by Durmaz, Fatih
Supervisor Mühlberg, Jan Tobias; Portokalidis, Georgios G.P.
Publication Unpublished, 2024-09-03

Thesis
Abstract: This thesis addresses the challenge of identifying inactive vulnerabilities in shared libraries, which frequently emerge as a result of code bloat. As developers increasingly rely on shared libraries to speed up software development, these libraries have grown to encompass numerous features, some of which may inadvertently introduce vulnerabilities. These vulnerabilities can significantly impact the patching behavior of software, particularly when they exist within shared libraries. A vulnerability in a shared library can prompt hasty patching, potentially leading to more severe issues. However, due to the inherent complexity of shared libraries, vulnerabilities can reside in unused code. While these vulnerabilities are present in the code, they may not pose an immediate threat if they are not actively invoked by the application. To address the identification of such vulnerabilities, this research introduces libsec, a static analysis tool designed to detect inactive vulnerabilities within shared libraries. libsec identifies which vulnerabilities are actually invoked within an application's call graph. This distinction enables a more accurate assessment of real security risks. The tool was tested on the Ubuntu 20.04 main repository, revealing that approximately 52% of function-name-mentioned vulnerabilities exist in the dormant code of shared libraries. However, only about 14% of the library-dependent binary packages were actually affected by these vulnerabilities, highlighting the critical need for targeted identification efforts.