Research on PoC Refactoring of Third-party Library in Heterogeneous Environment
Vulnerabilities in third-party libraries are widely propagated to host applications(software that using third-party libra-ries),and developers of host applications usually fail to fix these vulnerabilities in a timely manner,which easily leads to security problems.In order to explore the impact of t...
| Main Author: | |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Editorial office of Computer Science
2023-04-01
|
| Series: | Jisuanji kexue |
| Subjects: | |
| Online Access: | https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-4-277.pdf |
| _version_ | 1827965396572962816 |
|---|---|
| author | SONG Wenkai, YOU Wei, LIANG Bin, HUANG Jianjun, SHI Wenchang |
| author_facet | SONG Wenkai, YOU Wei, LIANG Bin, HUANG Jianjun, SHI Wenchang |
| author_sort | SONG Wenkai, YOU Wei, LIANG Bin, HUANG Jianjun, SHI Wenchang |
| collection | DOAJ |
| description | Vulnerabilities in third-party libraries are widely propagated to host applications(software that using third-party libra-ries),and developers of host applications usually fail to fix these vulnerabilities in a timely manner,which easily leads to security problems.In order to explore the impact of third-party library vulnerabilities on the host applications,it is particularly important to effectively verify whether the vulnerabilities propagated to the host application can still be triggered.The latest research applies taint analysis and symbolic execution to transform the PoC of third-party libraries to make it suitable for host applications.However,there are often differences between the test environment of the third-party library and the real environment of the host application (they are heterogeneous environments),so that the PoC transformed by the above method is still difficult to apply to the host application.To solve the above problems,a method for PoC refactoring in heterogeneous environment is proposed,which can be divided into four steps.Firstly,we exeract the execution traces in the third-party library test environment and the host application environment respectively when the original PoC is input.Secondly,we compare and analyze the two traces obtained in the first step to identify differences.Thirdly,we analyze codes at difference points to identify the key variables that cause the diffe-rences.Finally,we locate the key fields in the PoC that can affect the state of key variables,by mutating the key fields of the PoC,we try to modify the state of the key variables and align the difference paths,guide the execution flow of the host application to reach the vulnerability code,and eventually we complete the refactoring of the PoC.Experiments are carried out on 11 real-world PoCs,and the experimental results show that the proposed method can successfully verify the triggerability of the propagated vu-lnerability in the host application in a heterogeneous environment. |
| first_indexed | 2024-04-09T17:32:22Z |
| format | Article |
| id | doaj.art-4fb0be9b2e8e4dfe85e380e01492a564 |
| institution | Directory Open Access Journal |
| issn | 1002-137X |
| language | zho |
| last_indexed | 2024-04-09T17:32:22Z |
| publishDate | 2023-04-01 |
| publisher | Editorial office of Computer Science |
| record_format | Article |
| series | Jisuanji kexue |
| spelling | doaj.art-4fb0be9b2e8e4dfe85e380e01492a5642023-04-18T02:33:33ZzhoEditorial office of Computer ScienceJisuanji kexue1002-137X2023-04-0150427728710.11896/jsjkx.220500092Research on PoC Refactoring of Third-party Library in Heterogeneous EnvironmentSONG Wenkai, YOU Wei, LIANG Bin, HUANG Jianjun, SHI Wenchang0School of Information,Renmin University of China,Beijing 100872,ChinaVulnerabilities in third-party libraries are widely propagated to host applications(software that using third-party libra-ries),and developers of host applications usually fail to fix these vulnerabilities in a timely manner,which easily leads to security problems.In order to explore the impact of third-party library vulnerabilities on the host applications,it is particularly important to effectively verify whether the vulnerabilities propagated to the host application can still be triggered.The latest research applies taint analysis and symbolic execution to transform the PoC of third-party libraries to make it suitable for host applications.However,there are often differences between the test environment of the third-party library and the real environment of the host application (they are heterogeneous environments),so that the PoC transformed by the above method is still difficult to apply to the host application.To solve the above problems,a method for PoC refactoring in heterogeneous environment is proposed,which can be divided into four steps.Firstly,we exeract the execution traces in the third-party library test environment and the host application environment respectively when the original PoC is input.Secondly,we compare and analyze the two traces obtained in the first step to identify differences.Thirdly,we analyze codes at difference points to identify the key variables that cause the diffe-rences.Finally,we locate the key fields in the PoC that can affect the state of key variables,by mutating the key fields of the PoC,we try to modify the state of the key variables and align the difference paths,guide the execution flow of the host application to reach the vulnerability code,and eventually we complete the refactoring of the PoC.Experiments are carried out on 11 real-world PoCs,and the experimental results show that the proposed method can successfully verify the triggerability of the propagated vu-lnerability in the host application in a heterogeneous environment.https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-4-277.pdfpoc|third-party library|heterogeneous environments|refactoring |
| spellingShingle | SONG Wenkai, YOU Wei, LIANG Bin, HUANG Jianjun, SHI Wenchang Research on PoC Refactoring of Third-party Library in Heterogeneous Environment Jisuanji kexue poc|third-party library|heterogeneous environments|refactoring |
| title | Research on PoC Refactoring of Third-party Library in Heterogeneous Environment |
| title_full | Research on PoC Refactoring of Third-party Library in Heterogeneous Environment |
| title_fullStr | Research on PoC Refactoring of Third-party Library in Heterogeneous Environment |
| title_full_unstemmed | Research on PoC Refactoring of Third-party Library in Heterogeneous Environment |
| title_short | Research on PoC Refactoring of Third-party Library in Heterogeneous Environment |
| title_sort | research on poc refactoring of third party library in heterogeneous environment |
| topic | poc|third-party library|heterogeneous environments|refactoring |
| url | https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-4-277.pdf |
| work_keys_str_mv | AT songwenkaiyouweiliangbinhuangjianjunshiwenchang researchonpocrefactoringofthirdpartylibraryinheterogeneousenvironment |