Modern software is typically composed of numerous components, such as third-party open source packages. To prevent legal or security problems, software vendors must identify the components (including their licenses) used to create the binaries they ship. This requires knowing exactly which source code files and other artifacts are used to create a given binary, and how they are used (e.g. whether libraries are statically or dynamically linked). In this talk I will show a generic method to reverse-engineer this information from the build processes of software products. The method traces system calls to determine the composition graph of sources and binaries involved in build processes.
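As an added illustration that is not part of the talk, the following Python sketch applies the idea to a constructed `strace -f` log: each process's `openat` calls are split into files read and files written, every written file is taken to depend on every file the same process read, and the graph is walked back from the shipped binary to the leaf inputs. The trace lines, paths, the write-flag rule and the `.so` name heuristic for dynamic linking are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed strace -f style lines (not from any real build); execve lines omitted.
TRACE = """\
101 openat(AT_FDCWD, "foo.c", O_RDONLY) = 3
101 openat(AT_FDCWD, "foo.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
102 openat(AT_FDCWD, "bar.c", O_RDONLY) = 3
102 openat(AT_FDCWD, "bar.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
103 openat(AT_FDCWD, "foo.o", O_RDONLY) = 3
103 openat(AT_FDCWD, "bar.o", O_RDONLY) = 4
103 openat(AT_FDCWD, "/usr/lib/libz.a", O_RDONLY) = -1 ENOENT (No such file or directory)
103 openat(AT_FDCWD, "/usr/lib/libz.so", O_RDONLY) = 5
103 openat(AT_FDCWD, "app", O_WRONLY|O_CREAT|O_TRUNC, 0777) = 6
"""
OPEN_RE = re.compile(r'^(\d+) openat\(\w+, "([^"]+)", ([A-Z_|]+)(?:, \d+)?\) = (-?\d+)')
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT")   # assumption: these mark an output

def build_graph(trace):
    """Return {output_path: {input_path, ...}}: every file a process opened for
    writing is taken to depend on every file the same process opened for reading."""
    reads, writes = defaultdict(set), defaultdict(set)
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if not m or int(m.group(4)) < 0:   # not an openat, or a failed (-1) open
            continue
        pid, path, flags = m.group(1), m.group(2), m.group(3).split("|")
        (writes if any(f in WRITE_FLAGS for f in flags) else reads)[pid].add(path)
    graph = defaultdict(set)
    for pid, outs in writes.items():
        for out in outs:
            graph[out] |= reads[pid] - {out}   # an O_RDWR file is not its own input
    return dict(graph)

def provenance(graph, target):
    """Leaf inputs reachable from target: files that no traced process wrote."""
    inputs = graph.get(target)
    if not inputs:
        return {target}
    return set().union(*(provenance(graph, i) for i in inputs))

def link_kind(path):
    """Name heuristic: a .so read at link time is dynamically linked, else static."""
    return "dynamic" if ".so" in path.rsplit("/", 1)[-1] else "static"

if __name__ == "__main__":
    g = build_graph(TRACE)
    for leaf in sorted(provenance(g, "app")):
        print(f"{leaf}: {link_kind(leaf)}")
```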
Speakers: Armijn Hemel