Research project to protect against vulnerabilities in freely accessible software produces two tools

06.12.2024  |  Heinz Nixdorf Institute,  Secure Software Engineering / Heinz Nixdorf Institut

Computer programs that anyone may download, modify and redistribute: that is what "open source software" is about. Developers rely on it to obtain ready-made software modules, known as libraries, from a public package repository instead of writing them from scratch. The problem is that vulnerabilities keep being found in this freely accessible code, and every application that embeds an affected library inherits them, which raises the risk of attacks and malware. To minimise this risk, scientists from the Institute of Computer Science and the Heinz Nixdorf Institute at Paderborn University joined forces with the software company SAP SE for a research project. Among other things, the experts developed tools that can recognise vulnerable libraries and help remove the vulnerabilities even when the information previously required for this is missing. The three-year project was funded by the German Research Foundation (DFG) with almost 500,000 euros.

Reducing the risk of malware

"Open source libraries are very widespread in modern software development. Although there are good reasons for this, public access also gives potential attackers insight into parts of the underlying code. This allows them to find vulnerabilities that they can exploit for cyber attacks," explains Jonas Klauke, research associate in the "Secure Software Engineering" research group at Paderborn. The good news is that the open source community also finds these vulnerabilities, reports them and repairs them in a new version of the library. Klauke explains: "To close the vulnerabilities in the applications, the library used must be updated to the repaired version. To do this, the developers need to be informed. This is done using tools that recognise libraries with vulnerabilities. The problem is that these tools are often inaccurate. That's why we have been researching an automated process that supports developers in fixing affected libraries." The aim is to close security gaps quickly and easily.

"UpCy" is already freely available

The declared aim of the project was to develop tools that can recognise vulnerable open source libraries in applications even when the usual information about those libraries is missing. This resulted in two tools, one of which is already publicly available. "The first is a scanner that makes it possible to detect libraries with vulnerabilities that are actively used in applications. As updating libraries involves some changes, the program often has to be adapted to the new version. This effort can be reduced by focusing the update on the libraries with vulnerabilities that are in use," says Klauke. The second tool, called "UpCy", helps users to update the affected libraries automatically by finding newer library versions whose adoption does not cause complications in the application. While the scanner is still being worked on, "UpCy" can already be used.
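The two ideas in the paragraphs above, reporting only the vulnerable libraries an application actually uses and then picking an update that fixes the vulnerability with as little disruption as possible, can be illustrated in a few dozen lines. The following is an added example and not the Paderborn/SAP scanner or UpCy: the library names, version lists and advisories are constructed sample data, the set of "referenced" libraries stands in for what a real scanner derives from the application's call graph, and the "stay within the same major version" rule is a simple stand-in for UpCy's actual compatibility analysis, which the article does not describe.

```python
"""Added illustration, not the Paderborn/SAP tools themselves: a minimal
dependency scanner that (1) matches declared libraries against advisory
version ranges, (2) checks whether the application actually references each
vulnerable library, and (3) proposes the smallest fixing version, preferring
one that stays within the current major version. All library names,
versions and advisories below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; missing components default to 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Advisory:
    library: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass(frozen=True)
class Finding:
    library: str
    version: str
    advisory: Advisory
    in_use: bool  # True if the application's code references the library


def scan(declared: Dict[str, str], referenced: Set[str],
         advisories: List[Advisory]) -> List[Finding]:
    """Report every declared library hit by an advisory. Libraries the
    application really uses come first: they need the update effort, while
    an unused vulnerable dependency can simply be dropped."""
    findings = [Finding(lib, ver, adv, lib in referenced)
                for lib, ver in declared.items()
                for adv in advisories
                if adv.library == lib and adv.affects(ver)]
    return sorted(findings, key=lambda f: (not f.in_use, f.library))


def choose_update(lib: str, current: str, advisories: List[Advisory],
                  available: Dict[str, List[str]]) -> Optional[Tuple[str, bool]]:
    """Smallest published version above `current` that no advisory affects,
    as (version, same_major). same_major=True means the upgrade stays in the
    current major line, which under semantic versioning should keep the API
    intact; False flags a major bump that will probably need code changes.
    None means no clean version exists, so the library must be replaced."""
    cur = parse_version(current)
    relevant = [a for a in advisories if a.library == lib]
    clean = sorted((parse_version(v), v) for v in available.get(lib, [])
                   if parse_version(v) > cur
                   and not any(a.affects(v) for a in relevant))
    if not clean:
        return None
    same_major = [v for pv, v in clean if pv[0] == cur[0]]
    return (same_major[0], True) if same_major else (clean[0][1], False)


# Constructed sample data (hypothetical libraries, not real advisories).
ADVISORIES = [
    Advisory("example-json", "1.0.0", "1.3.0"),    # patched within the 1.x line
    Advisory("example-xml", "0.0.0", "4.0.0"),     # only fixed in a new major
    Advisory("example-http", "0.9.0", "1.0.0"),
    Advisory("example-crypto", "1.0.0", "9.9.9"),  # no fixed release published
]
AVAILABLE = {
    "example-json": ["1.2.0", "1.2.1", "1.3.0", "2.0.0"],
    "example-xml": ["3.0.0", "3.0.1", "4.0.0"],
    "example-http": ["0.9.0", "1.0.0", "1.0.1"],
    "example-crypto": ["1.0.0", "1.0.1"],
    "example-log": ["5.1.0"],
}
# What the build file declares, and which libraries the code really calls
# (a real scanner derives the latter from a call graph of the application).
DECLARED = {"example-json": "1.2.1", "example-xml": "3.0.1",
            "example-http": "0.9.0", "example-crypto": "1.0.0",
            "example-log": "5.1.0"}
REFERENCED = {"example-json", "example-xml", "example-crypto", "example-log"}


def plan_updates() -> List[Tuple[str, str, bool, Optional[Tuple[str, bool]]]]:
    """(library, current version, in_use, suggested update) per finding."""
    return [(f.library, f.version, f.in_use,
             choose_update(f.library, f.version, ADVISORIES, AVAILABLE))
            for f in scan(DECLARED, REFERENCED, ADVISORIES)]


if __name__ == "__main__":
    for lib, cur, in_use, upd in plan_updates():
        status = "USED" if in_use else "unused (remove it)"
        if upd is None:
            advice = "no fixed release published; replace the library"
        else:
            advice = f"update to {upd[0]}" + ("" if upd[1] else " (major bump, expect API changes)")
        print(f"{lib} {cur}: {status}; {advice}")
```

Running the script lists the three libraries that are both vulnerable and in use ahead of the unused `example-http`, recommends the in-line patch `1.3.0` for `example-json`, flags the unavoidable major bump to `4.0.0` for `example-xml`, and reports that `example-crypto` has no clean release at all, which is the case in which an automated updater has to hand the decision back to the developer.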

Finding vulnerabilities in open source software without the source code

Existing tools can detect vulnerable open source libraries in an application, but only if the library's metadata or its source code is available. "The source code is written in a human-readable programming language and is translated into machine code to make the application executable on the computer. However, the source code cannot always be precisely assigned to the respective version of the library. If the metadata is also missing, libraries with potential vulnerabilities are overlooked," says Klauke. With the process chain developed in the project, such libraries can now be recognised even if neither metadata nor a direct link to the original source code exists.
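To make the "no metadata, no source code" problem concrete: a library jar that has lost its MANIFEST.MF and pom.properties still contains the compiled class files, and those can be matched against an index built from the known releases. The block below is an added example of one such technique, fingerprinting class files by content hash and scoring the overlap with each release; it is not the process chain developed in the project, which the article does not describe. The jars are built in memory, the class "bytecode" is placeholder bytes, and the library, versions and paths are all constructed.

```python
"""Added illustration, not the project's own process chain: identifying the
version of a library bundled in an application when its metadata
(MANIFEST.MF, pom.properties) has been stripped, by fingerprinting the
compiled class files by content hash and comparing the set against an index
built from the known releases. The jars below are constructed in memory and
the "bytecode" is placeholder bytes; a real index would be built from the
release artifacts on the package repository."""
import hashlib
import io
import zipfile
from typing import Dict, Optional, Set, Tuple


def class_digests(jar_bytes: bytes) -> Set[str]:
    """SHA-256 of each .class entry's content. Entry paths are ignored, so a
    jar whose packages were relocated still yields the same fingerprints as
    long as the class bytes themselves are unchanged."""
    digests = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                digests.add(hashlib.sha256(zf.read(info)).hexdigest())
    return digests


def build_index(releases: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """version -> fingerprint set, built once from the official release jars."""
    return {version: class_digests(jar) for version, jar in releases.items()}


def identify(unknown_jar: bytes, index: Dict[str, Set[str]],
             threshold: float = 0.5) -> Optional[Tuple[str, float]]:
    """Best-matching version by Jaccard similarity of the fingerprint sets.
    Returns None if no release reaches `threshold`, i.e. the jar is not this
    library or has been modified too heavily to attribute."""
    digests = class_digests(unknown_jar)
    if not digests:
        return None
    best: Optional[Tuple[str, float]] = None
    for version, ref in index.items():
        score = len(digests & ref) / len(digests | ref)
        if best is None or score > best[1]:
            best = (version, score)
    return best if best is not None and best[1] >= threshold else None


def make_jar(classes: Dict[str, bytes], version: Optional[str]) -> bytes:
    """Constructed jar: class entries plus an optional manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for name, body in classes.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Placeholder class contents: 1.0.1 patches Parser, 2.0.0 rewrites Parser
# and Api and adds Extra. (Constructed; real entries are JVM bytecode.)
PARSER_V1, PARSER_V1_1, PARSER_V2 = b"Parser v1", b"Parser v1.1 fix", b"Parser v2"
UTIL_V1, API_V1, API_V2, EXTRA_V2 = b"Util v1", b"Api v1", b"Api v2", b"Extra v2"
RELEASES = {
    "1.0.0": make_jar({"com/example/Parser.class": PARSER_V1,
                       "com/example/Util.class": UTIL_V1,
                       "com/example/Api.class": API_V1}, "1.0.0"),
    "1.0.1": make_jar({"com/example/Parser.class": PARSER_V1_1,
                       "com/example/Util.class": UTIL_V1,
                       "com/example/Api.class": API_V1}, "1.0.1"),
    "2.0.0": make_jar({"com/example/Parser.class": PARSER_V2,
                       "com/example/Util.class": UTIL_V1,
                       "com/example/Api.class": API_V2,
                       "com/example/Extra.class": EXTRA_V2}, "2.0.0"),
}
# A copy found inside an application: no manifest and relocated packages,
# so metadata-based matching has nothing to go on.
STRIPPED_JAR = make_jar({"shaded/example/Parser.class": PARSER_V1,
                         "shaded/example/Util.class": UTIL_V1,
                         "shaded/example/Api.class": API_V1}, None)


def identify_stripped() -> Optional[Tuple[str, float]]:
    """Attribute the stripped copy to a release; here the unpatched 1.0.0."""
    return identify(STRIPPED_JAR, build_index(RELEASES))


if __name__ == "__main__":
    print(identify_stripped())  # ('1.0.0', 1.0)
```

The stripped copy matches release 1.0.0 with full overlap and 1.0.1 with only half, so a scanner fed this result knows the application carries the unpatched Parser even though nothing in the jar names a version. Two caveats a practitioner should keep in mind: real package relocation rewrites class references inside the bytecode, so production fingerprinters normalise the constant pool or hash per-method structure rather than raw bytes as this toy does; and a Jaccard threshold is a heuristic, so near-ties between adjacent patch releases should be reported as a version range rather than a single version.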

This text was translated automatically.

Photo (Paderborn University): Experts have developed tools that can recognise and remove vulnerabilities in open source applications.

Contact

Prof. Dr. Eric Bodden
Secure Software Engineering / Heinz Nixdorf Institut
Phone: +49 5251 60-6563

Jonas Klauke
Secure Software Engineering / Heinz Nixdorf Institut
Phone: +49 5251 60-6569

Heinz Nixdorf Institute
Fürstenallee 11
33102 Paderborn
Germany
Phone: +49 5251 60 6211
E-Mail: kerstin.hille@hni.uni-paderborn.de