Open Source Component Version Recognition Without Version Strings

Fund Project:

National Key R&D Program of China (2018YFB0803402); National Natural Science Foundation of China (U1536107); Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Y7Z0311104)

    Abstract:

    Because of extensive code reuse and third-party SDKs, open source components are ubiquitous in IoT device firmware. The security vulnerabilities that threaten firmware usually exist in specific versions of these components, so identifying the versions of open source binary components in IoT firmware is of great significance for the safety assessment and emergency response of IoT devices. Existing version extraction methods based on version strings do not apply when the version strings are missing. This paper designs and implements a version extraction method for open source components, termed Protues, that does not depend on version strings. Its core idea is to construct a version difference chain from the source code differences between neighboring versions of an open source component, which converts the version identification problem into a query on the version difference chain. Furthermore, to improve recognition accuracy, conditional judgment expressions are used to represent the nodes on the version difference chain. To verify the practicality of the method, version identification experiments are performed on a total of 428 binary files from 4 open source components: Samba, Msmtp, Nginx and Libgcrypt. The experimental results show that the method accurately identifies 418 versions, a recognition accuracy of 98%.
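A simplified sketch of querying a version difference chain, added here as an illustration and not the paper's implementation. The chain, the conditional expressions, the version numbers and the nearest-match scoring are constructed assumptions, and recovering conditions from a binary is taken as given.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiffNode:
    """One link of the chain: what changed between two neighbouring versions."""
    newer: str          # version this change leads to
    added: frozenset    # conditional expressions introduced in `newer`
    removed: frozenset  # conditional expressions dropped in `newer`


# Constructed chain for a hypothetical component (not data from the paper).
BASE = "1.0"
CHAIN = [
    DiffNode("1.1", frozenset({"len > 255"}), frozenset()),
    DiffNode("1.2", frozenset({"buf == NULL"}), frozenset({"len > 255"})),
    DiffNode("1.3", frozenset({"len >= 256", "flags & 4"}), frozenset()),
]


def expected_states(base, chain):
    """Replay the chain: version -> tracked conditions expected in that version."""
    state = frozenset()
    for node in reversed(chain):      # undo every change to recover the base state
        state = (state - node.added) | node.removed
    states = {base: state}
    for node in chain:                # then apply the changes in order
        state = (state - node.removed) | node.added
        states[node.newer] = state
    return states


def identify(observed, base=BASE, chain=CHAIN):
    """Return (closest candidate versions, mismatch count) for the conditions
    recovered from a binary. Several candidates means the evidence is ambiguous."""
    states = expected_states(base, chain)
    tracked = frozenset().union(*(n.added | n.removed for n in chain))
    seen = frozenset(observed) & tracked   # ignore conditions no diff mentions
    dist = {v: len(seen ^ exp) for v, exp in states.items()}
    best = min(dist.values())
    return [v for v in states if dist[v] == best], best


if __name__ == "__main__":
    # Exact match: only the 1.2-specific condition is tracked and present.
    print(identify({"buf == NULL", "x != 0"}))
    # One condition lost (e.g. optimised away): 1.2 and 1.3 tie.
    print(identify({"buf == NULL", "len >= 256"}))
```

A mismatch count of 0 with a single candidate is an exact identification; a tie or a non-zero count signals that the recovered conditions do not pin down one version.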

Get Citation

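Zhang Weidong, Yin Libo, Li Hong, Wen Hui, Sun Limin. Open Source Component Version Recognition Without Version Strings. Journal of Software, 2018, 29(S1): 83-91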

History
  • Received: May 01, 2018
  • Online: November 13, 2018
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4