OSSPatcher: Automated mobile application patching for bugs in open source libraries

Researchers from the Georgia Tech and Peking University are working on OSSPatcher, a system for automatic patching of vulnerable open source libraries included in mobile applications.

Fulfilling a need

Most software developers use well-adapted third-party open source libraries/software to accelerate the application development process. Security bugs in these libraries are popping up regularly and are getting fixed quickly, but many mobile application developers fail to keep track of disclosed bugs and to implement the fixes without delay.

OSSPatcher is aimed at making their lives easier and making their applications more secure for users.

About OSSPatcher

OSSPatcher currently focuses on patching bugs in vulnerable C libraries.

Unlike similar solutions such as PatchDroid, which relies on the availability of a compiled patch, OSSPatcher uses source patches provided by the OSS maintainers.

“OSSPatcher assumes that sources of apps are not publicly available, and that developers compile OSS directly from their release versions without tampering with OSS source code. [It] also assumes that information from NVD, such as the specified vulnerable versions and the corresponding patching commits are accurate,” the researchers explain.

The system first collects the needed material (OSS patch commits, vulnerable OSS versions, Android apps with vulnerable OSS versions) then analyzes source patches for their feasibility and converts vulnerable functions that can be patched into a variability-aware abstract syntax tree (VAST) to enable further analysis.

The “Matcher” component performs source-to-binary comparison to identify function addresses, configuration options, and variable addresses and, finally, the “Patcher” component generates patched libraries and performs in-memory patch injection.

How well does it work?

The researchers tested the OSSPatcher prototype with 39 open source libraries and 1,000 Android vulnerable apps. It created 675 feasible patches (out of a total of 1,140) that fixed the affected mobile applications without breaking their binary code and incurring significant memory and performance overhead.

They also evaluated 10 vulnerabilities in popular apps such as Android Chrome with public exploits and OSSPatcher was able to mitigate them.

The system currently has several limitations but shows promise. The researcher found that it currently works best for open source software with a large number of CVEs, patches, vulnerable versions, and a stable code base (e.g., FFmpeg, OpenSSL).

They also noted that it can be adapted to perform hot-patching at runtime, to patch vulnerabilities in userspace programs of any Linux- based system, and to help app developers to push their security patches quickly to users.