Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries

Mobile application developers rely heavily on open-source software (OSS) to offload common functionality such as protocol implementations and media format playback. Over the past years, numerous vulnerabilities have been found in popular open-source libraries such as OpenSSL and FFmpeg. Mobile applications that bundle such libraries inherit these flaws. Fortunately, the open-source community is responsive, and patches are typically available within days. However, mobile application developers are often left unaware of these flaws. The App Security Improvement Program (ASIP) is a commendable effort by Google to notify application developers of such flaws, but recent work has shown that many developers do not act on this information. Our work addresses vulnerable mobile applications through automatic binary patching derived from the source patches provided by the OSS maintainers, without involving the application developers. We propose novel techniques to overcome difficult challenges, namely patching feasibility analysis, source-code-to-binary-code matching, and in-memory patching. Our technique uses a novel variability-aware approach, which we implement as OSSPATCHER. We evaluated OSSPATCHER with 39 OSS projects and a collection of 1,000 Android applications that bundle their vulnerable versions. OSSPATCHER generated 675 function-level patches that fixed the affected mobile applications without breaking their binary code. Further, we evaluated 10 vulnerabilities with public exploits in popular apps such as Chrome; OSSPATCHER mitigated all of them and thwarted their exploitation.
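To make concrete what a function-level in-memory patch is, the following added example shows the basic mechanism in C: the first bytes of a vulnerable function are overwritten, at run time, with an unconditional jump to a fixed replacement, so that every existing caller of the old function now executes the fix. This is illustrative code written for this page, not OSSPATCHER's implementation, and it does not show the paper's feasibility analysis or source-to-binary matching. It assumes Linux on x86-64 or AArch64, that the text page containing the function may be made writable with mprotect() (SELinux execmod policies or a hardened runtime can forbid this), and that the vulnerable routine, its fix, and the sample packet are constructed stand-ins.

```c
/* Added example: function-level in-memory patching via a jump trampoline.
 * Not OSSPATCHER's code. Assumes Linux on x86-64 or AArch64 and that the
 * text page may be made writable with mprotect(). */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for a vulnerable library routine: returns the record
 * length claimed by a 2-byte big-endian header without checking it against
 * the bytes actually available, so a trusting caller reads past the buffer. */
__attribute__((noinline))
long vuln_record_len(const unsigned char *buf, size_t avail) {
    (void)avail;                                   /* the bug: never consulted */
    return ((long)buf[0] << 8) | buf[1];
}

/* The fixed routine, as it would look after applying the upstream patch. */
__attribute__((noinline))
long fixed_record_len(const unsigned char *buf, size_t avail) {
    if (avail < 2) return -1;
    long n = ((long)buf[0] << 8) | buf[1];
    return (n <= (long)(avail - 2)) ? n : -1;
}

/* Encode "jump from src to dst" for the running architecture; returns length. */
static size_t encode_jump(uintptr_t src, uintptr_t dst, unsigned char *out) {
#if defined(__x86_64__)
    int64_t rel = (int64_t)dst - (int64_t)(src + 5);      /* rel32 relative to next insn */
    if (rel > INT32_MAX || rel < INT32_MIN) return 0;
    int32_t rel32 = (int32_t)rel;
    out[0] = 0xE9;                                        /* jmp rel32 */
    memcpy(out + 1, &rel32, 4);
    return 5;
#elif defined(__aarch64__)
    int64_t off = (int64_t)dst - (int64_t)src;            /* b imm26, range +-128 MiB */
    if ((off & 3) != 0 || off >= (1LL << 27) || off < -(1LL << 27)) return 0;
    uint32_t insn = 0x14000000u | ((uint32_t)(off >> 2) & 0x03FFFFFFu);
    memcpy(out, &insn, 4);
    return 4;
#else
    (void)src; (void)dst; (void)out;
    return 0;                                             /* unsupported architecture */
#endif
}

/* Redirect every call of `victim` to `fix`. Returns 0 on success, -1 otherwise. */
int hotpatch_function(void *victim, void *fix) {
    unsigned char stub[16];
    size_t n = encode_jump((uintptr_t)victim, (uintptr_t)fix, stub);
    if (n == 0) return -1;

    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)victim & ~(page - 1);
    uintptr_t end   = ((uintptr_t)victim + n - 1) & ~(page - 1);
    size_t len = (size_t)(end - start) + (size_t)page;    /* stub may straddle two pages */

    /* Text is normally r-x; open it for writing only for the duration of the write. */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(victim, stub, n);
    __builtin___clear_cache((char *)victim, (char *)victim + n); /* needed on AArch64 */
    if (mprotect((void *)start, len, PROT_READ | PROT_EXEC) != 0) return -1;
    return 0;
}

/* Call the (possibly patched) routine through a volatile pointer so the
 * compiler cannot inline or constant-fold the original body. */
long call_record_len(const unsigned char *buf, size_t avail) {
    long (*volatile fn)(const unsigned char *, size_t) = vuln_record_len;
    return fn(buf, avail);
}

/* Constructed sample input: header claims 0x1000 bytes, only 4 payload bytes follow. */
static const unsigned char SAMPLE_PKT[] = {0x10, 0x00, 'a', 'b', 'c', 'd'};
long sample_record_len(void) { return call_record_len(SAMPLE_PKT, sizeof SAMPLE_PKT); }

int main(void) {
    printf("before patch: %ld\n", sample_record_len());   /* 4096: trusts the header */
    if (hotpatch_function((void *)vuln_record_len, (void *)fixed_record_len) != 0) {
        perror("hotpatch_function");
        return 1;
    }
    printf("after patch:  %ld\n", sample_record_len());   /* -1: rejected by the fix */
    return 0;
}
```

The 5-byte (x86-64) or 4-byte (AArch64) branch keeps the overwrite inside even a very short function, which is why a relative jump is used rather than an absolute-address sequence; a patcher working on a stripped third-party binary additionally has to locate the function and verify that the replacement's calling convention and data layout match, which is exactly the matching and feasibility work the abstract describes and this toy omits.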
