Ruian Duan (Georgia Institute of Technology), Ashish Bijlani (Georgia Institute of Technology), Yang Ji (Georgia Institute of Technology), Omar Alrawi (Georgia Institute of Technology), Yiyuan Xiong (Peking University), Moses Ike (Georgia Institute of Technology), Brendan Saltaformaggio (Georgia Institute of Technology), Wenke Lee (Georgia Institute of Technology)

Mobile application developers rely heavily on open-source software (OSS)
to offload common functionalities such as the implementation of
protocols and media format playback. Over the past years, several
vulnerabilities have been found in popular open-source libraries like
OpenSSL and FFmpeg. Mobile applications that include such libraries
inherit these flaws, which make them vulnerable. Fortunately, the
open-source community is responsive and patches are made available
within days. However, mobile application developers are often left
unaware of these flaws. The App Security Improvement Program (ASIP) is
a commendable effort by Google to notify application developers of these
flaws, but recent work has shown that many developers do not act on this
information.

Our work addresses vulnerable mobile applications through automatic
binary patching from source patches provided by the OSS maintainers and
without involving the developers. We propose novel techniques to
overcome difficult challenges like patching feasibility analysis,
source-code-to-binary-code matching, and in-memory patching. Our
technique uses a novel variability-aware approach, which we implement as
OSSPatcher. We evaluated OSSPatcher with 39 OSS and a collection of
1,000 Android applications using their vulnerable versions. OSSPatcher
generated 675 function-level patches that fixed the affected mobile
applications without breaking their binary code. Further, we evaluated
10 vulnerabilities in popular apps such as Chrome with public exploits,
which OSSPatcher was able to mitigate and thwart their exploitation.

View More Papers

Measuring the Facebook Advertising Ecosystem

Athanasios Andreou (EURECOM), Márcio Silva (UFMG), Fabrício Benevenuto (UFMG), Oana Goga (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG), Patrick Loiseau (Univ. Grenoble Alpes, CNRS, Inria, Grenoble INP, LIG & MPI-SWS), Alan Mislove (Northeastern University)

Read More

IoTGuard: Dynamic Enforcement of Security and Safety Policy in...

Z. Berkay Celik (Penn State University), Gang Tan (Penn State University), Patrick McDaniel (Penn State University)

Read More

DIAT: Data Integrity Attestation for Resilient Collaboration of Autonomous...

Tigist Abera (Technische Universität Darmstadt), Raad Bahmani (Technische Universität Darmstadt), Ferdinand Brasser (Technische Universität Darmstadt), Ahmad Ibrahim (Technische Universität Darmstadt), Ahmad-Reza Sadeghi (Technische Universität Darmstadt), Matthias Schunter (Intel Labs)

Read More

Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks

Michael Rodler (University of Duisburg-Essen), Wenting Li (NEC Laboratories, Germany), Ghassan O. Karame (NEC Laboratories, Germany), Lucas Davi (University of Duisburg-Essen)

Read More