Your browser doesn't support javascript. This means that the content or functionality of our website will be limited or unavailable. If you need more information about Vinnova, please contact us.

AI- and Risk-based Vulnerability Management for Trustworthy Open Source Adoption (ARVOS)

Reference number
Coordinator Elastisys AB
Funding from Vinnova SEK 2 948 934
Project duration May 2021 - November 2022
Status Ongoing
Venture Advanced digitalization - Enabling technologies
Call Cybersecurity for advanced industrial digitalisation

Important results from the project

Current vulnerability scanning tools perform static code analysis and produce a lot of false alerts. This leads to a “crying wolf” phenomenon, where even exploitable vulnerabilities get ignored. For example, a vulnerability might not be exploitable, because the application does not use a given function offered by a library. The goal of ARVOS was to make vulnerabilities more relevant through run-time detection. In essence, a vulnerability should only be reported as a threat, if the application actually makes use of vulnerable functionality.

Expected long term effects

We performed two user interviews with ARVOS. In essence, Java application developers got to use ARVOS themselves to fix an application vulnerability, with some help from the ARVOS team. The interviews validated that: (1) ARVOS is easy-to-use given its integration with GitHub and GitLab; (2) ARVOS is easy-to-understand, developers could immediately fix vulnerabilities in the application; (3) ARVOS performance overhead is acceptable. Based on the very promising results, we expect the cybersecurity landscape to move from static code analysis to runtime vulnerability scanning.

Approach and implementation

ARVOS consists of two main parts. First, the Debricked engine consumes git commits and produces an augmented CVE database, which specifies the vulnerable function. If this vulnerable function is not called, then the CVE is determined to be unexploitable. Second, the Elastisys ARVOS CI engine uses a technology called eBPF to monitor if the application makes use of any vulnerable function. We integrated ARVOS with both GitHub Actions and GitLab CI, two popular Continuous Integration (CI) tools.

External links

The project description has been provided by the project members themselves and the text has not been looked at by our editors.

Last updated 2 September 2024

Reference number 2021-01687