SBIR-STTR Award

Machine Learning-Based Approach for Vulnerability Detection in Third Party Libraries Explicitly Or Implicitly (Copied) Into Code
Award last edited on: 12/30/2021

Sponsored Program
SBIR
Awarding Agency
DOD : Navy
Total Award Amount
$139,986
Award Phase
1
Solicitation Topic Code
N203-151
Principal Investigator
Derek Doran

Company Information

Tenet 3 LLC

5812 Batsford Drive
Dayton, OH 45459
   (937) 477-8883
   N/A
   www.tenet3.com
Location: Single
Congr. District: 10
County: Montgomery

Phase I

Contract Number: N68335-21-C-0299
Start Date: 3/25/2021    Completed: 8/30/2021
Phase I year
2021
Phase I Amount
$139,986
Modern software projects rely on third party libraries. These libraries are often delivered as is, with no guarantee that the code is free of vulnerabilities, and they represent a hard-to-mitigate attack vector into software. Tenet3, LLC will address this problem with an innovative machine learning-based approach for vulnerability detection in third party libraries that are explicitly linked or implicitly (copied) into code. The solution is based on Graph Neural Network (GNN) technology able to consider low-level code actions, system calls, and code data and control flows when determining whether code has a vulnerability. The GNN will associate code with broad vulnerability types and, via an interface based on MITRE's Common Weakness Enumeration (CWE), identify corresponding vulnerability entries in a database (NVD or CVE). The solution incorporates fast lookup of declared vulnerable library use and fast project code inspection to discover code likely copied from a vulnerable library. The solution can be applied to any language with a Low Level Virtual Machine (LLVM) front-end and runs fast enough for use in modern DevSecOps CI/CD pipelines.
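The two "fast" components named in the abstract (lookup of declared vulnerable library use, and inspection for code copied from a vulnerable library) are the parts a CI pipeline can run cheaply before any GNN-based classification. The Python script below is an added illustration written for this page, not Tenet3's code and not the award's deliverable: it checks a pinned manifest against an advisory list, then fingerprints a hypothetical vulnerable C function with k-gram hashing and winnowing and scans a project file for a copy of it whose identifiers were renamed. The package names, advisory IDs, manifest and source snippets are all constructed; the GNN classifier itself is not shown.

```python
"""Fast pre-checks for a CI pipeline (constructed illustration): (1) declared-dependency lookup
against an advisory list; (2) fingerprint a vulnerable library function, scan sources for copies."""
import hashlib
import re

# Constructed advisories: package names and IDs are hypothetical; CWE numbers are real labels.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "libfoo", "fixed_in": "1.2.0", "cwe": "CWE-787"},
    {"id": "ADV-EXAMPLE-0002", "package": "libqux", "fixed_in": "1.4.0", "cwe": "CWE-416"},
]
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*(\d+(?:\.\d+)*)$")

def parse_version(text):
    """'1.2.0' -> (1, 2, 0); numeric dotted versions only."""
    return tuple(int(p) for p in text.split("."))

def parse_manifest(text):
    """Package name -> pinned version, or None when the line is a range rather than a pin."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
        else:
            deps[re.split(r"[<>=!~\s]", line, 1)[0].lower()] = None
    return deps

def check_declared(manifest_text, advisories=ADVISORIES):
    """(package, version or 'unpinned', advisory id, cwe) for every declared hit."""
    deps, findings = parse_manifest(manifest_text), []
    for adv in advisories:
        name = adv["package"]
        if name not in deps:
            continue
        if deps[name] is None:  # a range cannot prove that a fixed version is used
            findings.append((name, "unpinned", adv["id"], adv["cwe"]))
        elif parse_version(deps[name]) < parse_version(adv["fixed_in"]):
            findings.append((name, deps[name], adv["id"], adv["cwe"]))
    return findings

C_KEYWORDS = {"int", "char", "const", "unsigned", "void", "static", "double",
              "return", "if", "else", "for", "while", "sizeof", "struct"}
TOKEN_RE = re.compile(r"\d+(?:\.\d+)?|[A-Za-z_]\w*|[^\w\s]")

def normalize(src):
    """Strip comments; keep C keywords; map identifiers to ID and numbers to NUM, so that
    renaming variables or reformatting does not change the token stream."""
    src = re.sub(r"//[^\n]*", " ", re.sub(r"/\*.*?\*/", " ", src, flags=re.S))
    out = []
    for tok in TOKEN_RE.findall(src):
        if tok[0].isdigit():
            out.append("NUM")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(tok if tok in C_KEYWORDS else "ID")
        else:
            out.append(tok)
    return out

def kgram_hashes(tokens, k=5):
    """Deterministic 64-bit hash of each run of k consecutive tokens."""
    return [int.from_bytes(hashlib.sha256(" ".join(tokens[i:i + k]).encode()).digest()[:8], "big")
            for i in range(len(tokens) - k + 1)]

def winnow(hashes, w=4):
    """Winnowing (Schleimer, Wilkerson, Aiken 2003): keep the minimum of every window of w hashes."""
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}

def fingerprint_library(src, k=5, w=4):
    return winnow(kgram_hashes(normalize(src), k), w)

def copied_score(lib_fp, project_src, k=5):
    """Fraction of the library fingerprint present among the project's k-gram hashes. The project
    side is hashed exhaustively, so a verbatim copy of the indexed function scores exactly 1.0."""
    project_hashes = set(kgram_hashes(normalize(project_src), k))
    return len(lib_fp & project_hashes) / len(lib_fp) if lib_fp else 0.0

# Constructed inputs: a manifest, a hypothetical vulnerable libfoo helper, and a project file
# that vendors that helper with renamed identifiers next to unrelated code.
MANIFEST = "libfoo==1.1.0\nlibbar==3.2.0\nlibqux>=1.0  # range, not a pin\n"
LIB_SRC = """/* libfoo 1.1.0 */
int parse_header(char *dst, const char *src, unsigned len) {
    char buf[64];
    memcpy(buf, src, len);   /* no bound check on len */
    buf[len] = 0;
    return copy_out(dst, buf);
}"""
UNRELATED_SRC = "static double half(double x) { return x / 2.0; }\n"
PROJECT_SRC = """// vendored helper, identifiers renamed
int read_hdr(char *out, const char *in, unsigned n) {
    char tmp[64];
    memcpy(tmp, in, n);
    tmp[n] = 0;
    return copy_out(out, tmp);
}
""" + UNRELATED_SRC

def run_demo():
    lib_fp = fingerprint_library(LIB_SRC)
    return {"declared": check_declared(MANIFEST),
            "copied_score": copied_score(lib_fp, PROJECT_SRC),
            "unrelated_score": copied_score(lib_fp, UNRELATED_SRC)}

if __name__ == "__main__":
    print(run_demo())
```

Running it reports the pinned libfoo hit, the unpinned libqux range (flagged because a range cannot establish that a fixed version is actually installed), a copied score of 1.0 for the renamed copy and 0.0 for the unrelated function. Normalising identifiers to `ID` defeats simple renaming; it does not survive statement reordering or recompilation, which is the gap that analysis over a compiler's intermediate form, as the abstract proposes via LLVM front-ends, is meant to close.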

Benefit:
The solution has commercial opportunities as a self-hosted, managed solution for sensitive software vulnerability assessment. It may also be commercialized as a subscription or pay-as-you-use SaaS offering on Tenet3's AWS cloud stacks. The SaaS solution is integrable with our current cloud stack supporting system security engineering for weapon systems and trustworthy and assured microelectronics. We envision this SaaS approach as the most scalable and supportable for multiple Navy uses as well as for Defense Industrial Base members supporting Navy projects.

Keywords:
Artificial Intelligence, Machine Learning, legacy code, DevSecOps, Third Party Libraries, code inspection, Software Vulnerability Databases, Code Vulnerability Detection

Phase II

Contract Number: ----------
Start Date: 00/00/00    Completed: 00/00/00
Phase II year
----
Phase II Amount
----