Freely accessible computer programmes that users are allowed to download, modify and distribute - this is what so-called "open source software" is all about. Developers make use of this to obtain individual software modules for new applications from a database instead of developing them themselves from scratch. The problem is that vulnerabilities repeatedly occur in the freely accessible content, which increases the risk of malware. In order to minimise this risk, scientists from the Institute of Computer Science and the Heinz Nixdorf Institute at Paderborn University have joined forces with the software company SAP SE for a research project. Among other things, the experts have developed tools that can recognise and remove vulnerabilities even with previously insufficient information. The three-year project was funded by the German Research Foundation (DFG) with almost 500,000 euros.
Reducing the risk of malware
"Open source libraries are very widespread in modern software development. Although there are good reasons for this, public access also gives potential attackers insight into parts of the underlying code. This allows them to find vulnerabilities that they can exploit for cyber attacks," explains Jonas Klauke, research associate at the Paderborn "Secure Software Engineering" specialist group. The good news is that these vulnerabilities are also found by the open source community, reported and repaired in a new version of the library. Klauke explains: "To close the vulnerabilities in the applications, the library used must be updated to the repaired version. To do this, the developers need to be informed. This is done using tools that recognise libraries with vulnerabilities. The problem is that these tools are often inaccurate. That's why we have been researching an automated process that supports developers in fixing affected libraries." The aim is to close security gaps quickly and easily.
"UpCy" is already freely available
The declared aim of the project was to develop tools that can recognise vulnerabilities in open source applications even with insufficient information. This resulted in two tools, one of which is already publicly available. "The first is a scanner that makes it possible to detect libraries with vulnerabilities that are actively used in applications. As updating libraries involves some changes, the programme often has to be adapted to the new version. This effort can be reduced by focussing the update on the libraries with vulnerabilities that are in use," says Klauke. The second tool developed, called "UpCy", helps users to automatically update the affected libraries by finding new versions of libraries whose updates do not cause complications. While the scanner is still being worked on, users can already use "UpCy".
Finding vulnerabilities in open source software without the source code
There are already tools that recognise vulnerabilities in open source software, but only if the metadata or "source code" is available. "This is written in a human-readable programming language and is translated into machine code to make the application executable on the computer. However, the source code cannot always be precisely assigned to the respective version of the library. If the metadata is also missing, libraries with potential vulnerabilities are overlooked," says Klauke. With the help of the developed process chain, these libraries can now also be recognised if neither metadata nor a direct link to the original source code exists.
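To make the process chain concrete, here is an added example that is not code from UpCy, from the scanner, or from the Paderborn/SAP project. It chains the three ideas the article describes: identifying a library version from content hashes of its compiled entries when no metadata or source link exists, checking that version against an advisory database only for libraries the application actually references, and picking the smallest advisory-free upgrade that stays within the same major version as a simple stand-in for "updates that do not cause complications". The library name "acme-json", its file contents, the application's references and the advisory are all constructed for illustration.

```python
"""Added example, not code from UpCy or the Paderborn scanner.

Toy process chain:
  1. identify a library version from per-file content hashes (no metadata needed),
  2. look the identified version up in an advisory database and note whether the
     application actually references the library,
  3. pick the smallest advisory-free upgrade within the same major version.
The library "acme-json", its file contents and the advisory are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

Files = Dict[str, bytes]


def fingerprint(files: Files) -> Set[str]:
    """SHA-256 of each entry's content; a set, so only which compiled entries
    the artifact contains matters, not their order or packaging."""
    return {hashlib.sha256(data).hexdigest() for data in files.values()}


# Constructed corpus of known releases: (name, version) -> compiled entries.
KNOWN_VERSIONS: Dict[Tuple[str, str], Files] = {
    ("acme-json", "1.2.0"): {"Parser.class": b"parse-v1", "Util.class": b"util-v1"},
    ("acme-json", "1.2.1"): {"Parser.class": b"parse-v1-fixed", "Util.class": b"util-v1"},
    ("acme-json", "1.3.0"): {"Parser.class": b"parse-v13", "Util.class": b"util-v1",
                             "Stream.class": b"stream-v13"},
    ("acme-json", "2.0.0"): {"Parser.class": b"parse-v2", "Util.class": b"util-v2"},
}
INDEX: Dict[Tuple[str, str], Set[str]] = {k: fingerprint(f) for k, f in KNOWN_VERSIONS.items()}

# Constructed advisory: a version is affected if introduced <= version < fixed.
ADVISORIES: Dict[str, List[dict]] = {
    "acme-json": [{"id": "ADV-EXAMPLE-1", "introduced": "1.0.0", "fixed": "1.2.1"}],
}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def identify(unknown: Files, threshold: float = 0.5) -> Tuple[Optional[Tuple[str, str]], float]:
    """Best-matching known release by Jaccard similarity of fingerprints.
    Partial overlap tolerates stripped or repackaged artifacts; below the
    threshold the artifact is reported as unidentified instead of guessed."""
    fp = fingerprint(unknown)
    best, best_score = None, 0.0
    for key, known in INDEX.items():
        score = len(fp & known) / len(fp | known)
        if score > best_score:
            best, best_score = key, score
    return (best, best_score) if best_score >= threshold else (None, best_score)


def vulnerabilities(name: str, version: str) -> List[str]:
    """Advisory ids whose affected range contains this version."""
    v = parse_version(version)
    return [a["id"] for a in ADVISORIES.get(name, [])
            if parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]


def in_use(app_references: Set[str], library: Files) -> bool:
    """The 'actively used' test reduced to its simplest form: does the
    application reference any class the library ships?"""
    shipped = {entry.rsplit(".", 1)[0] for entry in library}
    return bool(app_references & shipped)


def safe_upgrade(name: str, current: str) -> Optional[str]:
    """Smallest known version above `current`, same major, with no advisory."""
    cur = parse_version(current)
    for cand in sorted(parse_version(v) for (n, v) in INDEX if n == name):
        if cand <= cur or cand[0] != cur[0]:
            continue
        text = ".".join(map(str, cand))
        if not vulnerabilities(name, text):
            return text
    return None


def assess(unknown: Files, app_references: Set[str]) -> dict:
    """Run the whole chain on one artifact pulled from an application."""
    match, score = identify(unknown)
    if match is None:
        return {"identified": None, "score": score}
    name, version = match
    advisories = vulnerabilities(name, version)
    return {
        "identified": f"{name}:{version}",
        "score": score,
        "advisories": advisories,
        "in_use": in_use(app_references, unknown),
        "upgrade": safe_upgrade(name, version) if advisories else None,
    }


if __name__ == "__main__":
    # Constructed artifact: acme-json 1.2.0 with Util.class stripped and no metadata.
    artifact = {"Parser.class": b"parse-v1"}
    print(assess(artifact, app_references={"Parser", "Main"}))
```

Running the block identifies the stripped artifact as acme-json 1.2.0 at similarity 0.5, flags ADV-EXAMPLE-1, confirms the application references the library, and proposes 1.2.1 rather than 1.3.0 or 2.0.0. Real tools replace the hash corpus with an index of published artifacts and the same-major heuristic with an actual compatibility analysis of the dependency graph, but the shape of the chain is the same.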
Further information can be found here.