Georgia Tech Researchers Introduce OSSPolice to Find OSS Vulnerabilities and License Violations

With 2.6 million apps in the Google Play Store and counting, the drive to develop the next big app is more pressing than ever. To stay on top of the competition, many developers rely on open source software (OSS) for base elements. But accidentally using compromised OSS can lead to legal and security risks.

Enter OSSPolice, a tool for mobile app developers to easily and quickly identify OSS license violations and security vulnerabilities.

OSSPolice is the work of five Georgia Tech researchers in the School of Computer Science (SCS): Professor Wenke Lee, Assistant Professor Taesoo Kim, SCS Ph.D. students Ruian Duan, Ashish Bijlani, and Meng Xu.They presented their research in the paper Identifying Open-Source License Violation and 1-day Security Risk at Large Scale at the Association of Computer Machinery’s 2017 Conference on Computer and Communications Security (CCS17).

Up to 900 attendees and 200 organizations gathered in Dallas from Oct. 30 to Nov. 2, for the annual cybersecurity conference. Covering topics like comobsquatting (using intentionally misleading domain names to lure users onto malicious sites) and cyber attack tracking, Tech has the strongest showing with eight papers accepted at the highly competitive conference, which had 836 research papers submitted with an acceptance rate of just 18 percent.

Compromised OSS is a hot-button issue at CCS17. While OSS has sped up the rate at which apps can be developed, it has also expedited the rate for error. Common OSS software licenses like BSD or MIT are permissive, but Affero General Public License (AGPL) and General Public License (GPL) are less so, leading to potential copyright violations like the ones recently experienced by Cisco and VMWare. Devices not updated with the latest security patches are also a risk and present vulnerabilities that could exploit users’ data.

Although all of these risks are currently traceable , diligently ensuring licenses are current or OSS are updated with the latest security is a painstaking, error-prone process many developers don’t have the time or money for when trying to make the next big app.

OSSPolice takes much of the guesswork out of the process for developers. It is scalable, fully automated, and highly accurate. It detects software inconsistencies thanks to a new hierarchical indexing scheme that can compare software similarities in app binaries against a database with thousands of entries. If the OSS matches with one known to be compromised, it is reported so developers can adjust accordingly. It should be noted that OSSPolice only spots technical license violations and does not manage legal implications.

“OSSPolice is the first app store scale measurement to identify potential license violators and vulnerable apps,” said Ruian Duan, an SCS Ph.D. student on the project.

The researchers tested OSSPolice with 60,000 C/C++ and 77,000 Java OSS sources and analyzed 1.6 million free apps on the Google Play Store. This resulted in more than 40,000 apps possibly violating GPL and AGPL licensing, and more than 100,000 operating on potentially vulnerable OSS. Although the current version of the tool has only been applied to Android apps, it could be expanded to iOS, Windows, and Linux.

The research is already effecting change in the industry. The researchers have already heard from some OSS developers, such as Artifex Software Inc., who are interested in taking action against reported violators that OSSPolice has found, according to Duan. Developers who want to test the tool can find it on GitHub.

Core Research Areas: 
Contact: 

Tess Malone, Communications Officer

tess.malone@cc.gatech.edu