Automated Detection and Analysis of Insecure Component Usage

Software is commonly built from reusable components that provide desired functionalities. Although component reuse significantly improves software productivity, insecure component usage can lead to security vulnerabilities in client applications. For example, we noticed that widely-used IE-based browsers, such as IE Tab, do not enable important security features that IE enables by default, even though they all use the same browser components. This insecure usage renders these IE-based browsers vulnerable to the attacks blocked by IE. To our knowledge, this important security aspect of component reuse has largely been unexplored. This paper presents the first practical framework for detecting and analyzing vulnerabilities of insecure component usage. Its goal is to enforce and support secure component reuse. Our core approach is based on differential testing and works as follows. Suppose that component C maintains a security policy configuration to block certain malicious behavior. If two clients of component C, say a reference and a test subject, handle the malicious behavior inconsistently, the test subject uses C insecurely. In particular, we model component usage related to a policy based on 1) accesses to the configuration state inside the component and 2) the conditional jumps affected by the data read from the state. We utilize this model to detect inconsistent policy evaluations, which can lead to insecure component usage. We have implemented our technique for Windows applications and used it to detect and analyze insecure usage of popular software components. Our evaluation results show that 1) insecure component usage is a general concern and frequently occurs in widelyused software, and 2) our detection framework is practical and effective at detecting and analyzing insecure component usage. In particular, it detected several serious, new vulnerabilities and helped perform detailed analysis of insecure component usage. We have reported these to the affected software vendors, some of whom have already acknowledged our findings.