Towards Efficient C/C++ Vulnerability Impact Assessment in Package Management Systems
摘要
In the software supply chain, vulnerability impacts extend beyond the initially reported package, affecting dependent packages within the ecosystem. This presents a challenge for maintainers to determine if their systems are vulnerable when invoking the affected packages through indirect or nested dependencies. To address this challenge, we propose PackShield to efficiently assess the impact of vulnerabilities within package management systems. PackShield integrates code-based detection and testcase-based verification to accurately confirm if a package is affected by the vulnerability. Specifically, it extracts vulnerability and patch code from vulnerability reports and locates this code within target packages. If the vulnerability exists without an applied patch, it further generates a Proof-of-Concept via directed fuzzing to verify its presence. The directed fuzzing is performed on a sliced harness containing the critical path to trigger the vulnerability rather than the whole application. We evaluate PackShield on two popular package management systems (i.e., Ubuntu’s APT system and Fedora’s DNF system) with a dataset of 3,321 vulnerability reports. We identified 345 security issues in 6 Ubuntu versions and 40 security issues in 4 Fedora versions, especially pointing out the security issues in old OS versions. We also show that PackShield outperforms other tools (i.e., Dependency-Check and V1SCAN).