The Binary Analysis Tool can help to discover what components were used to create compiled code. It uses the same type of approach that gpl-violations.org applies to discover license issues in consumer electronics. This is called 'compliance engineering' and has been documented in the GPL compliance engineering guide released by Loohuis Consulting.

The Binary Analysis Tool can be used by

• People who want to check for potential legal issues
• People who want to manage their supply chain more effectively
• Or even adapted for use by people who want to check for security issues

What the tool can do

Technically speaking, the Binary Analysis Tool tries to detect if object code (or parts of it) resulted from the compilation of specified source code (or parts of it). At the moment the tool supports:

• Automated extraction of the version and configuration of BusyBox
• Extraction of file systems
• Automated checking for the Linux kernel
• Brute force scanning of firmware
• Feeding known information through a knowledgebase

How the tool works

The Binary Analysis Tool attempts to read binary code in firmware formats and compare it with source code. This can compliment or replace manual analysis techniques traditionally used to audit code.

The tool can

• Look into code compiled for multiple architectures
• Detect programs contained in that code
• Detect fragments of programs integrated into that code

It uses symbol table comparisons and string table comparisons for its analysis, and does not undertake any reverse engineering. While table comparisons are not a particularly sophisticated forensic technique, they have proven extremely effective in discovering real-world issues.

One advanced feature of the tool is users can build a customized knowledgebase. This can contain information about products and/or code like upstream suppliers, chip-sets, offsets, file systems and application strings. The tool can reads the knowledgebase, open compiled code, and checks if the specified data is included.

Limitations of the Tool

Naturally the tool does not replace a dedicated compliance engineer and it requires some degree of integration into existing workflows to be useful. However, it has the potential to reduce costs and increase productivity around due diligence related to FOSS.

There are two key technical limitations to the Binary Analysis Tool:

1. It does not scan binary code at the instruction-level. The utility of this is questionable given the number of source code variants, compilers, and compilation options that exist. There can be billions of binary code variants for one application.
2. It does not scan firmware with encryption or DRM protection. This may be legally questionable in some countries. Even if permitted it would be prohibitively resource intensive without access to encryption keys.

You can learn more about what the tool does by reading the documentation.

 

• home
• about
• people
• showcase
• download
• contribute
• documentation
• faq
• contact

• Project

  • About
  • People
  • Download
  • Contribute
  • Documentation
  • Showcase

• Sitemap

  • Contact
  • Privacy policy
  • FAQ

• License

  • Unless otherwize specified, all content on this site is
  • 
  • Creative Commons Attribution-No Derivative Works 3.0 Unported License.

• Creators

  • Loohuis Consulting
  • OpenDawn

• Sponsors

  • 
  •