CLONEWISE - AUTOMATED PACKAGE CLONE DETECTION

Black Hat USA 2012

Presented by: Silvio Cesare
Date: Thursday July 26, 2012
Time: 15:30 - 16:30
Location: Palace I
Track: Enterprise Intrigue

Developers sometimes statically link libraries from other projects, maintain an internal copy of other software or fork development of an existing project. This practice can lead to software vulnerabilities when the embedded code is not kept up to date with upstream sources. As a result, manual techniques have been applied by Linux vendors to track embedded code and identify vulnerabilities. We propose an automated solution to identify embedded packages, which we call package clones, without any prior knowledge of these relationships. Our approach identifies similar source files based on file names and content to identify relationships between packages. We extract these and other features to perform statistical classification using machine learning. We evaluated our automated system named Clonewise against Debian's manually created database.
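The file-name and content similarity features described above, as an added illustration that is not Clonewise's own code: two constructed sample "packages" (a hypothetical upstream library and an application embedding a reformatted, locally patched copy of it) are compared on shared base names and whitespace-normalized content hashes, and a fixed threshold rule stands in for the trained classifier.

```python
import hashlib
import re
from typing import Dict

# Constructed sample data: a mapping of source file path -> file content stands in for a package.
# Hypothetical upstream library.
UPSTREAM_LIB = {
    "inflate.c": "int inflate(z_stream *s) {\n  /* decode */\n  return 0;\n}\n",
    "deflate.c": "int deflate(z_stream *s) {\n  return 1;\n}\n",
    "zlib.h": "#define ZLIB_VERSION \"1.2.3\"\n",
}
# Hypothetical application that embeds a reindented, locally patched copy of that library.
EMBEDDING_APP = {
    "third_party/inflate.c": "int inflate(z_stream *s)\n{\n    /* decode */\n    return 0;\n}\n",
    "third_party/deflate.c": "int deflate(z_stream *s) {\n  return 2; /* local patch */\n}\n",
    "third_party/zlib.h": "#define ZLIB_VERSION \"1.2.3\"\n",
    "main.c": "int main(void) { return 0; }\n",
}
UNRELATED_PKG = {"server.c": "int serve(void) { return 0; }\n", "util.c": "int util(void) { return 1; }\n"}


def _content_hash(src: str) -> str:
    """Hash the content with whitespace collapsed so reindenting alone does not hide a copied file."""
    return hashlib.sha256(re.sub(r"\s+", " ", src).strip().encode()).hexdigest()


def clone_features(candidate: Dict[str, str], upstream: Dict[str, str]) -> Dict[str, float]:
    """Features describing how much of `upstream` appears to be embedded in `candidate`."""
    # Compare by base name so a copy placed under a subdirectory still matches.
    cand = {path.rsplit("/", 1)[-1]: body for path, body in candidate.items()}
    up = {path.rsplit("/", 1)[-1]: body for path, body in upstream.items()}
    shared = set(cand) & set(up)
    same_content = sum(1 for n in shared if _content_hash(cand[n]) == _content_hash(up[n]))
    total = max(len(up), 1)  # avoid division by zero for an empty upstream package
    return {
        "shared_files": float(len(shared)),
        "name_overlap": len(shared) / total,      # fraction of upstream file names found
        "content_overlap": same_content / total,  # fraction of upstream files copied unchanged
    }


def is_likely_clone(features: Dict[str, float], name_min: float = 0.5, content_min: float = 0.3) -> bool:
    """Stand-in for the trained classifier: a fixed rule over the two overlap features."""
    return features["name_overlap"] >= name_min and features["content_overlap"] >= content_min


if __name__ == "__main__":
    feats = clone_features(EMBEDDING_APP, UPSTREAM_LIB)
    print(feats, is_likely_clone(feats))
```

Common file names such as a generic config header would inflate name_overlap between unrelated packages, which is one reason the abstract feeds these and other features to a statistical classifier rather than relying on a fixed rule like the one here.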

Clonewise had a 68% true positive rate and a false positive rate of less than 1%. Additionally, our system detected many package clones not previously known or tracked. Our results are now starting to be used by Linux vendors such as Debian and Redhat to track embedded packages. Redhat started to track clones in a new wiki, and Debian are planning to integrate Clonewise into the operating procedures used by their security team. Based on our work, over 30 unknown package clone vulnerabilities have been identified and patched.

Silvio Cesare

Silvio Cesare is a PhD student at Deakin University. His research is supported by a full scholarship under a Deakin University Postgraduate Research Award. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries. He has previously spoken at industry conferences including Blackhat, Cansecwest and Ruxcon, and has published in academic journals such as IEEE Transactions on Computers. He is also author of the book Software Similarity and Classification, published by Springer. He has worked in industry within Australia, France and the United States. This work includes time as the scanner architect of Qualys – now the world's largest vulnerability assessment company. In 2008 he was awarded $5000 USD tied 3rd prize for the highest impact vulnerability reported to security intelligence company IDefense for an implementation-specific IDS evasion bug in the widely deployed Snort software. He has a Bachelor of Information Technology and a Master of Informatics by research from CQUniversity, where he was awarded two academic prizes during his undergraduate degree and a University Postgraduate Research Award full scholarship during his Masters degree.
