Developers sometimes statically link libraries from 3rd party projects, maintain an internal copy of 3rd party software or fork development of an existing 3rd party project. This practice can lead to software vulnerabilities when the embedded code is not kept up to date with upstream sources. As a result, manual techniques have been applied by Linux vendors to track embedded code and identify vulnerabilities.

In this talk, Silvio will release an automated solution to identify embedded packages without any prior knowledge of such relationships. This approach identifies similar source files based on file names and content to identify relationships between source packages. Graph theory is used to perform the analysis. Silvio's tool also automates identifying if embedded packages have outstanding vulnerabilities that have not been patched. Using this system, over 30 previously unknown vulnerabilities were identified in Linux distributions. These results are now starting to be used by vendors to track embedded packages.