Overview

Programmers often copy code from one program to another. Unfortunately, when patches to buggy code are not propagated to all code clones, one or more programs are left vulnerable. To study how widespread the problem of unpatched code clones truly is, and to provide a tool that can help developers fight against it, we developed ReDeBug, a system to quickly find unpatched code clones in code bases at the scale of entire OS distributions.

Using ReDeBug, we examined over 2.1 billion lines of code from all packages in Debian Lenny/Squeeze, Ubuntu Maverick/Oneiric, all C and C++ projects in SourceForge, and also the Linux kernel. ReDeBug identified 15,546 unpatched copies of known vulnerable code, and sample unpatched code clones identified in our datasets are available:

Debian Squeeze (Nov 2011)
Ubuntu Oneiric (Nov 2011)
Debian Lenny (Jan 2011)
Ubuntu Maverick (Mar 2011)
SourceForge (Mar 2011)

Some unpatched code clones may not be vulnerable when the identified code is used in non-exploitable environments.
Please refer to our research paper and article for technical details.
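To make the problem concrete, here is an added illustration, written for this page and not ReDeBug's own code, of how a patch can be turned into a signature of the pre-patch code and used to flag copies that never received the fix. The line normalization, the 4-line window, the sample patch and the corpus files are all constructed assumptions, not taken from ReDeBug or from any real package.

```python
import re
N = 4  # consecutive lines per n-gram (assumed window size)

def normalize(line):
    """Drop // comments and all whitespace so cosmetic edits don't hide a clone."""
    return re.sub(r"\s+", "", re.sub(r"//.*", "", line)).lower()

def buggy_lines_from_patch(patch):
    """Pre-patch text of a unified diff: context and '-' lines, in order."""
    out = []
    for raw in patch.splitlines():
        if raw.startswith(("--- ", "+++ ", "@@", "+")):
            continue  # file headers, hunk markers and added lines
        if raw.startswith(("-", " ")) and normalize(raw[1:]):
            out.append(normalize(raw[1:]))
    return out

def ngrams(lines):
    return {tuple(lines[i:i + N]) for i in range(len(lines) - N + 1)}

def find_unpatched_clones(patch, corpus):
    """Map file name -> count of pre-patch n-grams it still contains."""
    sig = ngrams(buggy_lines_from_patch(patch))
    hits = {}
    for name, src in corpus.items():
        lines = [l for l in map(normalize, src.splitlines()) if l]
        common = sig & ngrams(lines)
        if common:  # a file that applied the fix breaks the sequence
            hits[name] = len(common)
    return hits

# Constructed sample patch: fixes an off-by-one bounds check in parse.c.
PATCH = """--- a/parse.c
+++ b/parse.c
@@ -10,6 +10,6 @@
 int parse_len(const unsigned char *p, size_t avail)
 {
     size_t n = p[0];
-    if (n <= avail) memcpy(buf, p + 1, n);
+    if (n < avail) memcpy(buf, p + 1, n);
     return (int)n;
 }
"""
# Constructed corpus: a copy that never got the fix, one that did, one unrelated.
FUNC = ("int parse_len(const unsigned char *p, size_t avail)\n{\n"
        "  size_t n = p[0]; // length byte\n"
        "  if (n %s avail) memcpy(buf, p+1, n);\n  return (int) n;\n}\n")
CORPUS = {"net/reader.c": FUNC % "<=",       # still carries the buggy check
          "net/reader_fixed.c": FUNC % "<",  # fix applied
          "util/hex.c": "static int nib(char c)\n{\n  return c - '0';\n}\n"}
```

A hit only says the pre-patch code is still present; as the caveat above notes, whether that copy is exploitable depends on how it is used.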

Source Code

ReDeBug source code is available here.