A Software Composition Analysis Framework for Embedded Systems
Digital Document
Handle
http://hdl.handle.net/11134/20002:860695789
Persons
Creator (cre): Chan, Nicholas
Major Advisor (mja): Chandy, John
Associate Advisor (asa): Michel, Laurent
Associate Advisor (asa): Fuller, Benjamin
Title
A Software Composition Analysis Framework for Embedded Systems (title non-sort: "A")
Digital Origin
born digital
Description
Open-source libraries save developers time and effort by giving them access to pre-written functions, objects, and methods. The adoption of such libraries follows the broader trend toward more widespread use of open-source software and components. However, like proprietary software, open-source software suffers from bugs that attackers can exploit. Many of these vulnerabilities have been identified, documented, and stored in Common Vulnerabilities and Exposures (CVE) databases maintained by entities such as the National Institute of Standards and Technology (NIST). The risk of using open-source components with known vulnerabilities in an application is classified by the Open Web Application Security Project® (OWASP) as among the top 10 most critical security issues that need to be addressed. Yet detecting, quantifying, and mitigating the risk posed by vulnerable components is a difficult, time-consuming, and error-prone process. For embedded systems the process becomes harder still, because many embedded devices operate isolated from the Internet and can therefore only be updated manually. This thesis puts forward a C language software composition analysis framework for embedded systems that examines an application's dependencies for known vulnerabilities, accounting for both vulnerable direct dependencies and vulnerable transitive dependencies. The framework also performs a basic risk calculation from vulnerability metrics to help both developers and operators of the hardware make security decisions.
Organizations
Degree granting institution (dgg): University of Connecticut
Degree Name
Master of Science

Degree Level
Master

Degree Discipline
Computer Science and Engineering

Local Identifier
S_24115308