Software development company Loohuis Consulting and process management consultancy OpenDawn have released a new binary analysis tool that is designed to detect Linux and BusyBox in binary firmware. The program, which is freely available for download, is intended to aid open source license compliance efforts.

Open source software licenses broadly enable redistribution of application source code, but some impose additional stipulations on derivatives. There is an entire class of reciprocal open source software licenses, sometimes called "copyleft" licenses, that require derivatives to be distributed under the same terms as the original code base. The purpose of such licenses is to ensure that third-party enhancements to the code are disclosed and made available to all members of the community.

The most popular copyleft license, the GNU General Public License (GPL), has become a powerful enabler of collaboration, but a growing number of companies fall afoul of its requirements. Bradley Kuhn, the technical director of the Software Freedom Law Center (SFLC), revealed last year that he finds an average of one new GPL violator every day. A GPL violation constitutes copyright infringement and puts the violator in a position where they risk having their license to use the software terminated. The SFLC and a handful of other organizations, such as gpl-violations.org, attempt to educate companies about GPL compliance and help them conform with the requirements of the license.

In rare instances, some open source software projects have used litigation in response to persistent and uncorrected violations. For example, the open source BusyBox project—which provides a set of command-line tools and a lightweight interactive shell for mobile Linux computing environments—has been at the center of a string of GPL enforcement lawsuits targeted at mainstream consumer electronics vendors.

As licensing enforcement experts have explained in the past, compliance is not particularly burdensome—companies really just need to pay attention and do due diligence. That is one area where the new binary analysis tool could potentially be helpful. The tool is developed by Armijn Hemel and Shane Coughlan, the people behind the two consulting firms that released the software. Hemel is widely known for his contributions to the gpl-violations.org effort.

The tool is designed to analyze binary device firmware images in order to detect the software they contain. It can extract BusyBox version and configuration data and find strings that indicate the presence of the Linux kernel. It is built around an extensible "knowledgebase," which means that it can be extended to scan for other specific pieces of software. It could be a useful tool for companies that are uncertain about the contents of their firmware and want to verify whether it contains Linux or BusyBox.
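The string-based detection described above can be sketched in Python as follows. This is an added example, not the tool's own code: the `KNOWLEDGEBASE` table, the function names and the sample image are constructed for illustration. It goes one step beyond a plain string search by also looking inside gzip-compressed regions, where a packed kernel's strings would otherwise be invisible.

```python
import re
import zlib

# Hypothetical signature table standing in for an extensible knowledge base.
# The patterns match the version banners BusyBox and the Linux kernel embed.
KNOWLEDGEBASE = {
    "BusyBox": re.compile(rb"BusyBox v(\d+(?:\.\d+)+)"),
    "Linux kernel": re.compile(rb"Linux version (\d+(?:\.\d+)+[\w.+-]*)"),
}
GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip header, deflate method


def embedded_gzip_streams(blob):
    """Yield (offset, data) for each gzip stream in blob that decompresses."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        try:
            # wbits=31 makes zlib expect a gzip wrapper; trailing bytes are ignored
            data = zlib.decompressobj(31).decompress(blob[pos:])
            if data:
                yield pos, data
        except zlib.error:
            pass  # magic bytes appeared by chance, not a real stream
        pos = blob.find(GZIP_MAGIC, pos + 1)


def scan(blob, origin="raw"):
    """Return sorted (component, version, origin, offset) findings."""
    findings = set()
    for name, pattern in KNOWLEDGEBASE.items():
        for m in pattern.finditer(blob):
            findings.add((name, m.group(1).decode("ascii"), origin, m.start()))
    if origin == "raw":  # descend one level into compressed regions
        for offset, data in embedded_gzip_streams(blob):
            findings.update(scan(data, origin=f"gzip@{offset:#x}"))
    return sorted(findings)


def sample_firmware():
    """Constructed image: plain BusyBox banner plus a gzip-packed kernel banner."""
    kernel = b"\x00" * 64 + b"Linux version 2.6.31.8 (build@host) (gcc version 4.3.3)\x00"
    busybox = b"BusyBox v1.15.3 (2010-01-12 10:11:12 CET) multi-call binary\x00"
    packer = zlib.compressobj(9, zlib.DEFLATED, 31)  # gzip container
    packed = packer.compress(kernel) + packer.flush()
    return b"\xff" * 32 + busybox + b"\xff" * 16 + packed + b"\xff" * 8


if __name__ == "__main__":
    for finding in scan(sample_firmware()):
        print(finding)
```

Real firmware usually wraps these components in filesystem images such as SquashFS or JFFS2, which have to be unpacked before any string matching can see their contents.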

Developed with funding from the Linux Foundation and the NLnet Foundation, the binary analysis tool is distributed under the permissive Apache license. It is available for download from the project's website, along with some introductory documentation and other details. The source code, which is largely written in the Python programming language, is available from the project's public Subversion repository.