{"id":31035726,"url":"https://github.com/ossf/reliable-software-decomposition","last_synced_at":"2026-02-15T04:35:53.913Z","repository":{"id":294479506,"uuid":"984897336","full_name":"ossf/reliable-software-decomposition","owner":"ossf","description":"Reliable Software Decomposition SIG","archived":false,"fork":false,"pushed_at":"2025-05-20T15:36:29.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-14T03:47:22.075Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-16T17:39:19.000Z","updated_at":"2025-05-20T15:36:32.000Z","dependencies_parsed_at":"2025-05-22T07:00:29.645Z","dependency_job_id":null,"html_url":"https://github.com/ossf/reliable-software-decomposition","commit_stats":null,"previous_names":["ossf/reliable-software-decomposition"],"tags_count":0,"template":false,"template_full_name":"ossf/project-template","purl":"pkg:github/ossf/reliable-software-decomposition","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Freliable-software-decomposition","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Freliable-software-decomposition/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Freliable-software-decomposition/releases","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/ossf%2Freliable-software-decomposition/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/reliable-software-decomposition/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Freliable-software-decomposition/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29469606,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-15T04:35:06.950Z","status":"ssl_error","status_checked_at":"2026-02-15T04:33:41.357Z","response_time":118,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-14T03:47:12.024Z","updated_at":"2026-02-15T04:35:53.908Z","avatar_url":"https://github.com/ossf.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# **Reliable Software Decomposition SIG**\n\nThe Reliable Software Decomposition SIG is a Special Interest Group at\nthe sandbox stage. The SIG reports to the OpenSSF Security Tooling\nWorking Group.\n\n## **Motivation**\n\nDisassembly is a foundational step of a wide range of software\nmaintenance workflows, including debugging, profiling, reverse\nengineering, security analysis, dependency analysis, patching, binary\ntranslation, and optimization. 
Unfortunately, correct disassembly is\nundecidable and existing security and maintenance tools must rely on\ncomplex heuristics and manual work by experts. The resulting partial\nand/or inaccurate disassembly can lead to missed or erroneous\nvulnerability reports, inaccurate software composition analysis, or\nincorrect patches or optimizations.\n\nSome of the information required to make disassembly possible without\nthese complex heuristics is already available in existing toolchain\nartifacts, but enabled or used only to varying degrees. For example,\nmany system profiling tools depend on `.eh_frame` unwinding\nmetadata. Some other information, like the structure of assembly jump\ntables, is simply not available.\n\nThe goal of this special interest group is to develop a set of\nstandard practices (enabled toolchain flags, features, etc.) and/or\nextensions to ELF and associated toolchains to enable fully automated,\nreliable disassembly of the resulting binaries.\n\n## **Objective**\n\nOur planned initial deliverables will include a document compiling:\n- a list of existing areas where current disassemblers must rely on\n  heuristics,\n- a list of existing sources of metadata that could address these\n  deficiencies if enabled, and\n- a list of gaps that could be addressed with additional metadata\n  generated by toolchains.\n\nGuided by this deliverable, we then plan to draft a specification for\nwhat information must be included in an ELF object to enable\ndisassembly, where and how it can be found in an ELF binary, and what\nadditional data should be added as ELF extensions. We also plan to\ndevelop prototype implementations of the necessary extensions and work\nwith toolchain communities to incorporate the required features. 
If we\nhave developed sufficient community interest at this stage, we will\nexplore converting the SIG into an OpenSSF project to organize work on\nthe specification and tooling.\n\n## **Scope**\n\nThese efforts will be scoped to language-independent information about\nbinary programs; that is, improvements to the ELF standard and related\ntools that enable reliable disassembly rather than the more general\nproblem of decompilation. Initially, our efforts will focus on the\nx86_64 Linux platform, but the extensions should be platform agnostic\nwhere practicable.\n\n# **Get Involved**\n\n* Official communications occur via the [Security Tools Working\n  Group](https://github.com/ossf/wg-security-tooling) and via Zoom\n  (see Meeting Times below).\n\n## **Meeting times**\n\n[Zoom](https://www.google.com/url?q=https%3A%2F%2Fzoom-lfx.platform.linuxfoundation.org%2Fmeeting%2F99818313684%3Fpassword%3D0152ec91-7511-480c-ba54-0ed7916c50aa\u0026sa=D\u0026ust=1748186700000000\u0026usg=AOvVaw1SlVwe_Q4cHpNtkxIukLg8) every other Monday @ GMT starting June 9, 2025.\n\nThe meeting invite is available on the public [OSSF Calendar](https://openssf.org/getinvolved/)\n\n# **Governance/Membership**\n\nThe [CHARTER.md](https://github.com/ossf/reliable-software-decomposition/blob/main/CHARTER.md)\noutlines the scope and governance of our group activities.\n\n* Lead: Scott Moore \u003cscott@galois.com\u003e, Galois, Inc.\n* Sponsor: Ryan Ware \u003cware@opensourceware.me\u003e\n\n# **Intellectual Property**\n\nIn accordance with the [OpenSSF Charter (PDF)](https://charter.openssf.org/), work produced by this group is licensed as follows:\n\n1. Software source code\n* Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0;\n2. Data\n* Any of the Community Data License Agreements, available at https://www.cdla.io;\n3. Specifications\n* Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0\n4. 
All other Documentation\n* Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/\n\n**Antitrust Policy Notice**\n\nLinux Foundation meetings involve participation by industry\ncompetitors, and it is the intention of the Linux Foundation to\nconduct all of its activities in accordance with applicable antitrust\nand competition laws. It is therefore extremely important that\nattendees adhere to meeting agendas, and be aware of, and not\nparticipate in, any activities that are prohibited under applicable US\nstate, federal or foreign antitrust and competition laws.\n\nExamples of types of actions that are prohibited at Linux Foundation\nmeetings and in connection with Linux Foundation activities are\ndescribed in the Linux Foundation Antitrust Policy available at\nhttp://www.linuxfoundation.org/antitrust-policy. If you have questions\nabout these matters, please contact your company counsel, or if you\nare a member of the Linux Foundation, feel free to contact Andrew\nUpdegrove of the firm of Gesmer Updegrove LLP, which provides legal\ncounsel to the Linux Foundation.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Freliable-software-decomposition","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Freliable-software-decomposition","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Freliable-software-decomposition/lists"}