research-article

Public Access

The extent of orphan vulnerabilities from code reuse in open source software

Authors:

David Reid,

Mahmoud Jahanshahi,

Audris MockusAuthors Info & Claims

ICSE '22: Proceedings of the 44th International Conference on Software Engineering

Pages 2104 - 2115

https://doi.org/10.1145/3510003.3510216

Published: 05 July 2022 Publication History

PDF eReader

Abstract

Motivation: A key premise of open source software is the ability to copy code to other open source projects (white-box reuse). Such copying accelerates development of new projects, but the code flaws in the original projects, such as vulnerabilities, may also spread even if fixed in the projects from where the code was appropriated. The extent of the spread of vulnerabilities through code reuse, the potential impact of such spread, or avenues for mitigating risk of these secondary vulnerabilities has not been studied in the context of a nearly complete collection of open source code.

Aim: We aim to find ways to detect the white-box reuse induced vulnerabilities, determine how prevalent they are, and explore how they may be addressed.

Method: We rely on World of Code infrastructure that provides a curated and cross-referenced collection of nearly all open source software to conduct a case study of a few known vulnerabilities. To conduct our case study we develop a tool, VDiOS, to help identify and fix white-box-reuse-induced vulnerabilities that have been already patched in the original projects (orphan vulnerabilities).

Results: We find numerous instances of orphan vulnerabilities even in currently active and in highly popular projects (over 1K stars). Even apparently inactive projects are still publicly available for others to use and spread the vulnerability further. The often long delay in fixing orphan vulnerabilities even in highly popular projects increases the chances of it spreading to new projects. We provided patches to a number of project maintainers and found that only a small percentage accepted and applied the patch. We hope that VDiOS will lead to further study and mitigation of risks from orphan vulnerabilities and other orphan code flaws.

References

[1]

Sultan S. Alqahtani, Ellis E. Eghan, and Juergen Rilling. 2016. SV-AF --- A Security Vulnerability Analysis Framework. In 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE). 219--229.

Abstract

References

Cited By

Index Terms

Recommendations

Tracking patches for open source software vulnerabilities

CVEfixes: automated collection of vulnerabilities and their fixes from open-source software

On code reuse from StackOverflow

Comments

Information

Published In

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations