Subproject T3 (since August 1, 2021)

Automated risk analysis with respect to open-source dependencies (Hektor)

This transfer project builds on top of research from the collaborative research center 901 “On-The-Fly Computing”. It researches how techniques from the quality assurance of services in On-The-Fly service markets can be applied to the pressing problem of securely managing open-source dependencies in large software development ecosystems.

Particularly, the project aims to research, develop and assess novel techniques to efficiently and precisely detect and mitigate the inclusion of known-to-be-vulnerable third-party dependencies within software compositions. The project seeks to build an open-source toolchain called HEKTOR, which will support the secure development of applications and services. To this end, the project directly builds on top of recent developments in the CRC’s subproject B4, which is co-headed by the PI Prof. Bodden. These developments, in principle, should allow for the precise and efficient analysis of software artifacts on a massive scale. The project seeks to extend the developed techniques and validate their efficacy in a real-world setting at the partner company SAP SE.

The tool HEKTOR will enable developers to assess the risk associated with the use of third-party dependencies. Using newly developed fingerprinting techniques, HEKTOR will be able to reliably identify vulnerable code even when it has been repackaged or recompiled from source, so that neither the declared artifact coordinates nor the binary hash match the published vulnerable release, a situation frequently encountered in practice. Moreover, through countermeasures such as automated library minimization, HEKTOR will allow developers to reduce their applications' attack surface by removing library code the application never calls; since code that is absent cannot be exploited, this also protects against certain kinds of vulnerabilities that are not yet known.
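To make the two ideas above concrete, the following Python snippet is an added illustration, not HEKTOR's code and not the project's fingerprinting technique. It assumes a deliberately simple model: each library is a set of method bodies, a fingerprint is the hash of a whitespace-insensitive token sequence of a method body, and a vulnerable library is "found" in an artifact when most of its method fingerprints reappear there. All library names, coordinates and method bodies are constructed sample data. The example shows that matching on declared coordinates misses a shaded copy of the library, that content fingerprints still catch it, and that call-graph-based minimization from the application's entry point drops library methods the application never reaches.

```python
"""Illustrative only: content fingerprinting and call-graph minimization (hypothetical)."""
import hashlib
import re
from collections import deque

TOKEN = re.compile(r"\w+|[^\w\s]")   # identifiers/numbers or single punctuation chars
CALL = re.compile(r"\b(\w+)\s*\(")    # crude "name(" call-site detector

# Constructed sample: a (hypothetical) vulnerable library release, keyed by coordinates.
KNOWN_VULNERABLE = {
    "com.example:parser:1.2": {
        "parse": "return decode(input, 0);",
        "decode": "int len = input[i]; byte[] buf = new byte[len]; return copy(buf, input, i);",
        "copy": "for (int k = 0; k < buf.length; k++) buf[k] = src[i + k]; return buf;",
        "dump": "return exec(cmd);",
    },
}

# Constructed sample: the same code shaded into another package, reformatted and
# shipped under different coordinates together with the application's own code.
SHADED_ARTIFACT = {
    "coordinates": "org.acme:app-shaded:3.0",
    "methods": {
        "org.acme.shaded.Parser.parse": "  return decode(input,0);",
        "org.acme.shaded.Parser.decode": "int len=input[i];\n byte[] buf=new byte[len];\n return copy(buf,input,i);",
        "org.acme.shaded.Parser.copy": "for(int k=0;k<buf.length;k++) buf[k]=src[i+k];  return buf;",
        "org.acme.shaded.Parser.dump": "return exec( cmd );",
        "org.acme.App.main": "Parser.parse(args[0]);",
    },
}


def normalize(body: str) -> str:
    """Canonical token string, insensitive to whitespace and indentation changes
    introduced by reformatting or recompiling from source (assumed model)."""
    return " ".join(TOKEN.findall(body))


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode()).hexdigest()


def fingerprints(methods: dict) -> set:
    return {fingerprint(b) for b in methods.values()}


def coordinate_match(known: dict, artifact: dict) -> list:
    """Naive detection: compare declared coordinates. Fails once code is repackaged."""
    return [coords for coords in known if coords == artifact["coordinates"]]


def fingerprint_match(known: dict, artifact: dict, threshold: float = 0.8) -> list:
    """Content-based detection: share of a known library's method fingerprints that
    reappear in the artifact, regardless of package or artifact name."""
    present = fingerprints(artifact["methods"])
    hits = []
    for coords, methods in known.items():
        fps = fingerprints(methods)
        containment = len(fps & present) / len(fps)
        if containment >= threshold:
            hits.append((coords, round(containment, 2)))
    return hits


def reachable_methods(methods: dict, entry: str) -> set:
    """Methods reachable from `entry` via a crude name-based call graph."""
    by_short_name = {m.rsplit(".", 1)[-1]: m for m in methods}
    seen, todo = {entry}, deque([entry])
    while todo:
        current = todo.popleft()
        for callee in CALL.findall(methods[current]):
            target = by_short_name.get(callee)
            if target and target not in seen:
                seen.add(target)
                todo.append(target)
    return seen


def minimize(artifact: dict, entry: str) -> dict:
    """Library minimization: keep only methods the application can actually reach."""
    keep = reachable_methods(artifact["methods"], entry)
    return {m: b for m, b in artifact["methods"].items() if m in keep}


if __name__ == "__main__":
    print("coordinate match:", coordinate_match(KNOWN_VULNERABLE, SHADED_ARTIFACT))
    print("fingerprint match:", fingerprint_match(KNOWN_VULNERABLE, SHADED_ARTIFACT))
    print("kept after minimization:", sorted(minimize(SHADED_ARTIFACT, "org.acme.App.main")))
```

Run stand-alone, the coordinate check reports nothing, the fingerprint check reports the shaded copy of `com.example:parser:1.2` with full containment, and minimization drops `Parser.dump`, which the application never calls. A real implementation would fingerprint bytecode or an AST rather than token strings, and would derive the call graph with a proper static analysis; the threshold and the name-based call matching here are simplifying assumptions.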

In collaboration with SAP, a world leader in developing and providing business-to-business cloud services, we aim to implement and evaluate HEKTOR so that it can be applied at scale to a large and diverse set of real-world software development projects.