Title: A Software Composition Analysis Framework for Embedded Systems
Student: Nicholas Chan
Major Advisor: Dr. John Chandy
Associate Advisors: Dr. Benjamin Fuller and Dr. Laurent Michel
Date/Time: Tuesday, April 12, 2022, 1:00 PM
Location: WebEx
Meeting Link: https://uconn-cmr.webex.com/uconn-cmr/j.php?MTID=md000428777ba61b819d8255e306e7cee
Meeting Number: 2621 933 6283
Meeting Password: WnFyw3AmC72
Join by phone: +1-415-655-0002 US Toll
Access code: 2621 933 6283
Abstract: Open-source libraries save developers time and effort by giving them access to pre-written functions, objects, and methods. The adoption of such libraries follows the broader trend toward more widespread use of open-source software and components. However, like proprietary software, open-source software suffers from bugs that attackers can exploit. Many of these vulnerabilities have been identified, documented, and stored in Common Vulnerabilities and Exposures (CVE) databases maintained by entities such as the National Institute of Standards and Technology (NIST). The Open Web Application Security Project® (OWASP) classifies the risk posed by using open-source components with known vulnerabilities in an application as among the top 10 most critical security issues that need to be addressed. However, detecting, quantifying, and mitigating the risk posed by vulnerable components is a difficult, time-consuming, and error-prone process. For embedded systems this process only becomes more difficult, as many embedded devices operate isolated from the internet and can therefore only be updated manually. This thesis puts forward a C language software composition analysis framework for embedded systems that examines an application's dependencies for known vulnerabilities, accounting for both vulnerable direct dependencies and vulnerable transitive dependencies. The framework also conducts a basic risk calculation using CVSS metrics to help both developers and operators of the hardware make security decisions.
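As an added illustration of the two steps the abstract names (resolving transitive dependencies, then matching components against known-vulnerability records and scoring the hits with CVSS base scores), here is a small Python sketch. It is not the thesis's code: the dependency graph, the advisory table with placeholder identifiers, the version-range matching, and the count/maximum-score aggregation are all constructed assumptions for this example.

```python
# Constructed dependency graph for a hypothetical embedded C firmware image.
# Keys are (name, version); values are the components each one links against.
DEPENDENCIES = {
    ("firmware", "1.0"): [("libtls", "2.3"), ("libjson", "1.1")],
    ("libtls", "2.3"): [("libbignum", "0.9")],
    ("libjson", "1.1"): [],
    ("libbignum", "0.9"): [],
}
ROOT = ("firmware", "1.0")

# Constructed advisory table: placeholder IDs, not real CVE numbers.
# Each entry names an affected component, an inclusive version range,
# and an assumed CVSS base score.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "libbignum", "min": "0.1", "max": "0.9", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "name": "libjson", "min": "1.0", "max": "1.0", "cvss": 5.3},
]

def version_key(v):
    """Turn a dotted version string into a tuple for numeric comparison."""
    return tuple(int(p) for p in v.split("."))

def resolve(root):
    """Walk the graph from root, recording each component's shortest depth
    (1 = direct dependency, 2+ = transitive)."""
    depth = {}
    stack = [(dep, 1) for dep in DEPENDENCIES[root]]
    while stack:
        node, d = stack.pop()
        if node in depth and depth[node] <= d:
            continue  # already reached by an equal or shorter path
        depth[node] = d
        stack.extend((child, d + 1) for child in DEPENDENCIES.get(node, []))
    return depth

def findings(root):
    """Match every resolved component against the advisory table."""
    out = []
    for (name, version), d in resolve(root).items():
        for adv in ADVISORIES:
            in_range = (version_key(adv["min"]) <= version_key(version)
                        <= version_key(adv["max"]))
            if adv["name"] == name and in_range:
                out.append({"id": adv["id"], "component": f"{name} {version}",
                            "kind": "direct" if d == 1 else "transitive",
                            "cvss": adv["cvss"]})
    return out

def risk_summary(root):
    """Simplified risk roll-up: number of hits, worst CVSS base score,
    and how many hits were only reachable through transitive dependencies."""
    f = findings(root)
    return {"count": len(f),
            "max_cvss": max((x["cvss"] for x in f), default=0.0),
            "transitive_hits": sum(1 for x in f if x["kind"] == "transitive")}
```

On this constructed input the only hit is in libbignum, which the firmware never names directly, so a scan that ignored transitive dependencies would report a clean image.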