A Survey of Third-Party Library Security Research in Application Software (2404.17955v1)
Abstract: Third-party libraries play a central role in modern software development: they give developers rich functionality and ready-made solutions, speeding up development and raising its efficiency. With their widespread use, however, the security risks they carry have become increasingly apparent. A vulnerability in a widely reused library is inherited by every application that embeds it, and attackers can exploit such vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information, posing a severe threat to software security. Research on third-party libraries is therefore essential to addressing this growing security challenge. A substantial body of work exists on the usage, ecosystems, detection, and fortification of third-party libraries. Studies of usage and ecosystems help developers understand the risks a library brings and select trustworthy ones. Third-party library detection tools automatically discover the libraries embedded in software, including obfuscated or partially imported ones, which is a precondition for managing them and for mapping disclosed vulnerabilities to the applications they affect. Beyond detection, fortification defenses such as patch tracking and application compartmentalization are also indispensable. This article surveys and analyzes this literature, summarizing current research achievements and future directions. It aims to provide practical insights for developers and researchers, jointly promoting the healthy development of software ecosystems and better protecting software from security threats.
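The abstract mentions detection tools that discover third-party libraries embedded in software even when identifiers have been renamed. The following is an added example, not code from the survey or from any tool it cites, showing the core idea behind fingerprint-based detectors: build a signature for each library from features that survive identifier renaming (here, the opcode sequence of each function's Python bytecode), then score how much of each signature reappears in a target program. The library names, library sources and the target "app" are constructed for this example; the helper names (`function_fingerprints`, `score_libraries`, `detect`) are this example's own.

```python
"""Identifier-renaming-resilient third-party library (TPL) detection.

Added example, not code from the survey or any tool it cites. Library names,
sources and the target app below are constructed stand-ins for real packages.
"""
import dis
import hashlib
import types


def function_fingerprints(source: str, min_instructions: int = 8) -> set[str]:
    """Hash the opcode sequence of every top-level function in `source`.

    Variable, function and attribute names are not part of an opcode name, so
    a renamed copy of a function yields the same fingerprint. Functions with
    fewer than `min_instructions` instructions are skipped: trivial bodies
    such as `return x` occur in almost every program and only inflate matches.
    """
    module = compile(source, "<tpl>", "exec")
    fingerprints = set()
    for const in module.co_consts:
        if not isinstance(const, types.CodeType):
            continue
        opnames = [ins.opname for ins in dis.get_instructions(const)]
        if len(opnames) < min_instructions:
            continue
        fingerprints.add(hashlib.sha256(" ".join(opnames).encode()).hexdigest())
    return fingerprints


def build_library_db(libraries: dict[str, str]) -> dict[str, set[str]]:
    """Map library name -> signature (the set of its function fingerprints)."""
    return {name: function_fingerprints(src) for name, src in libraries.items()}


def score_libraries(app_source: str, db: dict[str, set[str]]) -> dict[str, float]:
    """Fraction of each library's signature that reappears in the app."""
    app_fps = function_fingerprints(app_source)
    return {name: (len(sig & app_fps) / len(sig) if sig else 0.0)
            for name, sig in db.items()}


def detect(app_source: str, db: dict[str, set[str]], threshold: float = 0.5) -> list[str]:
    """Names of libraries whose signature coverage reaches `threshold`."""
    scores = score_libraries(app_source, db)
    return sorted(name for name, s in scores.items() if s >= threshold)


# Constructed library sources (hypothetical packages).
LIBRARIES = {
    "simplecrypt-1.0": '''
def rotate(data, key):
    out = []
    for b in data:
        out.append((b + key) % 256)
    return bytes(out)

def checksum(data):
    total = 0
    for b in data:
        total = (total * 31 + b) & 0xFFFF
    return total
''',
    "minihtml-2.1": '''
def escape(text):
    result = ""
    for ch in text:
        if ch == "<":
            result += "&lt;"
        elif ch == ">":
            result += "&gt;"
        else:
            result += ch
    return result

def join_items(items):
    parts = []
    for key, value in items:
        parts.append(key + "=" + value)
    return "&".join(parts)
''',
}

# Constructed target app: simplecrypt copied in with every identifier renamed
# (what a name-mangling obfuscator produces), plus the app's own code.
APP_SOURCE = '''
def a(x, y):
    z = []
    for q in x:
        z.append((q + y) % 256)
    return bytes(z)

def b(x):
    t = 0
    for q in x:
        t = (t * 31 + q) & 0xFFFF
    return t

def main_logic(cfg):
    if cfg.get("debug"):
        return "debug"
    return "prod"
'''

LIBRARY_DB = build_library_db(LIBRARIES)

if __name__ == "__main__":
    for name, score in score_libraries(APP_SOURCE, LIBRARY_DB).items():
        print(f"{name}: {score:.2f} of signature matched")
    print("detected:", detect(APP_SOURCE, LIBRARY_DB))
```

Two caveats a practitioner should keep in mind. First, opcode-sequence fingerprints survive identifier renaming but not control-flow obfuscation or inlining, which is why the Android and binary detectors surveyed combine several feature levels (class or module structure, call relations, semantic matching). Second, the signatures here are version-agnostic: any release of `simplecrypt` whose function bodies are unchanged scores the same, so mapping a detection to a specific vulnerable version needs additional version-discriminating features, the problem the version-detection work in this survey addresses.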
Authors: Jia Zeng, Dan Han, Yaling Zhu, Yangzhong Wang, Fangchen Weng