Reliable Software Decomposition SIG
https://github.com/ossf/reliable-software-decomposition

# **Reliable Software Decomposition SIG**

The Reliable Software Decomposition SIG is a Special Interest Group at
the sandbox stage. The SIG reports to the OpenSSF Security Tooling
Working Group.

## **Motivation**

Disassembly is a foundational step of a wide range of software
maintenance workflows, including debugging, profiling, reverse
engineering, security analysis, dependency analysis, patching, binary
translation, and optimization. Unfortunately, correct disassembly is
undecidable, and existing security and maintenance tools must rely on
complex heuristics and manual work by experts. The resulting partial
and/or inaccurate disassembly can lead to missed or erroneous
vulnerability reports, inaccurate software composition analysis, or
incorrect patches or optimizations.

Some of the information required to make disassembly possible without
these complex heuristics is already available in existing toolchain
artifacts, but it is enabled or used only to varying degrees. For
example, many system profiling tools depend on `.eh_frame` unwinding
metadata. Other information, like the structure of assembly jump
tables, is simply not available.
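As an added illustration (example code, not part of the SIG's README), the following Python walks the CIE/FDE entries of an `.eh_frame` section and recovers the code ranges the unwinding metadata already guarantees; a disassembler can treat these as trusted function extents, whereas jump-table targets have no comparable source. The sample section bytes are constructed inline, and the parser assumes the `zR` CIE augmentation with 4-byte pc-relative address encoding, the form commonly emitted for x86_64.

```python
import struct
DW_EH_PE_sdata4, DW_EH_PE_pcrel = 0x0B, 0x10   # DWARF pointer-encoding bits used here

def skip_leb(buf, p):                           # skip one LEB128 value (value unused)
    while buf[p] & 0x80:
        p += 1
    return p + 1

def read_ptr(buf, off, enc, section_vaddr):     # 4-byte FDE address field per 'R' encoding
    fmt = "<i" if enc & 0x0F == DW_EH_PE_sdata4 else "<I"
    val = struct.unpack_from(fmt, buf, off)[0]
    if enc & DW_EH_PE_pcrel:                    # relative to the field's own address
        val += section_vaddr + off
    return val & 0xFFFFFFFFFFFFFFFF, off + 4

def fde_ranges(eh_frame, section_vaddr=0):
    """Return [(start, end)] for every FDE: code ranges a disassembler can trust."""
    off, cie_enc, ranges = 0, {}, []
    while off + 4 <= len(eh_frame):
        length = struct.unpack_from("<I", eh_frame, off)[0]
        if length == 0:                         # zero-length terminator entry
            break
        body = off + 4
        cie_id = struct.unpack_from("<I", eh_frame, body)[0]
        if cie_id == 0:                         # CIE (version 1 layout assumed)
            p = body + 5                        # skip CIE id and version byte
            aug_end = eh_frame.index(b"\0", p)
            assert eh_frame[p:aug_end] == b"zR", "only 'zR' CIEs handled in this example"
            p = skip_leb(eh_frame, aug_end + 1)        # code alignment factor
            p = skip_leb(eh_frame, p) + 1              # data alignment, return register
            p = skip_leb(eh_frame, p)                  # augmentation data length
            cie_enc[off] = eh_frame[p]                 # 'R': encoding of FDE addresses
        else:                                   # FDE: cie_id points back to its CIE
            enc = cie_enc[body - cie_id]
            start, p = read_ptr(eh_frame, body + 4, enc, section_vaddr)
            size = struct.unpack_from("<I", eh_frame, p)[0]   # pc_range, same width
            ranges.append((start, start + size))
        off = body + length
    return ranges

def build_sample_eh_frame(section_vaddr, funcs):
    """Constructed sample: one 'zR' CIE (pcrel|sdata4) and one FDE per (start, size)."""
    cie_body = b"\0\0\0\0\x01zR\0\x01\x78\x10\x01" + bytes([DW_EH_PE_pcrel | DW_EH_PE_sdata4])
    blob = struct.pack("<I", len(cie_body)) + cie_body
    for start, size in funcs:
        pc_field = section_vaddr + len(blob) + 8          # address of the pc_begin field
        fde_body = struct.pack("<IiI", len(blob) + 4, start - pc_field, size) + b"\0"
        blob += struct.pack("<I", len(fde_body)) + fde_body
    return blob + b"\0\0\0\0"                             # .eh_frame terminator
```

Passing the wrong load address for the section shifts every recovered range, which is why a tool must take the section's virtual address from the ELF section header rather than assume zero.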

The goal of this special interest group is to develop a set of
standard practices (enabled toolchain flags, features, etc.) and/or
extensions to ELF and associated toolchains to enable fully automated,
reliable disassembly of the resulting binaries.

## **Objective**

Our planned initial deliverables will include a document compiling:
- a list of existing areas where current disassemblers must rely on
heuristics,
- a list of existing sources of metadata that could address these
deficiencies if enabled, and
- a list of gaps that could be addressed with additional metadata
generated by toolchains.

Guided by this deliverable, we then plan to draft a specification for
what information must be included in an ELF object to enable
disassembly, where and how it can be found in an ELF binary, and what
additional data should be added as ELF extensions. We also plan to
develop prototype implementations of the necessary extensions and work
with toolchain communities to incorporate the required features. If we
have developed sufficient community interest at this stage, we will
explore converting the SIG into an OpenSSF project to organize work on
the specification and tooling.

## **Scope**

These efforts will be scoped to language-independent information about
binary programs; that is, improvements to the ELF standard and related
tools that enable reliable disassembly rather than the more general
problem of decompilation. Initially, our efforts will focus on the
x86_64 Linux platform, but the extensions should be platform agnostic
where practicable.

# **Get Involved**

* Official communications occur via the [Security Tools Working
Group](https://github.com/ossf/wg-security-tooling) and via Zoom
(see Meeting times below).

## **Meeting times**

[Zoom](https://www.google.com/url?q=https%3A%2F%2Fzoom-lfx.platform.linuxfoundation.org%2Fmeeting%2F99818313684%3Fpassword%3D0152ec91-7511-480c-ba54-0ed7916c50aa&sa=D&ust=1748186700000000&usg=AOvVaw1SlVwe_Q4cHpNtkxIukLg8) every other Monday @ GMT starting June 9, 2025.

The meeting invite is available on the public [OSSF Calendar](https://openssf.org/getinvolved/).

# **Governance/Membership**

The [CHARTER.md](https://github.com/ossf/reliable-software-decomposition/blob/main/CHARTER.md)
outlines the scope and governance of our group activities.

* Lead: Scott Moore, Galois, Inc.
* Sponsor: Ryan Ware

# **Intellectual Property**

In accordance with the [OpenSSF Charter (PDF)](https://charter.openssf.org/), work produced by this group is licensed as follows:

1. Software source code
   * Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0;
2. Data
   * Any of the Community Data License Agreements, available at https://www.cdla.io;
3. Specifications
   * Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0;
4. All other Documentation
   * Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/

**Antitrust Policy Notice**

Linux Foundation meetings involve participation by industry
competitors, and it is the intention of the Linux Foundation to
conduct all of its activities in accordance with applicable antitrust
and competition laws. It is therefore extremely important that
attendees adhere to meeting agendas, and be aware of, and not
participate in, any activities that are prohibited under applicable US
state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation
meetings and in connection with Linux Foundation activities are
described in the Linux Foundation Antitrust Policy available at
http://www.linuxfoundation.org/antitrust-policy. If you have questions
about these matters, please contact your company counsel, or if you
are a member of the Linux Foundation, feel free to contact Andrew
Updegrove of the firm of Gesmer Updegrove LLP, which provides legal
counsel to the Linux Foundation.