Enhancing Security in Third-Party Library Reuse – Comprehensive Detection of 1-day Vulnerability through Code Patch Analysis
Shangzhi Xu
Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Software Security: Applications & Policies
This talk presents **Vulture**, a tool for detecting **1-day vulnerabilities** (bugs that have already been disclosed and fixed upstream but survive in copies that never picked up the fix) in reused **third-party libraries (TPLs)** through **code patch analysis**. Code reuse is pervasive in modern software, so understanding and mitigating the risk posed by vulnerable libraries matters: many projects rely heavily on open-source components, producing a web of dependencies in which a single vulnerability in an upstream library propagates downstream to numerous applications. Shangzhi Xu from UNSW highlights the challenges developers face in identifying and patching these vulnerabilities, particularly in large codebases, across nested library dependencies, and where reused components have been locally modified, which defeats version-string and exact-match detection.
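To make the detection problem concrete, here is an added illustration of patch-presence testing, the general idea underlying this line of work; it is not Vulture's algorithm or code. From an upstream function before and after its security patch it derives a vulnerable signature (statements the patch removed) and a patched signature (statements the patch added), normalises away formatting and local identifier names, and then checks a downstream copy that has been reformatted and customised. All C snippets, the function names (`copy_name`, `log_debug`) and the macro `NAME_MAX` are constructed for this example.

```python
"""Patch-presence check for a reused, possibly modified library function.
Added illustration, not Vulture's method; all sample C code is constructed."""
import re
from difflib import SequenceMatcher

C_KEYWORDS = {"if", "else", "for", "while", "do", "return", "switch", "case",
              "break", "continue", "goto", "sizeof", "int", "char", "void",
              "long", "short", "unsigned", "signed", "const", "static", "struct"}

TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"'                         # string literal
    r"|'(?:\\.|[^'\\])*'"                        # char literal
    r"|[A-Za-z_]\w*"                             # identifier or keyword
    r"|\d+"                                      # integer literal
    r"|<<=|>>=|<=|>=|==|!=|&&|\|\||\+\+|--|->"   # multi-char operators first
    r"|[-+*/%&|^<>=!~?:;,.(){}\[\]]"
)

def normalize(src):
    """Split C source into normalised statements: comments and whitespace are
    dropped and local identifiers become ID, while keywords, called function
    names and ALL_CAPS macros are kept since they carry the patch's meaning."""
    src = re.sub(r"//.*|/\*.*?\*/", "", src, flags=re.S)
    toks = TOKEN_RE.findall(src)
    out, cur = [], []
    for i, t in enumerate(toks):
        if t in ";{}":                      # statement or block boundary
            if cur:
                out.append(" ".join(cur))
            cur = []
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if (re.fullmatch(r"[A-Za-z_]\w*", t) and t not in C_KEYWORDS
                and nxt != "(" and not re.fullmatch(r"[A-Z][A-Z0-9_]*", t)):
            t = "ID"
        cur.append(t)
    if cur:
        out.append(" ".join(cur))
    return out

def patch_signatures(vuln_src, patched_src):
    """Diff the normalised upstream versions: (deleted, added, unchanged)."""
    a, b = normalize(vuln_src), normalize(patched_src)
    deleted, added, common = [], [], []
    for op, i1, i2, j1, j2 in SequenceMatcher(a=a, b=b).get_opcodes():
        if op == "equal":
            common.extend(a[i1:i2])
        else:
            deleted.extend(a[i1:i2])
            added.extend(b[j1:j2])
    return deleted, added, common

def classify(vuln_src, patched_src, target_src, min_context=0.5):
    """Return 'patched', 'vulnerable', 'not_present' (target is not this
    function) or 'inconclusive' (custom edits touched the patched statements)."""
    deleted, added, common = patch_signatures(vuln_src, patched_src)
    tgt = set(normalize(target_src))
    # Require enough unchanged context so we are looking at the right function.
    if common and sum(s in tgt for s in common) / len(common) < min_context:
        return "not_present"
    has_add = [s in tgt for s in added]
    has_del = [s in tgt for s in deleted]
    if all(has_add) and not any(has_del):
        return "patched"
    if not any(has_add) and all(has_del):
        return "vulnerable"
    return "inconclusive"

# Constructed samples: upstream adds a bounds check; downstream copies have been
# reformatted, had parameters renamed, and gained a logging call.
VULNERABLE_UPSTREAM = """\
int copy_name(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\\0';
    return 0;
}
"""
PATCHED_UPSTREAM = """\
int copy_name(char *dst, const char *src, size_t len)
{
    if (len >= NAME_MAX)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\\0';
    return 0;
}
"""
DOWNSTREAM_VULNERABLE = """\
int copy_name(char *dest, const char *source, size_t n) {
  log_debug("copy_name");
  memcpy(dest, source, n);
  dest[n] = '\\0';
  return 0;
}
"""
DOWNSTREAM_PATCHED = """\
int copy_name(char *dest, const char *source, size_t n) {
  log_debug("copy_name");
  if (n >= NAME_MAX) return -1;
  memcpy(dest, source, n);
  dest[n] = '\\0';
  return 0;
}
"""
UNRELATED = "int other(int a) { return a + 1; }\n"

if __name__ == "__main__":
    for name, tgt in [("downstream (no fix)", DOWNSTREAM_VULNERABLE),
                      ("downstream (fix merged)", DOWNSTREAM_PATCHED),
                      ("unrelated function", UNRELATED)]:
        print(f"{name}: {classify(VULNERABLE_UPSTREAM, PATCHED_UPSTREAM, tgt)}")
```

Because the comparison works on normalised statements rather than raw lines, the downstream fix written as a one-line `if (n >= NAME_MAX) return -1;` still matches the upstream two-line form, and an off-by-one variant of the check (`>` instead of `>=`) is correctly reported as vulnerable when the patch replaced one guard with another. The context ratio guards against reporting a verdict for code that is not the patched function at all; a real tool needs far more than this (cross-file context, semantic rather than token equivalence, and handling of patches that restructure control flow), which is where the talk's contribution lies.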
AI review
Vulture is competent, well-executed academic work on a real problem: 1-day vulnerability detection in reused TPLs that carry custom modifications. The chunk-based semantic patch analysis is a genuine contribution, and the numbers against Sneak are credible. But this is NDSS-track research, not a practitioner conference drop: solid incremental progress in a crowded space, not a paradigm shift.