GrammaTech Extends the Reach of Static Analysis

Engineers, engineering managers and executives involved in building safety and security critical embedded systems will soon have two new tools available to find more bugs earlier, and fix them quicker. GrammaTech, a leading provider of software assurance tools and cybersecurity solutions, today announced two new products: CodeSonar/Libraries and CodeSonar/X.

CodeSonar is the first static analysis tool that can extend source code static analysis into libraries that are only available in binary form through its CodeSonar/Libraries plugin. Other static analysis tools for source code ignore calls into binary libraries — effectively treating those calls as if they were not there. With 25% of embedded projects utilizing third party libraries, according to VDC Research, this simplification easily leads to undetected problems (false negatives). Proper reasoning about the source code requires interpreting effects of the library code. This simplification also misses problems caused by misuse of the library API. CodeSonar/Libraries adds the capability to seamlessly switch between source and binary analysis as it examines possible paths through the program. This results in a net increase of the number of problems detected in the user’s source code. Many software development projects use binary libraries with content from third party vendors, or from existing legacy code. Examples of these include firmware, operating system libraries, graphical user interface subsystems, or middleware layers such as CORBA, DDS, MQTT or others.

CodeSonar/X is a ground-breaking new capability connecting static analysis with dynamic analysis to help software developers improve efficiency, further reduce risk and decrease time-to-market. This plug-in for GrammaTech’s CodeSonar reports state corruptions during host-based testing by monitoring memory access. It combines static and dynamic violations and reports them in the CodeSonar User Interface, helping engineers correlate and prioritize.

“The use of libraries as well as state corruption due to buffer overruns are often blind spots for software development teams,” says Mark Hermeling, Senior Director Product Marketing at GrammaTech, Inc. “Incorrect use of libraries can lead to difficult to detect run-time errors, while a missed buffer overrun can lead to a cyber vulnerability, which can have a severe impact on safety and security critical devices. CodeSonar/Libraries and CodeSonar/X demonstrate GrammaTech’s innovation and thought leadership in the field of static analysis for devices where failure is not an option.”

CodeSonar/Libraries is available now, with CodeSonar/X following later this year. Existing customers can contact GrammaTech for access to these ground-breaking technologies. For more information, visit GrammaTech and partner VerifySoft at Booth 4-423, or attend their exhibitor presentation “Static Analysis++” on 28.02.2018 at 10.00-10.30 in Hall 4, stand 4-328.

This material is based upon work supported by the U.S. Department of Homeland Security under Contract No. HSHQDC-16-C-00099.  Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. Department of Homeland Security.

About GrammaTech

GrammaTech’s advanced static analysis tools are used by software developers worldwide, spanning a myriad of embedded software industries including avionics, government, medical, military, industrial control, and other applications where reliability and security are paramount. Originally developed within Cornell University, GrammaTech is now a leading research center for software security and a commercial vendor of software-assurance tools and advanced cyber-security solutions. With both static and dynamic analysis tools that analyze source code as well as binary executables, GrammaTech continues to advance the science of superior software analysis, providing technology for developers to produce safer software. For more information, visit www.grammatech.com or follow us on LinkedIn.