Minimizing Software-Rooted Risk through Library Implementation Selection

Abstract

In contemporary Internet of Things (IoT) systems, complex software artifacts are deployed to realize the required functionalities. The business logic of these software artifacts is uniquely composed through code that is customly developed according to the requirements, while all software artifacts utilize libraries that implement generic functionalities, which are needed in the context of the realized operations. Libraries, however, often entail vulnerabilities, which may be exploited by threat agents to attack the system. In many cases, the functionality required by an application is realized by a number of alternative libraries, with each library having its own list of vulnerabilities, while differentiations in other non-functional properties (e.g. execution efficiency, memory footprint etc.) may also be present. In this paper, we present an approach for automating the task of minimizing the risk level of IoT systems that is owing to the vulnerabilities of libraries required by software artifacts. The proposed approach exploits knowledge on which libraries provide equivalent implementations of the same functionalities, and automatically assesses the risk level of candidate library combinations and finally selects the library configuration exhibiting the minimum risk level to bundle into the executable software artifact. Additionally, the risk level of candidate implementations is constantly monitored for new vulnerability identifications or fixes in the implementations, triggering new risk assessments and producing new executables as appropriate. The proposed approach can be used in IoT platform deployment to minimize the software-rooted risk level.