GrammaTech, a leading provider of software assurance, hardening, and cyber-security solutions, today announced expansion of CodeSonar’s static analysis engine to include binary analysis for ARM, the dominant processor of the Internet of Things (IoT). CodeSonar is the only commercially available static analysis tool on the market to provide binary analysis, allowing engineering teams to analyze application software, middleware, and firmware.
Analyzing machine code has become extremely important in the expanding world of IoT, where deployed devices are subjected to countless cyber-attacks. Furthermore, according to VDC’s most recent report, in-house developed code now accounts for only 54% of a device’s software makeup. The remainder comes from commercial and open-source third parties and is riddled with risk, including software of uncertain provenance.
“The Internet of Things isn’t coming – it’s here,” said Marc Brown, CMO and VP of Sales at GrammaTech. “Leaving third-party code unverified isn’t an option anymore. Today’s devices are exponentially more complex, dependent on globally developed third-party software and needing to comply with stringent safety and security requirements, all within today’s fast-paced connected economy. Teams can’t afford to ignore binary analysis anymore. The risks and liabilities are too high.”
Analyze Third-Party Code with CodeSonar’s Binary Analysis
Today’s systems are at significant risk without knowing exactly what defects and vulnerabilities may lie within operating systems, drivers, middleware, or supplier applications. CodeSonar’s binary analysis allows you to analyze your x86 or ARM system via binary-only or mixed-mode analysis, identifying both source and binary defects hazardous to your device.
Track Information Flows with CodeSonar’s Tainted Data Analysis
CodeSonar’s analysis tracks potentially hazardous input data, to further mitigate risks from third-party and open-source code. With binary analysis, CodeSonar can identify potentially exploitable data flows within an application, or between the application and its libraries and drivers — so you can track potentially tainted inputs not just throughout your own code but also into or out of code you did not write but that is critical to your functional flow (as the many users of OpenSSL discovered when the Heartbleed vulnerability came to light). Results of this analysis can be superimposed on a high-level graphical visualization of the architecture of the whole system, allowing engineers to see those notoriously hard-to-find tainted data pathways.
Identify Tool-Chain-Induced Vulnerabilities or Backdoors
By analyzing the machine code, teams can find anomalies that do not exist in the source but were introduced by unexpected build optimizations, or backdoors inserted by the build tool chain.
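As an added illustration of an optimization-induced defect of this kind (example code written for this page, not GrammaTech's or CodeSonar's own), the classic case is a dead-store-eliminated scrub: the source clears a key buffer with memset, but because the buffer is never read again an optimizing compiler may legally drop the call, so the secret remains in stack memory and only the machine code reveals the missing clear. The key bytes and the volatile-based secure_zero() below are constructed for the example.

```c
/* Added example: a scrub that looks correct in source but may be dead-store
 * eliminated at -O2, next to a scrub the compiler must keep. The key material
 * is constructed; secure_zero() is a hypothetical helper, not a library API. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Writes through a volatile pointer are side effects and cannot be elided. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Constructed key material: byte i holds the value i. */
static void fill_key(uint8_t *key, size_t n) {
    for (size_t i = 0; i < n; i++) key[i] = (uint8_t)i;
}

/* Simulated use of the key: an 8-bit wrapping sum of its bytes. */
static uint8_t use_key(const uint8_t *key, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc = (uint8_t)(acc + key[i]);
    return acc;
}

/* Source reads fine, but the final memset is a dead store: nothing reads
 * key afterwards, so the optimizer may remove it and leave the key behind. */
uint8_t handle_secret_unsafe(void) {
    uint8_t key[32];
    fill_key(key, sizeof key);
    uint8_t r = use_key(key, sizeof key);
    memset(key, 0, sizeof key);            /* may not survive into the binary */
    return r;
}

/* Same logic with a scrub that survives optimization. */
uint8_t handle_secret_safe(void) {
    uint8_t key[32];
    fill_key(key, sizeof key);
    uint8_t r = use_key(key, sizeof key);
    secure_zero(key, sizeof key);          /* volatile stores are kept */
    return r;
}

/* Fill a buffer, scrub it with secure_zero(), and count surviving bytes. */
int bytes_left_after_scrub(void) {
    uint8_t buf[32];
    fill_key(buf, sizeof buf);
    secure_zero(buf, sizeof buf);
    int left = 0;
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i] != 0) left++;
    return left;
}
```

Both handlers compute the same result; the difference is visible only in the compiled output, which is exactly where a source-only analysis stops looking.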
CodeSonar’s binary analysis support will be available in Q2, supporting static analysis for Intel x86 and x64 as well as ARM (including support for Thumb mode).