By Bill Graham, Technical Marketing Consultant, GrammaTech

Introduction:
Companies serious about quality, safety, and security need to manage the risks in their supply chain, including software such as commercial of the shelf (COTS) and free and open-source software (FOSS).

In addition, existing and legacy code may have undetected vulnerabilities. Static analysis,
especially the analysis of binary files provides an easy-to-adopt and efficient approach to improving the quality and security of the reused and third-party software.

Beyond Static Source Analysis
CodeSonar’s binary analysis technology can evaluate object and library files for quality and
security vulnerabilities. Although the possibility of investigating and fixing the issues is often limited, it does provide a bellwether of the quality and security of the code.

Customers of COTS products can go back to the technical support of the vendor and ask for
confirmation and analysis of the discovered vulnerabilities.

Binary analysis really shines when used in a hybrid fashion with source analysis. Source
code analysis can use more information about the intent and design of the software than binary analysis. But whenever an external library is called, including standard C/C++ libraries, source code analysis can’t tell if the use of the function is correct or not (assumptions are made, of course, for well-known functions like strcpy() ).

By combining source and binary analysis, a more complete analysis is possible. For example, if an external function takes a pointer to a buffer and a buffer overflow is possible with misused parameters, hybrid static analysis can detect this problem.

Information Flow and Tainted Data Analysis
Static analysis (binary and source-based) can track data flow through an application from
source to sink (where it is finally used). Tainted data, that which is unchecked or unfiltered, can create unwanted behavior and purposely disrupt a system.

Inducing buffer overflows, for example, by entering large strings as user input can be a safety and security hazard, if unchecked.

Binary analysis furthers this capability by continuing the data flow trace into binary code, where such analysis is impossible with source-only analysis.

Tool Chain Errors and Backdoors
Binary analysis augments static source code analysis by detecting tool-chain induced errors and vulnerabilities. Backdoors have been placed in C/C++ compilers in the past and remain virtually undetected for years.

The binary analysis allows developers to evaluate the results of source-based and binary results to make sure quality and security issues are not introduced by the toolchain.

Multiplatform Support
Binary analysis is hardware CPU architecture-dependent, as one would guess, given nature
of binary code. GrammaTech CodeSonar’s Binary Analysis supports both the x86 and ARM
platforms, which cover a large majority of embedded, mobile and embedded devices in the
marketplace.

Conclusion:
It’s critical that potential vulnerabilities, quality, and safety defects are detected and accounted for before code is used in a final product. Proper supply-chain risk management requires due diligence for reusing code, whether that’s in-house, free or open-source, or from commercial vendors.

The binary analysis provides an important tool for evaluating quality, security, and safety before it becomes part of your product.

About The Author
Bill Graham is a seasoned embedded software development manager with years of development, technical product marketing, and product management experience. Bill can be reached online at @Bill_Graham and at http://iot.williamgraham.ca.