Software frequently needs updates to keep it safe from cyberattacks.
But when vendors release patches for open-source software, they may not explicitly notify users if those updates contain important security patches, says Kun Sun, an associate professor in the Department of Information Sciences and Technology (IST) and associate director of the Center for Secure Information Systems.
They don’t share that information because they may not want users to know their software has security problems, which could damage their reputation, he says.
But if users delay the software update, it could lead to a cyberattack on the system. “Attackers can use the code changes from the patch or the difference between two versions and launch attacks on unpatched software or old software versions,” he says.
Sun and other Mason Engineering cybersecurity researchers are creating a tool that would identify security patches in updates for open-source software. This is especially important for the armed services.
“The military uses a lot of open-source software, and they want to know if there are certain security problems that they need to patch immediately,” he says.
“We are developing a machine-learning-based defense system and implementing a toolkit to automatically identify secret security patches on open-source software,” he says. “We want to tell users which updates contain security patches that they need to fix immediately.”
Sun and his colleagues are working on the research with a $699,844 award from the U.S. Army Research Lab.
The Mason research team is finishing the first year of the three-year project. Several major defense contractors are interested in the tool, Sun says.
Özlem Uzuner, IST chair, says, “The Mason cybersecurity team is at the forefront of their field, contributing both methods and practical applications that have wide applicability, for the military and beyond.”