Open source software is everywhere these days. In particular, Linux is being used increasingly to power embedded systems of all kinds. That's good, but it's also a challenge, because the free software used in such products may not always be compliant with all the licences it is released under – notably the GNU GPL. For companies that sell such embedded systems using open source, it can be hard even finding out what exactly is inside, let alone whether it is compliant. Enter the new Binary Analysis Tool:

The Binary Analysis Tool is a modular framework that assists with auditing the contents of compiled software. It makes it easier and cheaper to look inside technology, and this helps compliance and due diligence activities.

The tool is freely available to everyone. The community can use it and participate in further development, and work together to help reduce errors when shipping devices or products containing Free and Open Source Software.

Support for this software has been provided by Linux Foundation: the latter's involvement gives an idea of how important it considers this kind of tool for the Linux ecosystem. The code is released under the Apache licence.

One of the companies behind the Binary Analysis Tool, Loohuis Consulting, has put together a useful guide [.pdf] to GPL compliance, which contains the following more detailed explanation of how problems arise:

Products are often not developed by the company that has its name on the box. There are few Western companies selling devices in large quantities to end consumers that do their own development. Even those companies that do are unlikely to do all the work themselves.

There are often quite a few companies involved in the development of a product. The Western companies buy their devices in Asia, most often from a Taiwanese, Chinese or sometimes a Korean company. In some cases a custom casing is developed for the product, but more often a generic casing is adapted with the company logo printed on the casing. The manual and packaging are also adapted to taste (company logos, contact information, etcetera) and everything is shipped to the West. The Western companies do distribution, marketing, end user support, rebates, and so on.

The company where the devices are produced uses a board design with an SDK, which they get from another upstream vendor, often the chip vendor. There can be additional layers in between. The engineers at the Taiwanese company, or any of the other layers, sometimes add some extra code, or make other changes using the SDK. The extra code might contain kernel drivers for various hardware components in the device, such as wireless network cards, or software firewalling modules.

These changes may be fully, partially or not at all integrated into the source archive from the SDK. If the sources are not, or only partially, integrated, the result is that the sources distributed as the "GPL sources" are not complete.

The current capabilities of the code include the following:

Technically speaking, the Binary Analysis Tool tries to detect if object code (or parts of it) resulted from the compilation of specified source code (or parts of it). At the moment the tool supports:

Automated extraction of the version and configuration of BusyBox

Extraction of file systems

Automated checking for the Linux kernel

Brute force scanning of firmware

Feeding known information through a knowledgebase

The reason for the explicit mention of BusyBox is explained in the compliance guide:

Busybox is a program that combines a lot of functionality of programs into one, while leaving out the more advanced features of many of the GNU tools. It is the Swiss army knife of embedded Linux and nearly default on embedded Linux devices. It works by making a symlink from a program to the busybox binary. Depending on which program it is invoked as, it will behave differently.
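As an added illustration (not code from the Binary Analysis Tool or from the compliance guide), the Python below shows in simplified form the kind of string-level detection the capabilities list and the BusyBox explanation describe: it looks for the BusyBox and kernel version banners in a binary blob, probes for NUL-terminated applet names, and lists the GPL components for which source would have to be offered. The sample firmware bytes, the regexes and the applet list are constructed assumptions, not BAT's knowledgebase.

```python
import re

# Constructed sample blob standing in for a firmware image (not real firmware).
SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 12 + b"vendor padding\x00"
    + b"BusyBox v1.31.1 (2020-07-09 15:01:44 UTC) multi-call binary.\x00"
    + b"\x00ash\x00cat\x00ls\x00telnetd\x00wget\x00"
    + b"Linux version 4.14.180 (builder@host) (gcc version 7.5.0) #1 SMP\x00"
)

# BusyBox prints this banner, so the string is compiled into the binary.
BUSYBOX_RE = re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?) \(([^)]*)\)")
# The kernel's own version banner, present in an uncompressed kernel image.
KERNEL_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+[^\s\x00]*)")
# Assumed mini-knowledgebase of applet names to probe for (a heuristic, not BAT's).
KNOWN_APPLETS = (b"ash", b"cat", b"httpd", b"ls", b"telnetd", b"wget")


def find_busybox(blob):
    """Return {'version', 'build'} if a BusyBox banner is present, else None."""
    m = BUSYBOX_RE.search(blob)
    if not m:
        return None
    return {"version": m.group(1).decode(), "build": m.group(2).decode(errors="replace")}


def find_applets(blob):
    """Heuristic: BusyBox stores its applet names as NUL-terminated strings."""
    return sorted(a.decode() for a in KNOWN_APPLETS if b"\x00" + a + b"\x00" in blob)


def find_kernel(blob):
    m = KERNEL_RE.search(blob)
    return m.group(1).decode() if m else None


def scan_firmware(blob):
    """Collect findings and list the GPL components whose source must be offered."""
    busybox = find_busybox(blob)
    kernel = find_kernel(blob)
    components = []
    if busybox:
        components.append("busybox-" + busybox["version"])
    if kernel:
        components.append("linux-" + kernel)
    # Applet names only mean something once a BusyBox banner confirms the binary.
    return {"busybox": busybox, "applets": find_applets(blob) if busybox else [],
            "kernel": kernel, "gpl_components": components}


if __name__ == "__main__":
    for key, value in scan_firmware(SAMPLE_FIRMWARE).items():
        print(f"{key}: {value}")
```

A real audit would run this over every file extracted from the firmware's file systems, which is the extraction step the capabilities list mentions; here a single constructed blob stands in for that.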

All in all, this new software is a welcome addition to the corporate and hacker toolchest: it means that more embedded systems can be brought into compliance, which is good in itself, but it will also make even more apparent the continuing rise of free software in this important domain, which should help spread it yet further.

Follow me @glynmoody on Twitter or identi.ca.