    Detecting and Analyzing Insecure Component Usage

    Software is commonly built from reusable components that provide desired functionalities. Although component reuse significantly improves software productivity, insecure component usage can lead to security vulnerabilities in client applications. For example, we noticed that widely-used IE-based browsers, such as IE Tab, do not enable important security features that IE enables by default, even though they all use the same browser components. This insecure usage renders these IE-based browsers vulnerable to the attacks blocked by IE. To our knowledge, this important security aspect of component reuse has largely been unexplored. This paper presents the first practical framework for detecting and analyzing vulnerabilities of insecure component usage. Its goal is to enforce and support secure component reuse. Our core approach is based on differential testing and works as follows. Suppose that componen