Tool for detecting vulnerabilities in Linux libraries

A software package for the open source Linux operating system has been released that finds flaws and possible vulnerabilities in embedded Linux libraries.
Flaws are first searched for in third-party software packages by comparing them against a database of known vulnerable packages, MVE. The tool then uses the program “ssdip” to find packages similar to the known-vulnerable ones, based on similar file names and on the source code itself. According to its author, Silvio Cesare, over 90% of the results are false positives; in other words, the tool reports more flaws than actually exist. Still, it is far easier to check a handful of flagged packages for vulnerabilities and rule some out than to do all of this work by hand, as was done previously.

During development of the tool, Cesare found over 30 flaws in standard embedded Linux libraries. Linux distributions such as Debian and Fedora have also resolved some of their library vulnerabilities with it, and a security flaw was found in a library used by Mozilla's popular Firefox browser. The original news was published on the SC Magazine web site.
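As an added illustration (not the tool described above, nor code by its author), here is a small Python sketch of the two-stage matching the article describes: file-name similarity against a list of known-vulnerable libraries, then fuzzy content similarity to confirm each file. The reference library, candidate packages and thresholds are constructed for the example, and difflib stands in for fuzzy hashing.

```python
import difflib
import os

# Constructed reference: a hypothetical known-vulnerable "libfoo", basename -> source.
VULNERABLE_REFERENCE = {
    "libfoo": {
        "foo_parse.c": "int foo_parse(char *buf){ char tmp[64]; strcpy(tmp, buf); return 0; }",
        "foo_util.c": "int foo_len(const char *s){ return strlen(s); }",
        "foo.h": "int foo_parse(char *buf); int foo_len(const char *s);",
    }
}
# Constructed candidates (path -> source): a vendored copy, a name collision only, unrelated.
VENDORED_APP = {
    "src/main.c": 'int main(void){ return foo_parse("x"); }',
    "third_party/libfoo/foo_parse.c":
        VULNERABLE_REFERENCE["libfoo"]["foo_parse.c"] + " /* vendored copy */",
    "third_party/libfoo/foo_util.c": VULNERABLE_REFERENCE["libfoo"]["foo_util.c"],
    "third_party/libfoo/foo.h": VULNERABLE_REFERENCE["libfoo"]["foo.h"],
}
NAME_COLLISION_APP = {"include/foo.h": "struct foo { int x; int y; };"}
CLEAN_APP = {"src/main.c": "int main(void){ return 0; }", "src/bar.c": "void bar(void){}"}

def filename_similarity(ref_files, pkg_files):
    """Jaccard similarity of the two packages' sets of file basenames."""
    ref = {os.path.basename(f) for f in ref_files}
    pkg = {os.path.basename(f) for f in pkg_files}
    return len(ref & pkg) / len(ref | pkg) if ref | pkg else 0.0

def content_similarity(ref_src, pkg_src):
    """Fuzzy similarity of two source texts in [0, 1] (difflib stands in for ssdeep)."""
    return difflib.SequenceMatcher(None, ref_src, pkg_src).ratio()

def find_embedded_clones(package, references=VULNERABLE_REFERENCE,
                         name_threshold=0.3, content_threshold=0.7):
    """Return (reference, filename_score, confirmed_files) per embedded library.
    Cheap filename matching filters first; content similarity confirms each file."""
    hits = []
    pkg_by_base = {os.path.basename(p): src for p, src in package.items()}
    for ref_name, ref_files in references.items():
        name_score = filename_similarity(ref_files, package)
        if name_score < name_threshold:
            continue
        confirmed = sorted(
            base for base, src in ref_files.items()
            if base in pkg_by_base
            and content_similarity(src, pkg_by_base[base]) >= content_threshold
        )
        if confirmed:
            hits.append((ref_name, round(name_score, 2), confirmed))
    return hits
```

Packages that survive both filters are still only candidates for manual review, which is where the high false-positive rate mentioned above is dealt with.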