Software Composition Analysis Framework for Embedded Systems

Open-source libraries save developers time and effort by providing them access to pre-written functions, objects, and methods. The adoption of such libraries follows the current trend of more widespread use of open-source software and components. However, like proprietary software, open-source software suffers from bugs that can be exploited by attackers. Many of these vulnerabilities have been identified and documented and are stored in Common Vulnerabilities and Exposures (CVE) databases maintained by entities such as the National Institute of Standards and Technology (NIST). The risk posed by using open-source components in an application with known vulnerabilities is classified by the Open Web Application Security Project® (OWASP) as among the top 10 most critical security issues that need to be addressed. However, detecting, quantifying, and mitigating the risk posed by vulnerable components is a difficult and time-consuming process prone to error. When it comes to embedded systems, this process becomes only more difficult as many embedded devices operate isolated from the Internet and therefore can only be updated manually. This thesis puts forward a C language software composition analysis framework for embedded systems that examines its dependencies for known vulnerabilities accounting for both vulnerable direct dependencies and transitive dependencies. The framework also conducts a basic risk calculation to help both developers and operators of the hardware make security decisions using vulnerability metrics.