IEEE Access (Jan 2024)
Research and Implementation of Open Source Component Library Detection for Binary Programs
Abstract
Open source component libraries are widely used in software development. However, vulnerabilities in these components spread along with them and threaten the security of the software that embeds them. The industry therefore commonly uses Software Composition Analysis (SCA) technology to assess the security of the open source components in software. However, because feature selection is ineffective and precise feature extraction from open source component libraries is difficult, the accuracy of component analysis remains low. In this paper, we propose a feature extraction method for the open source component libraries of binary programs based on fingerprint analysis. The fingerprint library is constructed from 30,000 open source projects on the GitHub platform. We propose extracting component libraries by means of exported-function fingerprint analysis, binary compilation fingerprint analysis, source code strings and similar features. Using these fingerprints, we precisely locate the open source component libraries of binary programs, and we developed the prototype tool Csrcc Sca, which achieved remarkable results when tested and evaluated on 164 firmware packages related to intelligent connected vehicles. For component version identification in component software packages, an accuracy rate of up to 96.81% was achieved; for component layout identification in firmware packages, the accuracy rate reached 83.33%.
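As an added illustration, not code from the paper or from the Csrcc Sca tool, the following Python sketch shows the fingerprint-matching idea the abstract describes: features recovered from a binary image (a strings pass, plus an exported-symbol list that a real implementation would read from the ELF dynamic symbol table) are scored against per-version fingerprints of exported functions and distinctive strings. The component names, versions, weights and sample image are constructed for the example; a tie between versions is reported rather than resolved, since exports alone often cannot separate adjacent releases once version banners are stripped.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Fingerprint:
    component: str
    version: str
    exports: frozenset  # exported function names in the reference build
    strings: frozenset  # distinctive strings: version banners, error messages

def extract_strings(blob: bytes, min_len: int = 4) -> frozenset:
    """Recover printable-ASCII runs from a binary image (a `strings`-style pass)."""
    return frozenset(m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob))

def containment(reference: frozenset, observed: frozenset) -> float:
    """Share of the reference fingerprint present in the binary. Containment, not Jaccard:
    a firmware image bundles many components, so the observed set dwarfs any one fingerprint."""
    return len(reference & observed) / len(reference) if reference else 0.0

def score(fp: Fingerprint, exports: frozenset, strings: frozenset,
          w_exports: float = 0.6, w_strings: float = 0.4) -> float:
    return round(w_exports * containment(fp.exports, exports) + w_strings * containment(fp.strings, strings), 3)

def identify(library, exports, strings, threshold=0.5):
    """Best score per component plus every version attaining it; a tie means the evidence cannot split them."""
    best = {}
    for fp in library:
        s = score(fp, exports, strings)
        if s < threshold:
            continue
        top, versions = best.get(fp.component, (-1.0, []))
        if s > top:
            best[fp.component] = (s, [fp.version])
        elif s == top:
            versions.append(fp.version)
    return best

# Constructed fingerprint library and sample binary features (not real projects).
LIBRARY = [
    Fingerprint("libfoo", "1.0.1", frozenset({"foo_init", "foo_parse", "foo_free"}),
                frozenset({"libfoo 1.0.1", "foo: bad input"})),
    Fingerprint("libfoo", "1.1.0", frozenset({"foo_init", "foo_parse", "foo_free", "foo_stream"}),
                frozenset({"libfoo 1.1.0", "foo: bad input", "foo: stream error"})),
    Fingerprint("libbar", "2.3.0", frozenset({"bar_open", "bar_read", "bar_close"}),
                frozenset({"libbar/2.3.0"})),
]
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8 + b"libfoo 1.1.0\x00foo: bad input\x00"
               b"\x90\x90foo: stream error\x00libbar/2.3.0\x00\x01\x02")
SAMPLE_EXPORTS = frozenset({"foo_init", "foo_parse", "foo_free", "foo_stream", "bar_open", "bar_read", "bar_close", "main"})
```

Calling `identify(LIBRARY, SAMPLE_EXPORTS, extract_strings(SAMPLE_BLOB))` resolves libfoo to 1.1.0 because its banner and error strings are present; passing an empty string set instead returns both libfoo versions tied at the export-only score.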
Keywords