Finding software license violations through binary code clone detection

“…When confronted with the presence of code cloning within a software system, a manager will want to understand why the decision was made to do so, and what the perceived short-and long-term trade-offs are. Cloning across different projects is more difficult to manage; of special concern is the possibility of code from an open source project being inserted into a closed source system [4,2], which may open up the company to legal action, such as was alleged in the recent lawsuit involving Oracle and Google [18].…”

Section: The Problem Of Software Development Provenancementioning

confidence: 99%

“…For example, when a manager finds a section of code that is involved in an unusually large number of problems, he may wish to find out how old the code in question is, which developers have been working on it recently, which change sets it has been involved in, and which features, quality attributes, and bug fixes it implements. When a IP lawyer is concerned about a claim of open source licensing violations within a closed source system, she may wish to be able to track the design history of the code in question [4]. When a software architect is trying to understand the current design of a module within a software system, he may wish to be able to compare the change history against discussions in the developer mailing list archives [5].…”

Section: Introductionmentioning

confidence: 99%

Understanding software artifact provenance

Godfrey

2015

Science of Computer Programming

View full text Add to dashboard Cite

In a well designed software system, units of related functionality are organized into modules and classes, which are in turn arranged into inheritance trees, package hierarchies, components, libraries, frameworks, and services. The trade-offs between simplicity versus flexibility and power are carefully considered, and interfaces are designed that expose the key functional properties of a component while hiding much of the complexity of the implementation details. However, over time the design integrity of a well-engineered system tends to decay as new features are added, as new quality attributes are emphasized, and as old architectural knowledge is lost when experienced development personnel shift to new jobs. Consequently, as developers and as users we often find ourselves looking at a piece of functionality or other design artifact and wondering, "Why is this here?" That is, we would like to examine the provenance of an artifact to understand its history and why it is where it is within the current design of the system.In this brief paper, we sketch some of the dimensions of the broad problem of extracting and reasoning about the provenance of software development artifacts. As a motivating example, we also describe some recent related work that uses hashing to quickly and accurately identify version information of embedded Java libraries.Keywords: Software artifact provenance, software analytics, code cloning Paul, it is easy to be impressed by your body of work at a distance. There are so many important and well-cited papers over many years, and the tools and techniques you and your group have contributed have had concrete and demonstrable impact on the research community. But when I spent my sabbatical at CWI, I learned an awful lot from you about running a research group, and getting the best out of talented people. You make it seem so easy and effortless, although I know it is neither. Your management style is low key and encouraging, yet the yield is so high. Perhaps most importantly, I have seen how the young researchers you supervise -many of whom go on to careers in industry -come away with justifiable pride in their efforts, an understanding of exactly how their work fits into the grand scheme of things, and a strong belief in the value of research itself. Surely this is the right way to build an ongoing, vibrant, and collegial community of scientists, engineers, and practitioners.

show abstract

“…In contrast, since the goal of Rendezvous is to do binary clone matching across different code bases, we needed to address the compiler optimisation problem and we believe our technique to be sufficiently accurate to be successful. Hemel et al [18] looked purely at strings in the binary to uncover code violating the GNU public license. The advantage of their technique was that it eliminated the need to perform disassembly.…”

Section: Related Workmentioning

confidence: 99%

Rendezvous: A search engine for binary code

Khoo

Mycroft

Anderson

2013

2013 10th Working Conference on Mining Software Repositories (MSR)

View full text Add to dashboard Cite

The problem of matching between binaries is important for software copyright enforcement as well as for identifying disclosed vulnerabilities in software. We present a search engine prototype called Rendezvous which enables indexing and searching for code in binary form. Rendezvous identifies binary code using a statistical model comprising instruction mnemonics, control flow sub-graphs and data constants which are simple to extract from a disassembly, yet normalising with respect to different compilers and optimisations. Experiments show that Rendezvous achieves F2 measures of 86.7% and 83.0% on the GNU C library compiled with different compiler optimisations and the GNU coreutils suite compiled with gcc and clang respectively. These two code bases together comprise more than one million lines of code. Rendezvous will bring significant changes to the way patch management and copyright enforcement is currently performed.

show abstract

Finding software license violations through binary code clone detection

Cited by 115 publications

References 20 publications

On the Detection of Licenses Violations in the Android Ecosystem

On the Detection of Licenses Violations in the Android Ecosystem

Understanding software artifact provenance

Rendezvous: A search engine for binary code

Contact Info

Product

Resources

About