Page 8 - Cyber Warnings
The Advantages of Hybrid Source and Binary Static Analysis for Security Vulnerability Detection

by Bill Graham, Technical Marketing Specialist, GrammaTech


Introduction
Binary code static analysis is a recent innovation, introduced in 2013. Before then, the only
option for analyzing binaries was to ship your code to specialists, who would analyze it and send it
back to you with a list of problems. Bringing a commercial binary analysis tool to market
enabled our customers to keep their code in-house and to factor binary-only code (such as linked
libraries and other third-party code) into their safety and security analysis from the beginning of development.

Within CodeSonar, binary and source analysis can be done simultaneously on a development
project, and the resulting hybrid mode analysis (we call it "mixed mode" at GrammaTech) has
many advantages over source-only analysis. In this post, I look at how having both is a clear
advantage in analyzing and remediating security vulnerabilities and software defects.

An Insider Attack
A rather nasty exploit was discovered in the open source project Unreal IRCD, as reported in
CVE-2010-2075. In this case, external data received over a socket connection is used
unchecked to execute system commands – a textbook command injection vulnerability. Figures 1
and 2 show the source code in question in the read_packet() function.

Figure 1: CodeSonar error report warning that data read from a connected socket is stored in readbuf.
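The socket-to-system() path described above is exactly the kind of taint flow a static analyzer reports. As an added illustration (not CodeSonar's implementation and not code from the article), here is a toy intraprocedural taint analysis run over a constructed, simplified version of that flow: recv, strcat and system model the source, the propagation step and the sink, and allowlist_lookup is a hypothetical sanitizer that maps input to a fixed command.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Assumed analysis model (constructed): functions returning attacker-controlled
# data, functions whose arguments must never be tainted, and a hypothetical
# sanitizer that maps input to a fixed, trusted command.
TAINT_SOURCES = {"recv", "read"}
COMMAND_SINKS = {"system", "popen"}
SANITIZERS = {"allowlist_lookup"}

@dataclass
class Stmt:
    dest: Optional[str]    # variable assigned, or None for a bare call
    func: str              # called function
    args: Tuple[str, ...]  # argument variable names

def analyze(stmts: List[Stmt]):
    """Flag each sink call fed by tainted data; return (line, sink, var, path)."""
    tainted = {}   # variable -> statement lines along which the taint travelled
    findings = []
    for line, st in enumerate(stmts, 1):
        if st.func in COMMAND_SINKS:
            for a in st.args:
                if a in tainted:
                    findings.append((line, st.func, a, tainted[a] + [line]))
            continue
        if st.dest is None:
            continue
        if st.func in TAINT_SOURCES:
            tainted[st.dest] = [line]                   # taint enters here
        elif st.func in SANITIZERS:
            tainted.pop(st.dest, None)                  # result is trusted again
        elif any(a in tainted for a in st.args):
            src = next(a for a in st.args if a in tainted)
            tainted[st.dest] = tainted[src] + [line]    # taint propagates
        else:
            tainted.pop(st.dest, None)                  # overwritten with clean data
    return findings

# Constructed stand-in for the read_packet() flow: socket data lands in readbuf,
# is concatenated into cmd, and reaches system() unchecked.
VULNERABLE = [
    Stmt("readbuf", "recv", ("sock",)),
    Stmt("cmd", "strcat", ("prefix", "readbuf")),
    Stmt(None, "system", ("cmd",)),
]
# Same shape, but the input only selects an entry from a fixed command table.
HARDENED = [
    Stmt("readbuf", "recv", ("sock",)),
    Stmt("cmd", "allowlist_lookup", ("readbuf",)),
    Stmt(None, "system", ("cmd",)),
]
```

analyze(VULNERABLE) returns one finding for the system() call at statement 3 with the path [1, 2, 3], which is the readbuf-to-cmd-to-system() chain the article's figures walk through; analyze(HARDENED) returns none because the sanitizer breaks the chain.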

8 Cyber Warnings E-Magazine January 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
