19th-20th November 2011 - Melbourne, Australia
Developers sometimes statically link libraries from third-party projects, maintain an internal copy of third-party software, or fork development of an existing third-party project. This practice can lead to software vulnerabilities when the embedded code is not kept up to date with its upstream sources. As a result, Linux vendors have applied manual techniques to track embedded code and identify vulnerabilities.
In this talk, Silvio will release an automated solution that identifies embedded packages without any prior knowledge of such relationships. The approach identifies similar source files based on file names and content, and uses those matches to infer relationships between source packages. Graph theory is used to perform the analysis. Silvio's tool also automates checking whether embedded packages have outstanding vulnerabilities that have not been patched. Using this system, over 30 previously unknown vulnerabilities were identified in Linux distributions. These results are now starting to be used by vendors to track embedded packages.
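The following is an added illustration of the idea described above, not Silvio's tool or any code from the talk. It fingerprints each package's source files by basename and normalized content, scores package pairs by how much of the smaller package reappears in the larger one, builds a similarity graph, directs each edge to name the embedded copy, and finally compares the version string found in the embedded copy against a constructed advisory table. The sample packages, the file-name and content heuristics, the `VERSION "x.y.z"` convention, the similarity threshold and the advisory entry are all assumptions made for this example.

```python
"""Toy detector for embedded third-party source packages (added example)."""
import hashlib
import os
import re
from itertools import combinations

# Constructed sample corpus: package -> {relative path: source text}.
# "zlib-1.2.5" is the standalone upstream; "imgtool-0.9" carries an older,
# locally patched copy under third_party/zlib; "netd-2.0" shares nothing.
PACKAGES = {
    "zlib-1.2.5": {
        "zlib.h": '#define ZLIB_VERSION "1.2.5"\nint inflate(void);\n',
        "inflate.c": "int inflate(void) { return checked_inflate(); }\n",
        "deflate.c": "int deflate(void) { return 0; }\n",
        "adler32.c": "unsigned long adler32(void) { return 1; }\n",
    },
    "imgtool-0.9": {
        "src/main.c": "int main(void) { return 0; }\n",
        "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.3"\nint inflate(void);\n',
        "third_party/zlib/inflate.c": "int inflate(void) { return 0; } /* local patch */\n",
        "third_party/zlib/deflate.c": "int deflate(void) { return 0; }\n",
        "third_party/zlib/adler32.c": "unsigned long adler32(void) { return 1; }\n",
    },
    "netd-2.0": {"netd.c": "int serve(void) { return 0; }\n"},
}

# Constructed advisory table: upstream base name -> (first fixed version, label).
# The label is a placeholder, not a real advisory identifier.
ADVISORIES = {"zlib": ("1.2.4", "EXAMPLE-ADVISORY-001 (placeholder)")}


def fingerprint(files):
    """Map basename -> SHA-256 of whitespace-normalized content."""
    fp = {}
    for path, text in files.items():
        norm = " ".join(text.split())
        fp[os.path.basename(path)] = hashlib.sha256(norm.encode()).hexdigest()
    return fp


def similarity(fp_a, fp_b):
    """Fraction of the smaller package recovered in the other: an exact
    content match counts 1.0, a name-only match counts 0.5 (assumed weights)."""
    shared = set(fp_a) & set(fp_b)
    if not shared:
        return 0.0
    score = sum(1.0 if fp_a[n] == fp_b[n] else 0.5 for n in shared)
    return score / min(len(fp_a), len(fp_b))


def build_graph(packages, threshold=0.5):
    """Undirected weighted graph: an edge joins packages whose similarity
    reaches the (assumed) threshold."""
    fps = {p: fingerprint(f) for p, f in packages.items()}
    graph = {p: {} for p in packages}
    for a, b in combinations(packages, 2):
        s = similarity(fps[a], fps[b])
        if s >= threshold:
            graph[a][b] = graph[b][a] = s
    return graph


def components(graph):
    """Connected components = families of packages sharing code."""
    seen, comps = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(graph[n])
        seen |= comp
        comps.append(comp)
    return comps


def embedding_candidates(packages, graph):
    """Direct each edge: the package with fewer files is taken to be the one
    embedded in the other (ties broken by name). Returns (embedded, host, score)."""
    out = []
    for a, nbrs in graph.items():
        for b, s in nbrs.items():
            if (len(packages[a]), a) < (len(packages[b]), b):
                out.append((a, b, s))
    return out


def base_name(pkg):
    return pkg.rsplit("-", 1)[0]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def embedded_version(host_files, embedded_base):
    """Look for a VERSION "x.y.z" define inside the host's copy of the embedded
    package (paths containing its base name). Assumed convention for this example."""
    for path, text in host_files.items():
        if embedded_base in path.lower():
            m = re.search(r'VERSION\s+"(\d+(?:\.\d+)+)"', text)
            if m:
                return m.group(1)
    return None


def outstanding_vulns(packages, candidates):
    """Flag hosts whose embedded copy is older than the first fixed version."""
    findings = []
    for embedded, host, _score in candidates:
        base = base_name(embedded)
        if base not in ADVISORIES:
            continue
        fixed, label = ADVISORIES[base]
        ver = embedded_version(packages[host], base)
        if ver is not None and version_tuple(ver) < version_tuple(fixed):
            findings.append((host, base, ver, fixed, label))
    return findings


if __name__ == "__main__":
    g = build_graph(PACKAGES)
    for c in components(g):
        print("family:", sorted(c))
    cands = embedding_candidates(PACKAGES, g)
    for emb, host, s in cands:
        print(f"{emb} appears embedded in {host} (similarity {s:.2f})")
    for host, base, ver, fixed, label in outstanding_vulns(PACKAGES, cands):
        print(f"{host}: embedded {base} {ver} is older than fixed {fixed}: {label}")
```

On the constructed corpus, the two zlib-bearing packages form one family, `zlib-1.2.5` is reported as embedded in `imgtool-0.9` with similarity 0.75 (two files identical, two matched by name only), and the embedded copy's version 1.2.3 is flagged against the placeholder advisory's fixed version 1.2.4.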
Silvio Cesare is a PhD student at Deakin University. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries.
He has previously spoken at conferences including Black Hat, CanSecWest, Ruxcon, and academic outlets. Silvio spoke at the first Ruxcon in 2003 on open source kernel vulnerabilities. He has worked in industry, including time as scanner architect at the vulnerability management company Qualys.