Abstract:
Code from Open Source Software (OSS) is widely reused during software development nowadays. However, reusing some specific versions of OSS introduces 1-day vulnerabilities whose details are publicly available, which may be exploited and lead to serious security issues. Existing state-of-the-art OSS reuse detection work cannot identify the specific versions of reused OSS well: the features they select are not distinguishable enough for version detection, and their matching scores are based only on similarity. This paper presents B2SMatcher, a fine-grained version identification tool for OSS in commercial off-the-shelf (COTS) software. We first discuss five kinds of version-sensitive code features that are trackable in both binary and source code. We categorize these features into program-level features and function-level features and propose a two-stage version identification approach based on the two levels of code features. B2SMatcher also identifies different types of OSS version reuse based on matching scores and matched feature instances. In order to extract source code features as accurately as possible, B2SMatcher innovatively uses machine learning methods to obtain the source files involved in the compilation and uses function abstraction and normalization methods to eliminate the comparison costs on redundant functions across versions. We have evaluated B2SMatcher using 6351 candidate OSS versions and 585 binaries. The result shows that B2SMatcher achieves a high precision of up to 89.2% and outperforms state-of-the-art tools. Finally, we show how B2SMatcher can be used to evaluate real-world software and find some security risks in practice.
Affiliation:
Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Secur
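The abstract describes a two-stage match (program-level features to narrow candidate versions, then function-level features to score them), with functions that are identical across versions normalized away and the reuse type derived from scores and matched instances. The following is an added illustration of that workflow on constructed data, not B2SMatcher's code; the concrete feature choices (version strings and exported symbols at program level, per-function constant sets at function level), the thresholds and the full/partial classification are assumptions, since the page does not list the paper's five features.

```python
from typing import Dict, List, Set, Tuple

# Constructed candidate OSS versions (assumed feature choices, not the paper's).
# program: version strings + exported symbols; functions: normalized constant sets.
CANDIDATES: Dict[str, dict] = {
    "libfoo-1.0.0": {"program": {"libfoo 1.0.0", "foo_init", "foo_parse"},
                     "functions": {"foo_init": {"init", "0x10"},
                                   "foo_parse": {"parse", "0x20"}}},
    "libfoo-1.1.0": {"program": {"libfoo 1.1.0", "foo_init", "foo_parse", "foo_free"},
                     "functions": {"foo_init": {"init", "0x10"},
                                   "foo_parse": {"parse", "0x21", "strict"},
                                   "foo_free": {"free", "0x30"}}},
    "libbar-2.0.0": {"program": {"libbar 2.0.0", "bar_run"},
                     "functions": {"bar_run": {"run", "0x40"}}},
}

def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a or b else 0.0

def identify(binary: dict, candidates=CANDIDATES,
             stage1_min=0.2, fn_min=0.8) -> Tuple[str, float, str, List[str]]:
    """Return (best version, version score, reuse type, matched functions)."""
    # Stage 1: coarse program-level similarity narrows the candidate versions.
    survivors = {v: c for v, c in candidates.items()
                 if jaccard(binary["program"], c["program"]) >= stage1_min}
    if not survivors:
        return "", 0.0, "none", []
    # Normalization: a function whose feature set is identical in every surviving
    # version cannot discriminate versions, so it is skipped in the version score.
    names = set().union(*(c["functions"] for c in survivors.values()))
    redundant = {n for n in names if len(survivors) > 1 and len(
        {frozenset(c["functions"].get(n, ())) for c in survivors.values()}) == 1}
    best = ("", -1.0, "none", [])
    for version, cand in survivors.items():
        # Stage 2: fine-grained function-level matching against each survivor.
        sims = {n: jaccard(binary["functions"].get(n, set()), f)
                for n, f in cand["functions"].items()}
        matched = sorted(n for n, s in sims.items() if s >= fn_min)
        sensitive = [s for n, s in sims.items() if n not in redundant]
        score = sum(sensitive) / len(sensitive) if sensitive else 0.0
        coverage = len(matched) / len(sims)  # share of this version's functions present
        kind = "none" if not matched else "full" if coverage >= 0.9 else "partial"
        if score > best[1]:
            best = (version, score, kind, matched)
    return best

if __name__ == "__main__":
    # Constructed binary: full libfoo-1.1.0 plus application code.
    print(identify({"program": {"libfoo 1.1.0", "foo_init", "foo_parse", "foo_free", "app_main"},
                    "functions": {"foo_init": {"init", "0x10"}, "app_main": {"main"},
                                  "foo_parse": {"parse", "0x21", "strict"},
                                  "foo_free": {"free", "0x30"}}}))
```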