This program is tentative and subject to change.
Modern software development reuses third-party libraries to cut costs, but doing so may introduce vulnerabilities. A critical practice is to verify the security of third-party libraries against public vulnerability reports, and many automated methods have been proposed to identify vulnerable libraries from such reports. Existing methods are designed for the generic identification of vulnerable libraries, considering the security of all software libraries. Generic identification is inherently challenging, resulting in limited accuracy. Organizations, however, only consider the security of the libraries they trust and use, which they self-manage as a library whitelist. We therefore propose LibGuard, a framework that adapts existing methods to help organizations secure the libraries they actually use. LibGuard supplies a library whitelist to existing methods and filters their results according to a threshold, facilitating the discovery of risks overlooked by organizations while controlling false alarms. LibGuard is implemented in two ways: the first attaches the whitelist after existing methods, and the second integrates the whitelist into existing methods. We evaluated LibGuard using 5,107 vulnerability reports and a library whitelist built from 79 Google projects and 29 Huawei projects. The results show that the two implementations of LibGuard increase the average F1 score by 10.25% and 11.77%, respectively. Moreover, LibGuard performs stably as the whitelist is extended. To our knowledge, this paper is the first study dedicated to securing self-managed third-party libraries, offering insights into adapting generic software security management to self-managed contexts.
Wed 19 Nov (displayed time zone: Seoul)
16:00 - 17:00
16:00 (10 min talk) The Gold Digger in the Dark Forest: Industrial-Scale MEV Analysis in Ethereum. Industry Showcase. Ningyu He (Hong Kong Polytechnic University), Tianyang Chi (Beijing University of Posts and Telecommunications), Xiaohui Hu (Huazhong University of Science and Technology), Haoyu Wang (Huazhong University of Science and Technology)
16:10 (10 min talk) RPG: Linux Kernel Fuzzing Guided by Distribution-Specific Runtime Parameter Interfaces. Industry Showcase. Yuhan Chen (Central South University), Yuheng Shen (Tsinghua University), Guoyu Yin (Central South University), Fan Ding (Central South University), Runzhe Wang (Alibaba Group), Tao Ma (Alibaba Group), Xiaohai Shi (Alibaba Group), Qiang Fu (Central South University), Ying Fu (Tsinghua University), Heyuan Shi (Central South University)
16:20 (10 min talk) Securing Self-Managed Third-Party Libraries. Industry Showcase. Xin Zhou (Nanjing University), Jinwei Xu (Nanjing University), He Zhang (Nanjing University), Yanjing Yang (Nanjing University), Lanxin Yang (Nanjing University), Bohan Liu (Nanjing University), Hongshan Tang (JD.com, Inc.)
16:30 (10 min talk) STaint: Detecting Second-Order Vulnerabilities in PHP Applications with LLM-Assisted Bi-Directional Static Taint Analysis. NIER Track. Yuchen Ji (ShanghaiTech University), Hongchen Cao (ShanghaiTech University), Jingzhu He (ShanghaiTech University)
16:40 (10 min talk) AdaptiveGuard: Towards Adaptive Runtime Safety for LLM-Powered Software. Industry Showcase. Rui Yang (Monash University and Transurban), Michael Fu (The University of Melbourne), Kla Tantithamthavorn (Monash University and Atlassian), Chetan Arora (Monash University), Gunel Gulmammadova (Transurban), Joey Chua (Transurban)
16:50 (10 min talk) CONFUSETAINT: Exploiting Vulnerabilities to Bypass Dynamic Taint Analysis. NIER Track.