BIZ-COMMSEC: Copy-paste Vulnerabilities

PRESENTATION SLIDES (PDF)

In recent years, there has been a push towards using open-source and third-party libraries as part of software development. Thousands of new libraries are released to sites such as npm, RubyGems and Maven Central every day, which fuels this growing phenomenon, and package managers let developers keep track of them. However, alongside the convenience of having pieces of programs pre-written, this also opens software up to third-party risk.

There have been several notable security issues in the news recently due to third-party risk. One of these was Heartbleed: an issue found in the OpenSSL cryptography library. Heartbleed affected millions of websites, purely because they were using the vulnerable library. One of the major ways in which applications open themselves up to third-party risk is copy-and-paste programming. In this work, we study the impact of vulnerabilities that arise solely due to copy-pasted code. We call them copy-paste vulnerabilities.

There are three different ways that developers may introduce a copy-paste vulnerability into their application:

  • Copying code of a complete library which may be in a single file or split over multiple files.
  • Copying code snippets from a library and using them in another library or application.
  • Porting a complete library or code snippet from one language to another.

Detecting copy-paste vulnerabilities is difficult due to the following challenges:

  • The copied code may not always be in an application written in the same language.
  • JavaScript developers often use a minifier (or uglifier) to reduce file size. This changes the original file, as it removes whitespace and comments.
  • In order to have only a single third-party JavaScript dependency in the application, developers use concatenation to generate one large file that includes all dependencies. Thus, a file that is copy-pasted may end up inside another large file.
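To illustrate the last two challenges, here is an added example (not the talk's proof-of-concept tool) of a matcher that recognises a known snippet inside a minified, concatenated JavaScript bundle. It tokenises both files, drops comments, whitespace and semicolons, normalises string quotes and abstracts renameable local identifiers to a placeholder, so the fingerprint survives minification; the snippet and bundle are constructed samples, and regex literals and template strings are assumed not to occur.

```python
import re

# Tokenizer for a practical subset of JavaScript. Comments are matched first
# so they can be dropped; everything else becomes one token.
TOKEN_RE = re.compile(r"""
    /\*.*?\*/ | //[^\n]*                    # comments (dropped below)
  | "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*'   # string literals
  | \d+(?:\.\d+)?                           # numbers
  | [A-Za-z_$][\w$]*                        # identifiers and keywords
  | ===|!==|==|!=|<=|>=|&&|\|\||[^\s\w]     # punctuators
""", re.VERBOSE | re.DOTALL)
KEYWORDS = {"function", "return", "var", "let", "const", "if", "else",
            "for", "while", "new", "this", "typeof", "null", "true", "false"}

def fingerprint(src):
    """Token list of src with comments, whitespace and ';' removed, string
    quotes normalised, and non-property identifiers abstracted to ID
    (assumption: a minifier may rename them but keeps property names)."""
    toks = []
    for m in TOKEN_RE.finditer(src):
        t = m.group(0)
        if t.startswith(("/*", "//")) or t == ";":
            continue
        if t[0] in "\"'":
            t = '"' + t[1:-1] + '"'          # 'x' and "x" compare equal
        elif re.match(r"[A-Za-z_$]", t) and t not in KEYWORDS \
                and (not toks or toks[-1] != "."):
            t = "ID"                          # renameable local name
        toks.append(t)
    return toks

def find_copies(snippet, bundle):
    """Token offsets in bundle where the snippet's fingerprint occurs."""
    n, h = fingerprint(snippet), fingerprint(bundle)
    return [i for i in range(len(h) - len(n) + 1) if h[i:i + len(n)] == n]

# Constructed sample: a reference snippet with a known-bad pattern (writing
# untrusted text via innerHTML) and a bundle in which a minified copy of it
# sits between two other libraries.
VULNERABLE_SNIPPET = """
// render user-supplied text into the page
function render(container, text) {
  container.innerHTML = "<p>" + text + "</p>";
}
"""
BUNDLE = "!function(){var a=1}();function r(c,t){c.innerHTML='<p>'+t+'</p>'}/* lib2 */var x=2;"
```

Calling `find_copies(VULNERABLE_SNIPPET, BUNDLE)` reports the token offset of the minified copy, while a plain substring search on the original source would miss it.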

In this talk, we will look at how we identified these copy-paste vulnerabilities and their impact on the open-source community. We will also discuss mitigation strategies and release a proof-of-concept tool for detecting these issues.

Biz-CommSec
Location: InterContinental
Date: August 26, 2016
Time: 2:00 pm - 2:30 pm
Speaker: Vanessa Henderson