Page 74 - Cyber Warnings
P. 74
IMPROVING QUALITY AND SECURITY WITH BINARY ANALYSIS
by Bill Graham, Technical Marketing Consultant, GrammaTech
Introduction:
Companies serious about quality, safety, and security need to manage the risks in their supply
chain, including software such as commercial of the shelf (COTS) and free and open source
software (FOSS).
In addition, existing and legacy code may have undetected vulnerabilities. Static analysis,
especially analysis of binary files, provides an easy-to-adopt and efficient approach to improving
the quality and security of the reused and third-party software.
Beyond Static Source Analysis
CodeSonar's binary analysis technology can evaluate object and library files for quality and
security vulnerabilities. Although the possibility of investigating and fixing the issues is often
limited, it does provide a bellwether of the quality and security of the code.
Customers of COTS products can go back to technical support of the vendor and ask for
confirmation and analysis of the discovered vulnerabilities.
Binary analysis really shines when used in a hybrid fashion with source analysis. Source
code analysis can use more information about the intent and design of the software than binary
analysis. But whenever an external library is called, including standard C/C++ libraries, source
code analysis can't tell if the use of the function is correct or not (assumptions are made, of
course, for well known functions like strcpy() ).
By combining source and binary analysis, a more complete analysis is possible. For example, if
an external function takes a pointer to a buffer and a buffer overflow is possible with misused
parameters, hybrid static analysis can detect this problem.
Information Flow and Tainted Data Analysis
Static analysis (binary and source-based) can track data flow through an application from
source to sink (where it is finally used). Tainted data, that which is unchecked or unfiltered, can
create unwanted behavior and purposely disrupt a system.
Inducing buffer overflows, for example, by entering large strings as user input can be a safety
and security hazard, if unchecked.
74 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
