INTRODUCTION:
Companies serious about quality, safety, and security need to manage the risks in their supply chain, including software such as commercial of the shelf (COTS) and free and open source software (FOSS). In addition, existing and legacy code may have undetected vulnerabilities. Static analysis, especially analysis of binary files, provides an easy-to-adopt and efficient approach to improving the quality and security of the reused and third-party software.
Related:
- GrammaTech Announces Binary Analysis Support for ARM
- Eliminating Vulnerabilities in Third-Party Code with Binary Analysis
- Strange Loops: Ken Thompson and the Self-referencing C Compiler
Beyond Static Source Analysis
CodeSonar’s binary analysis technology can evaluate object and library files for quality and security vulnerabilities. Although the possibility of investigating and fixing the issues is often limited, it does provide a bellwether of the quality and security of the code. Customers of COTS products can go back to technical support of the vendor and ask for confirmation and analysis of the discovered vulnerabilities.
Binary analysis really shines when used in a hybrid fashion with source analysis. Source code analysis can use more information about the intent and design of the software than binary analysis. But whenever an external library is called, including standard C/C++ libraries, source code analysis can’t tell if the use of the function is correct or not (assumptions are made, of course, for well known functions like strcpy() ). By combining source and binary analysis, a more complete analysis is possible. For example, if an external function takes a pointer to a buffer and a buffer overflow is possible with misused parameters, hybrid static analysis can detect this problem.
Information Flow and Tainted Data Analysis
Static analysis (binary and source-based) can track data flow through an application from source to sink (where it is finally used). Tainted data, that which is unchecked or unfiltered, can create unwanted behavior and purposely disrupt a system. Inducing buffer overflows, for example, by entering large strings as user input can be a safety and security hazard, if unchecked. Binary analysis furthers this capability by continuing the data flow trace into binary code, where such analysis is impossible with source-only analysis.
Tool Chain Errors and Backdoors
Binary analysis augments static source code analysis by detecting tool-chain induced errors and vulnerabilities. Backdoors have been placed in C/C++ compilers in the past and remain virtually undetected for years. Binary analysis allows developers to evaluate the results of source-based and binary results to make sure quality and security issues are not introduced by the tool chain.
Multiplatform Support
Binary analysis is hardware CPU architecture-dependent, as one would guess, given the nature of binary code. GrammaTech CodeSonar for Binary Analysis support both the x86 and ARM platforms, which covers a large majority of embedded, mobile and embedded devices in the marketplace. (ARM support will be available in Q2.)
CONCLUSION:
It’s critical that potential vulnerabilities, quality and safety defects are detected and accounted for before code is used in a final product. Proper supply-chain risk management requires due diligance for reusing code, whether that’s in-house, free or open-source, or from commercial vendors. Binary analysis provides an important tool for evaulating quality, security, and safety before it becomes part of your product.
