Abstract

As open-source software (OSS) is widely used, many IT organizations adopt OSS without obeying some guidelines for open-source license agreements. To reduce risks related to open-source licenses, the organizations should meet the requirements for OSS licenses. Because some OSS components may be given from major upstream suppliers in binary form, it is very hard to verify whether a binary program contains unlicensed OSS components. In this paper, we propose a novel technique for determining whether a binary includes certain OSS components without respecting the OSS licensing terms. Our technique employs function-level static software birthmark to detect code clones in binaries. In our technique, the birthmark is a sequence of the size information of arguments and local variables of functions inside a binary, and the similarity between birthmarks is computed using semi-global sequence alignment or k-gram method. We evaluate the effectiveness of the proposed techniques by performing experiments with some binaries and OSS components.