New Approach to automatically detecting bugs and vulnerabilities in Linux
Australian researcher Silvio Cesare, PhD student at Deakin University has released a tool capable of automatically detecting bugs and vulnerabilities in embedded Linux libraries. Developers may “embed” or “clone” code from 3rd party projects. This can be either statically link against external library or maintaining an internal copy of a library’s source or fork a copy of a library’s source.
The Approach of this tools is that if a source package has the other package’s filenames as a subset, it is embedded, Packages that share files are related. A graph of relationships has related packages as cliques. Graph Theory is used to perform the analysis.
Linux vendors have previously used laborious manual techniques to find holes in libraries. Debian alone manually tracks some 420 embedded packages, Cesare said at Ruxcon 2011. Silvio's tool also automates identifying if embedded packages have outstanding vulnerabilities that have not been patched. Using this system, over 30 previously unknown vulnerabilities were identified in Linux distributions. These results are now starting to be used by vendors to track embedded packages.
They Found five packages in Debian and Fedora that were vulnerable to a buffer overflow found in libtiff. Mozilla Firefox had embedded libpng and was vulnerable for more than three months after the flaw was discovered. While about 90 per cent of vulnerabilities produced by the tool were false-positives, Cesare said vetting the results takes seconds and was considerably faster than using manual processes.
Fedora incorporated Cesare’s results in an embedded library list database. Cesare said he will publish an academic paper on the subject and plans to similar conduct binary analysis for Windows platforms.
This project is open source and available to download from Github.