergence of new vulnerabilities: a dependency-vulnerability graph is kept up to date so that assessment can proceed in real time, and incremental analysis detects the changes in new versions that affect reachability and risk. These techniques allow newly disclosed vulnerabilities to be folded into a re-assessment efficiently while improving overall analysis efficiency.
The proposed vulnerability assessment and risk ranking techniques are integrated into a systematic framework that equips developers to manage evolving software vulnerabilities effectively, sustaining application security and stability. The framework applies incremental analysis to existing versions and complete analysis to new libraries, at both the version and the function level. Together, the contributions of this thesis pave the way for real-time risk assessment of applications that depend on vulnerable open-source library versions.
URI: https://hdl.handle.net/10356/173692
DOI: 10.32657/10356/173692
Schools: School of Computer Science and Engineering
Rights: This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0).
Fulltext Permission: open
Fulltext Availability: With Fulltext
Appears in Collections: SCSE Theses
Files in This Item:

| File | Description | Size | Format |
|---|---|---|---|
| thesis.pdf | | 1.79 MB | Adobe PDF |
Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.