
Supply Chain Reaction: Enhancing the Precision of Vulnerability Triage using Code Reachability Information

  • Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Software bills of materials (SBOMs) have become a crucial component of large-scale vulnerability triage. Existing SBOM approaches operate at the granularity of software packages or binary executables, providing a very coarse and context-agnostic view of a program's dependencies. In turn, if a third-party component has a vulnerability, existing SBOM tools will report it for remediation irrespective of whether a given dependent program is actually affected by that vulnerability or not. Although determining the exact conditions under which a vulnerability in a third-party component may affect a dependent program remains a challenging problem, a first robust approximation can be obtained by considering the reachability of the vulnerable code from the parent program. Based on this observation, the main goal of this work is to assess the improvement that code reachability information can offer in the precision of vulnerability triage for C/C++ programs. To that end, we developed VPChecker, a system that i) captures the dependencies of a program at the granularity of individual functions, and ii) localizes CVEs in shared libraries to the corresponding functions that contain the flaw. Using VPChecker, we conducted a large-scale vulnerability assessment of the Debian Linux ecosystem. The results of our cross-examination of over 24,000 C/C++ binaries (shipped by more than 6,600 Debian packages) with 510 CVEs in shared libraries show that function-level reachability information reduces the number of ELF binaries reported as affected by a particular CVE by 28% on average, while reducing the number of CVEs reported as affecting a particular ELF binary by 30%.
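The following is an added illustration of the triage the abstract describes; it is not VPChecker's code and uses no Debian data. It builds constructed call graphs for two hypothetical shared libraries (libimg.so, libz.so), maps three placeholder CVE labels (CVE-A, CVE-B, CVE-C) to the functions that hold the flaw, and models three hypothetical binaries by their DT_NEEDED set and imported symbols. It then reports each binary at package granularity (any linked library has a flawed function) and at function-reachable granularity (a flawed function is reachable from an import), and computes the two average reductions the abstract measures. Symbol resolution is a deliberate simplification of the dynamic linker's lookup scope, as noted in the comments.

```python
from collections import deque

# Constructed sample data (not from the paper or from Debian).
# Per-library call graph: defined function -> set of callee names. A callee may live in
# another shared library (libimg's img_inflate calls libz's z_inflate).
LIBRARY_CALL_GRAPHS = {
    "libimg.so": {
        "img_open": {"img_parse_header"},
        "img_parse_header": {"img_read_chunk"},
        "img_read_chunk": set(),
        "img_decode": {"img_read_chunk", "img_inflate"},
        "img_inflate": {"z_inflate"},
    },
    "libz.so": {
        "z_inflate": {"z_inflate_fast"},
        "z_inflate_fast": set(),
        "z_deflate": set(),
    },
}

# Placeholder CVE labels localized to (library, function) pairs containing the flaw.
CVE_TO_FUNCTIONS = {
    "CVE-A": {("libimg.so", "img_decode")},
    "CVE-B": {("libz.so", "z_inflate_fast")},
    "CVE-C": {("libz.so", "z_deflate")},
}

# Hypothetical ELF binaries: linked libraries (DT_NEEDED) and imported (undefined) symbols.
# Every import is treated as reachable from the binary's own code.
BINARIES = {
    "viewer": {"needed": {"libimg.so", "libz.so"}, "imports": {"img_open", "img_decode"}},
    "thumbnailer": {"needed": {"libimg.so", "libz.so"}, "imports": {"img_open"}},
    "compressor": {"needed": {"libz.so"}, "imports": {"z_deflate"}},
}


def resolve(symbol, needed):
    """Which loaded library defines `symbol`. Simplification: searches the binary's DT_NEEDED
    set in sorted order rather than the real lookup scope (load order, versions, preloads)."""
    for lib in sorted(needed):
        if symbol in LIBRARY_CALL_GRAPHS.get(lib, {}):
            return lib
    return None


def reachable_functions(binary):
    """BFS from the binary's imports through the call graphs of its loaded libraries.
    Returns the set of reachable (library, function) pairs."""
    needed = binary["needed"]
    seen, queue = set(), deque()
    for sym in binary["imports"]:
        lib = resolve(sym, needed)
        if lib is not None:
            queue.append((lib, sym))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        lib, fn = node
        for callee in LIBRARY_CALL_GRAPHS[lib][fn]:
            callee_lib = resolve(callee, needed)
            if callee_lib is None:
                continue  # callee's library is not in this binary's link set; skip the edge
            queue.append((callee_lib, callee))
    return seen


def package_level_triage(binaries, cve_map):
    """Coarse view: report a CVE for a binary if it links any library that contains the flaw."""
    return {name: {cve for cve, funcs in cve_map.items()
                   if any(lib in b["needed"] for lib, _ in funcs)}
            for name, b in binaries.items()}


def function_level_triage(binaries, cve_map):
    """Precise view: report a CVE only if one of its flawed functions is reachable."""
    out = {}
    for name, b in binaries.items():
        reach = reachable_functions(b)
        out[name] = {cve for cve, funcs in cve_map.items() if funcs & reach}
    return out


def binaries_per_cve(triage):
    """Invert binary -> CVEs into CVE -> binaries."""
    inv = {}
    for binary, cves in triage.items():
        for cve in cves:
            inv.setdefault(cve, set()).add(binary)
    return inv


def mean_reduction(coarse, precise):
    """Average fractional drop in reported items per key; keys missing from `precise` count as empty."""
    fracs = [1 - len(precise.get(k, set())) / len(v) for k, v in coarse.items() if v]
    return sum(fracs) / len(fracs) if fracs else 0.0


def compare(binaries=BINARIES, cve_map=CVE_TO_FUNCTIONS):
    coarse = package_level_triage(binaries, cve_map)
    precise = function_level_triage(binaries, cve_map)
    return {
        "package_level": coarse,
        "function_level": precise,
        "cve_reduction": mean_reduction(binaries_per_cve(coarse), binaries_per_cve(precise)),
        "binary_reduction": mean_reduction(coarse, precise),
    }


if __name__ == "__main__":
    r = compare()
    for b in BINARIES:
        print(f"{b}: package-level {sorted(r['package_level'][b])} -> function-level {sorted(r['function_level'][b])}")
    print(f"mean reduction per CVE: {r['cve_reduction']:.0%}, per binary: {r['binary_reduction']:.0%}")
```

On this constructed data the thumbnailer links both libraries yet reaches none of the flawed functions, so it drops out of every report, while the viewer still reaches z_inflate_fast indirectly through libimg. A real implementation would take the imported symbols and per-library call graphs from the binaries themselves (symbol tables and disassembly) and would have to handle indirect calls, symbol versioning and the linker's actual lookup order, which this sketch ignores.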

Original language: English
Title of host publication: Proceedings - 2025 Annual Computer Security Applications Conference, ACSAC 2025
Publisher: Association for Computing Machinery
Pages: 92-107
Number of pages: 16
ISBN (Electronic): 9798331594145
DOIs
State: Published - 2025
Event: 41st Annual Computer Security Applications Conference, ACSAC 2025 - Honolulu, United States
Duration: Dec 8 2025 to Dec 12 2025

Publication series

Name: Proceedings - Annual Computer Security Applications Conference, ACSAC
ISSN (Print): 1063-9527

Conference

Conference: 41st Annual Computer Security Applications Conference, ACSAC 2025
Country/Territory: United States
City: Honolulu
Period: 12/8/25 to 12/12/25

Keywords

  • Code Reachability
  • Software Supply Chain
  • Vulnerability Triage
