Sub­pro­ject T5 (sin­ce Oc­to­ber 1, 2024)

Reliable and automated code-based analysis of Open-Source Dependencies (Reaktor)

This transfer project builds on top of research from the collaborative research center 901 “On-The-Fly Computing”. In this transfer project, we explore how techniques from the quality assurance of services in on-the-fly service markets can be applied to the pressing problem of securely managing open-source dependencies in large software development ecosystems in a reliable and automated fashion.

Particularly, the project aims to research, develop, and assess novel techniques to enable a detection and mitigation of known-to-be-vulnerable third-party dependencies within software compositions which can reliably be applied on large-scale applications in a fully automated way. To this end, the project seeks to build on top of the results of the CRC’s transfer project Automated risk analysis with respect to open-source dependencies (Hektor). It will extend the Hektor tool chain and add means to enable an application to large scale software systems that current approaches are not able to analyze. The project seeks to extend the developed techniques and validate their efficacy in a real-world setting at the partner company SAP SE.

The tool REAKTOR will provide a means to reliably track the evolution of vulnerability fixes and will transform them into their bytecode representation to enable a reliable matching against open-source dependencies that applications under development include in binary form. Furthermore, targeted micro-execution of relevant code parts will address unexplored dynamic programming features, closing gaps in the reachability analysis of HEKTOR. This will be evaluated using a benchmark generator creating challenging test cases with a complete ground truth. In combination with the HEKTOR tool, REAKTOR will be able to reliably and fully automatically identify vulnerabilities, assess their potential impact and minimize the attack surface in large scale applications, even when the vulnerable code and surrounding dependency have been modified.

In collaboration with SAP, a world-leader for the development and provision of cloud services for business-to-business, we aim to implement and evaluate REAKTOR such that it is ready to be applied on a large scale, and to a large and diverse set of real-world software development projects.