Supply chain vulnerabilities (SCVs) exist in third-party components (operating systems, basic libraries, etc.). They are not in the code that application developers write themselves; developers introduce them unknowingly by reusing third-party components, so the software they build inherits the vulnerabilities. Compared with traditional devices, IoT devices span many architectures, and the security issues introduced by code reuse are prominent. This paper proposes PhG-vNet, an effective and efficient SCV detection approach for IoT devices based on heterogeneous-graph-driven hash similarity. PhG-vNet uses a customized graph embedding to represent the pseudo-code of a binary and a heterogeneous graph neural network to encode the graph structure into binary hash embeddings. It then detects SCVs with a purpose-built bit similarity measure whose bits are Bayesian-weighted. Experiments show that PhG-vNet does not require expensive hardware, has low overhead, and achieves acceptable detection performance.
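The abstract does not spell out the bit similarity measure or how its Bayesian weights are obtained. The following is an added illustration, written for this page and not PhG-vNet's code, of what "bit similarity with Bayesian weighting" over binary hash embeddings can look like in practice: each bit position gets a weight equal to the (clamped) log-likelihood ratio of that bit agreeing for hashes of the same function versus hashes of different functions, estimated naive-Bayes style from labelled pairs; similarity is then the weighted fraction of agreeing bits. The 8-bit hashes, the training pairs, the library function name and the firmware function names are all constructed for the example; real hash embeddings are far wider. The example goes slightly beyond the abstract by showing why the weighting matters: two candidates with the same raw Hamming distance get very different scores depending on whether they agree on stable or noisy bits.

```python
from math import log

N_BITS = 8  # tiny hash width for the demo (assumption; real embeddings are much wider)


def bit_agreement(h1, h2, n_bits=N_BITS):
    """Per-bit agreement vector: 1 where both hashes hold the same bit, else 0."""
    same = ~(h1 ^ h2) & ((1 << n_bits) - 1)
    return [(same >> i) & 1 for i in range(n_bits)]


def plain_bit_similarity(h1, h2, n_bits=N_BITS):
    """Unweighted similarity: fraction of agreeing bits (1 - normalised Hamming distance)."""
    return sum(bit_agreement(h1, h2, n_bits)) / n_bits


def estimate_bit_weights(same_pairs, diff_pairs, n_bits=N_BITS, alpha=1.0):
    """Naive-Bayes style per-bit weights learned from labelled hash pairs.

    For every bit position estimate, with Laplace smoothing alpha,
    P(bit agrees | same function) and P(bit agrees | different function)
    and use the log-likelihood ratio as the weight. A bit that agrees
    almost as often for unrelated functions as for matching ones carries
    little evidence and gets a weight near zero (negative ratios are clamped).
    """
    weights = []
    for i in range(n_bits):
        agree_same = sum(bit_agreement(a, b, n_bits)[i] for a, b in same_pairs)
        agree_diff = sum(bit_agreement(a, b, n_bits)[i] for a, b in diff_pairs)
        p_same = (agree_same + alpha) / (len(same_pairs) + 2 * alpha)
        p_diff = (agree_diff + alpha) / (len(diff_pairs) + 2 * alpha)
        weights.append(max(0.0, log(p_same / p_diff)))
    return weights


def weighted_bit_similarity(h1, h2, weights):
    """Weighted fraction of agreeing bits, in [0, 1]; falls back to the plain score if all weights are zero."""
    agree = bit_agreement(h1, h2, len(weights))
    total = sum(weights)
    if total == 0:
        return plain_bit_similarity(h1, h2, len(weights))
    return sum(w for w, a in zip(weights, agree) if a) / total


def find_scv_matches(vuln_hashes, target_hashes, weights, threshold=0.8):
    """Return (vulnerable function, target function, score) for every pair at or above threshold."""
    hits = []
    for vname, vh in vuln_hashes.items():
        for tname, th in target_hashes.items():
            score = weighted_bit_similarity(vh, th, weights)
            if score >= threshold:
                hits.append((vname, tname, round(score, 4)))
    return hits


# Constructed training pairs (not from the paper): hashes of the same function
# built for two architectures, and hashes of unrelated functions. Low bits are
# stable across builds; bits 4 and 7 sometimes flip; bits 6 and 7 also agree by
# chance between unrelated functions.
SAME_PAIRS = [
    (0b10100011, 0b10100011),  # identical
    (0b11000101, 0b01000101),  # bit 7 flipped
    (0b00111111, 0b00101111),  # bit 4 flipped
]
DIFF_PAIRS = [
    (0b10100011, 0b01011100),  # all bits differ
    (0b11000101, 0b11111010),  # only bits 6 and 7 agree by chance
    (0b00111111, 0b11000000),  # all bits differ
]
WEIGHTS = estimate_bit_weights(SAME_PAIRS, DIFF_PAIRS)

# Constructed lookup: one function from a known-vulnerable library version and
# three functions recovered from a target firmware image (names are hypothetical).
VULN_HASHES = {"lib_parse_header": 0b10100011}
TARGET_HASHES = {
    "fw_func_a": 0b00100011,  # same function, one noisy high bit flipped
    "fw_func_b": 0b10111100,  # unrelated; agrees only on the three noisy high bits
    "fw_func_c": 0b01011011,  # unrelated; agrees on three stable low bits
}

if __name__ == "__main__":
    for name, h in TARGET_HASHES.items():
        print(name,
              "plain=%.3f" % plain_bit_similarity(VULN_HASHES["lib_parse_header"], h),
              "weighted=%.3f" % weighted_bit_similarity(VULN_HASHES["lib_parse_header"], h, WEIGHTS))
    print(find_scv_matches(VULN_HASHES, TARGET_HASHES, WEIGHTS))
```

fw_func_b and fw_func_c both agree with the library hash on 3 of 8 bits, so an unweighted Hamming score cannot separate them, while the weighted score rates the candidate that agrees on stable bits markedly higher. Only fw_func_a clears the 0.8 threshold. When adapting this to real embeddings, estimate the weights on a held-out set of labelled pairs rather than on the pairs used for evaluation, otherwise the weights overfit the benchmark.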