Heejo Lee – Seunghoon Woo Research Team
Presenting at USENIX Security 2023
A research team led by Professor Heejo Lee and Professor Seunghoon Woo of the Department of Computer Science at Korea University presented V1SCAN, a software vulnerability detection technology, at USENIX Security 2023, the world’s most prestigious security conference, in Anaheim, California, on August 11.
USENIX Security is one of the world’s top three computer security conferences, along with IEEE S&P and ACM CCS.
Open source software is reused ever more often for digital transformation and innovative service development, but reusing vulnerable open source software can cause security issues. V1SCAN, a technology for detecting one-day vulnerabilities in open source software, was announced to help build a secure software ecosystem. A one-day vulnerability is a case in which a patch for a software vulnerability has been developed but not applied, or in which the code was modified during reuse so that the known patch cannot be applied as is.
By improving and integrating the version-based and code-based techniques used in traditional vulnerability detection, V1SCAN detects vulnerable code propagated by open source software reuse with higher accuracy (96% precision and 91% recall).
V1SCAN is differentiated from traditional version-based vulnerability detection not only by its higher accuracy, but also by its ability to filter whether a detected vulnerability will actually cause an issue. Previous detection techniques produce 77% false positives, making it time-consuming and expensive to determine whether a reported vulnerability is real. V1SCAN, with less than 4% false positives and a 1.5 times higher detection rate than traditional techniques, detected over 130 security vulnerabilities in the top 10 C/C++ projects on GitHub and shared the highly dangerous, exploitable ones with the open source community to demonstrate its practicality.
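The one-day definition above and the filtering step described in this paragraph can be made concrete with a small illustration. The code below is an added example, not V1SCAN's code or the paper's algorithm: it models a version-based check (is the reused component's version inside the affected range?) and a deliberately simplified code-based check (does the reused function still contain the lines the security patch removed, and does it lack the lines the patch added?), then combines them so that a version-based hit is only confirmed when the vulnerable code is actually present. The vulnerability identifier, the patch lines and the three reused snippets are constructed for the example.

```python
"""Illustrative one-day vulnerability check combining a version-based and a
code-based signal. Added example; a simplification, not V1SCAN's algorithm."""
from dataclasses import dataclass, field


@dataclass
class Patch:
    """A security patch reduced to the lines it removed and the lines it added."""
    vuln_id: str                      # placeholder id, not a real CVE
    affected_below: tuple             # versions strictly below this are affected
    removed: list = field(default_factory=list)  # lines only in the vulnerable code
    added: list = field(default_factory=list)    # lines only in the patched code


def normalize(line: str) -> str:
    """Strip indentation, trailing whitespace and // comments so that
    reformatted copies of the same code still match."""
    return line.split("//", 1)[0].strip()


def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); tolerates a leading 'v'."""
    return tuple(int(p) for p in text.lstrip("v").split("."))


def version_flag(component_version: str, patch: Patch) -> bool:
    """Version-based signal: the component's declared version is affected."""
    return parse_version(component_version) < patch.affected_below


def code_status(source: str, patch: Patch) -> str:
    """Code-based signal on the reused function body.

    'vulnerable'     - removed lines present, added lines absent (one-day: patch not applied)
    'patched'        - added lines present, removed lines absent (fix applied or backported)
    'not_applicable' - neither set present (code absent or modified during reuse)
    'ambiguous'      - both present; needs manual review
    """
    lines = {normalize(l) for l in source.splitlines()} - {""}
    has_vuln = {normalize(l) for l in patch.removed} <= lines
    has_fix = {normalize(l) for l in patch.added} <= lines
    if has_vuln and not has_fix:
        return "vulnerable"
    if has_fix and not has_vuln:
        return "patched"
    if not has_vuln and not has_fix:
        return "not_applicable"
    return "ambiguous"


def assess(component_version: str, source: str, patch: Patch) -> str:
    """Combine both signals: a version hit alone is not a finding."""
    if not version_flag(component_version, patch):
        return "not_flagged"
    status = code_status(source, patch)
    if status == "vulnerable":
        return "confirmed"
    if status == "patched":
        return "filtered:backported_fix"
    if status == "not_applicable":
        return "filtered:code_absent_or_modified"
    return "review"


# Constructed patch: the upstream fix replaced an unbounded strcpy with a
# length check plus strncpy. Components below 1.3.0 are affected.
EXAMPLE_PATCH = Patch(
    vuln_id="EXAMPLE-VULN-001",
    affected_below=(1, 3, 0),
    removed=["strcpy(dst, src);"],
    added=["if (strlen(src) >= n) return -1;", "strncpy(dst, src, n);"],
)

# Constructed reused copies of the same function, all declaring version 1.2.3.
REUSED_UNPATCHED = """
int copy_name(char *dst, const char *src, size_t n) {
    strcpy(dst, src);   // vendored before the fix landed
    return 0;
}
"""
REUSED_BACKPORTED = """
int copy_name(char *dst, const char *src, size_t n) {
    if (strlen(src) >= n) return -1;
    strncpy(dst, src, n);
    return 0;
}
"""
REUSED_MODIFIED = """
int copy_name(char *dst, const char *src, size_t n) {
    size_t len = strnlen(src, n - 1);
    memcpy(dst, src, len);
    dst[len] = '\\0';
    return 0;
}
"""

if __name__ == "__main__":
    for name, src in [("unpatched", REUSED_UNPATCHED),
                      ("backported", REUSED_BACKPORTED),
                      ("modified", REUSED_MODIFIED)]:
        print(f"{name:10s} -> {assess('1.2.3', src, EXAMPLE_PATCH)}")
```

All three copies would be reported by a purely version-based scan because they all declare version 1.2.3; only the first is a genuine one-day finding, and the other two are the kind of false positive the code-based check is meant to filter out. Real patches touch many lines across several functions and reused code is often reformatted or partially rewritten, so a production tool needs far more robust matching than the exact normalized-line sets used here.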
V1SCAN can also help with SBOM management. Vulnerability Exploitability eXchange (VEX) information accompanying a Software Bill of Materials (SBOM) provides response guidance based on vulnerability threat level, and V1SCAN’s filtering capability can help prioritize which vulnerabilities to patch first.
“In order to prevent security threats from vulnerabilities, it is necessary to analyze software from a multifaceted perspective,” said Seunghoon Woo, professor of Computer Science at Korea University. “V1SCAN, which combines version-based and code-based vulnerability detection technologies to detect one-day vulnerabilities, means that security threats can be detected with high accuracy and preemptively responded to at an early stage.”
The research team of Professors Heejo Lee and Seunghoon Woo operates the technologies it has presented at top conferences, such as MOVERY, a software vulnerability detection technology presented in 2022, and CENTRIS, an open source software component detector presented in 2021, as public services. The automatic vulnerability analysis platform ‘iotcube.net’, launched in 2016, lets users try these research results by dragging and dropping, and the Labrador solution from Labrador Labs is available separately for enterprise environments.
The research was supported by MSIT (the Ministry of Science and ICT) and IITP (Institute for Information & Communication Technology Planning & Evaluation).
Original article: http://www.koit.co.kr/news/articleView.html?idxno=117106