Detecting and Analyzing Insecure Component Integration

Component technologies have been widely adopted for designing and engineering software applications and systems, which dynamically integrate software components to achieve desired functionalities. Engineering software in a component-based style has significant benefits, such as improved programmer productivity and software reliability. To support component integration, operating systems allow an application to dynamically load and use a component. Although developers have frequently utilized such a system-level mechanism, programming errors can lead to insecure component integration and serious security vulnerabilities. The security and reliability impact of component integration has not yet been much explored. This dissertation systematically investigates security issues in dynamic component integration and their impact on software security. On the conceptual level, we formulate two types of insecure component integration—unsafe component loading and insecure component usage—and present practical, scalable techniques to detect and analyze them. Our techniques operate directly on software binaries and do not require source code. On the practical level, we have used them to discover new vulnerabilities in popular, real-world software, and show that insecure component integration is prevalent and can be exploited by attackers to subvert important software and systems. Our research has had substantial practical impact and helped to mitigate unsafe component loadings on Microsoft Windows applications. Detecting and Analyzing Insecure Component Integration