{"598310":{"#nid":"598310","#data":{"type":"news","title":"Georgia Tech Researchers Introduce OSSPolice to Find OSS Vulnerabilities and License Violations","body":[{"value":"\u003Cp\u003EWith 2.6 million apps in the Google Play Store and counting, the drive to develop the next big app is more pressing than ever. To stay on top of the competition, many developers rely on open source software (OSS) for base elements. But accidentally using compromised OSS can lead to legal and security risks.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EEnter OSSPolice, a tool for mobile app developers to easily and quickly identify OSS license violations and security vulnerabilities.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EOSSPolice is the work of five Georgia Tech researchers in the School of Computer Science (SCS): Professor \u003Ca href=\u0022https:\/\/www.cc.gatech.edu\/people\/wenke-lee\u0022\u003E\u003Cstrong\u003EWenke Lee,\u003C\/strong\u003E\u003C\/a\u003E Assistant Professor \u003Ca href=\u0022https:\/\/www.cc.gatech.edu\/people\/taesoo-kim\u0022\u003E\u003Cstrong\u003ETaesoo Kim\u003C\/strong\u003E\u003C\/a\u003E, SCS Ph.D. 
students \u003Ca href=\u0022https:\/\/www.cc.gatech.edu\/~rduan9\/\u0022\u003E\u003Cstrong\u003ERuian Duan\u003C\/strong\u003E\u003C\/a\u003E, \u003Cstrong\u003EAshish Bijlani\u003C\/strong\u003E, and \u003Ca href=\u0022https:\/\/www.cc.gatech.edu\/~mxu80\/\u0022\u003E\u003Cstrong\u003EMeng Xu\u003C\/strong\u003E\u003C\/a\u003E. They presented their research in the paper \u003Ca href=\u0022http:\/\/iisp.gatech.edu\/sites\/default\/files\/images\/identifying_open-source_license_violation_and_1-day_security_risk_at_large_scale.pdf\u0022\u003E\u003Cem\u003EIdentifying Open-Source License Violation and 1-day Security Risk at Large Scale\u003C\/em\u003E\u003C\/a\u003E at the \u003Ca href=\u0022https:\/\/ccs2017.sigsac.org\/index.html\u0022\u003EAssociation for Computing Machinery\u0026rsquo;s 2017 Conference on Computer and Communications Security\u003C\/a\u003E (CCS17).\u003C\/p\u003E\r\n\r\n\u003Cp\u003EUp to 900 attendees and 200 organizations gathered in Dallas from Oct. 30 to Nov. 2 for the annual cybersecurity conference. With papers covering topics like \u003Ca href=\u0022http:\/\/www.rh.gatech.edu\/news\/598036\/combosquatting-attack-hides-plain-sight-trick-computer-users\u0022\u003Ecombosquatting\u003C\/a\u003E (using intentionally misleading domain names to lure users onto malicious sites) and \u003Ca href=\u0022http:\/\/www.rh.gatech.edu\/news\/598030\/instant-replay-computer-systems-shows-cyber-attack-details\u0022\u003Ecyber attack tracking\u003C\/a\u003E, Tech had the strongest showing with \u003Ca href=\u0022http:\/\/iisp.gatech.edu\/georgia-tech-acm-ccs-2017\u0022\u003Eeight papers\u003C\/a\u003E accepted at the highly competitive conference, which had 836 research papers submitted and an acceptance rate of just 18 percent.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ECompromised OSS is a hot-button issue at CCS17. While OSS has sped up the rate at which apps can be developed, it has also expedited the rate of error. 
Common OSS licenses like BSD or MIT are permissive, but the Affero General Public License (AGPL) and General Public License (GPL) are less so, leading to potential copyright violations like the ones recently experienced by Cisco and VMware. Devices not updated with the latest security patches are also a risk: they carry known vulnerabilities that could be exploited to compromise users\u0026rsquo; data.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAlthough all of these risks are currently traceable, diligently ensuring that licenses are current and that OSS is updated with the latest security patches is a painstaking, error-prone process many developers don\u0026rsquo;t have the time or money for when trying to make the next big app.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EOSSPolice takes much of the guesswork out of the process for developers. It is scalable, fully automated, and highly accurate. It detects software inconsistencies thanks to a new hierarchical indexing scheme that can compare software similarities in app binaries against a database with thousands of entries. If the OSS matches one known to be compromised, it is reported so developers can adjust accordingly. It should be noted that OSSPolice only spots technical license violations and does not manage legal implications.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;OSSPolice is the first app-store-scale measurement\u0026nbsp;to identify potential license violators and vulnerable apps,\u0026rdquo; said Ruian Duan, an SCS Ph.D. student on the project.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe researchers tested OSSPolice with 60,000 C\/C++ and 77,000 Java OSS sources and analyzed 1.6 million free apps on the Google Play Store. This resulted in more than 40,000 apps possibly violating GPL and AGPL licensing, and more than 100,000 operating on potentially vulnerable OSS. 
Although the current version of the tool has only been applied to Android apps, it could be expanded to iOS, Windows, and Linux.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe research is already effecting change in the industry. The researchers have already heard from some OSS developers, such as Artifex Software Inc., who are interested in taking action against reported violators that OSSPolice has found, according to Duan. Developers who want to test the tool can find it on \u003Ca href=\u0022https:\/\/github.com\/osssanitizer\/osspolice\u0022\u003EGitHub\u003C\/a\u003E.\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"OSSPolice allows developers to identify license violations and security risks on open source software."}],"uid":"34541","created_gmt":"2017-11-02 20:01:59","changed_gmt":"2017-11-03 12:48:52","author":"Tess Malone","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2017-11-02T00:00:00-04:00","iso_date":"2017-11-02T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"598330":{"id":"598330","type":"image","title":"OSSPolice","body":null,"created":"1509713299","gmt_created":"2017-11-03 12:48:19","changed":"1509713299","gmt_changed":"2017-11-03 12:48:19","alt":"Police car","file":{"fid":"228076","name":"police-2829495_1280-1.jpg","image_path":"\/sites\/default\/files\/images\/police-2829495_1280-1.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/police-2829495_1280-1.jpg","mime":"image\/jpeg","size":174581,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/police-2829495_1280-1.jpg?itok=ZcGy0Rf5"}}},"media_ids":["598330"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer 
Science"}],"categories":[],"keywords":[],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ETess Malone, Communications Officer\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Ca href=\u0022mailto:tess.malone@cc.gatech.edu\u0022\u003Etess.malone@cc.gatech.edu\u003C\/a\u003E\u003C\/p\u003E\r\n","format":"limited_html"}],"email":["tess.malone@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}