October 2015
16
T
ools
& S
oftware
Modern static analysis tools are popular
because they have proven to be effective,
they are simple to introduce, and they can be
used by development, QA, and security audit
teams. Furthermore, in contrast to traditional
dynamic testing, the code analyzed is never
executed, so there is no additional test case
development overhead and static analysis can
be applied very early in the development pro-
cess. When programmers use static analysis as
soon as code is written, bugs and security vul-
nerabilities can be found and eliminated even
before the unit testing or integration testing
phases begin. The earlier a defect is found, the
cheaper it is to fix; this cost saving is a major
advantage of automated static analysis.
Fortunately, static analysis tools for source and
binary have the ability to detect vulnerabili-
ties before products are shipped, dramatically
reducing security threats and corporate expo-
sures that cost organizations several millions
of dollars. We’ve seen this numerous times
in the recent news, for example with Toyo-
ta’s unintended acceleration issue estimated
to cost $3 billion in addition to the brand’s
first black eye; with the potential safety haz-
ards arising from the recently-hacked Ucon-
nect vulnerability of the Jeep, affecting over
470,000 vehicles; and with the recent hack-
ing of several SCADA systems, most notably
the Stuxnet exploitation, used to attack and
destroy industrial equipment.
It’s simply unacceptable for development
teams today not to provide the added level
of software assurance needed that is available
with static analysis tools. CodeSonar can be
easily deployed for the cost of a developer’s
morning coffee and scone.
Over the last few years, third-party code has
moved from a minor factor in software devel-
opment to a dominant force in the industry.
It is now used throughout software develop-
ment in all applications, from highly sensitive
government applications to security-intensive
financial systems to safety-critical applica-
tions to consumer and mobile applications.
According to the latest report from VDC
Research, the majority of software that runs on
embedded devices is now developed by exter-
nal sources, not in-house development teams.
Some of this is open-source, but in embed-
ded applications, nearly 30% of code is third-
party commercial software – so the source is
often unavailable. Such components include
graphics toolkits, cryptography libraries, and
communications middleware (network, USB,
Bluetooth), which make up nearly 70% of the
common embedded attack vendors.
GrammaTech, leveraging over 10 years of col-
laborative research, has developed a binary
analysis capability to examine third-party
code without requiring access to source code.
This capability is fully integrated within our
proven static analysis tool, CodeSonar, the
first and only commercially-available binary
analysis product. CodeSonar binary analysis
technology provides developers with the abil-
ity to evaluate, check, and inspect third-party
code, and provides businesses with more
options within their supply chain, enabling
them to utilize software from new, innovative
companies that might not have an established
reputation. When source code is available, you
can use CodeSonar in mixed source/binary
mode, analyzing your complete application.
The days of developing a standalone appli-
cation are gone – the Internet of Things has
rapidly forced manufacturers to rethink how
their products will support today’s connected
economy, and changed the threat landscape
forever. Today reality is that there are edu-
cated attackers whose sole function is to break
into IoT systems for many reasons, including
fun, intellectual stimulation, profit, or worse,
offensive attacks and terrorism.
Software development teams must nowadays
adopt a robust secure design lifecycle, giving
them the insights and capability to get it right
first, to prevent these attackers from having a
chance at breaking in. A general rule of thumb
for teams to follow involves an end-to-end
threat assessment ,from a third-party audit
team, security-optimized designs, and securi-
ty-scanning tools, of source and binaries.
CodeSonar is ideal for zero-defect tolerance
embedded environments because it analyzes
both source and binary code to identify seri-
ous security and quality liabilities that cause
system crashes, memory corruption, data
races, and other unexpected vulnerabilities.
CodeSonar 4.1 includes new distributed anal-
Figure 1. CodeSonar static-analysis tool for source and binary have the ability to detect
vulnerabilities before products are shipped, dramatically reducing security threats and corporate
exposures
Figure 2. The precision of CodeSonar taint analysis capabilities has substantially increased, which
includes new tainted buffer access and indirect function call checkers
