Static analysis engine now includes binary analysis for ARM

8th March 2016
Nat Bowers

GrammaTech has announced expansion of CodeSonar’s static analysis engine to include binary analysis for ARM, the dominant processor of the IoT. CodeSonar is the only commercially-available static analysis tool on the market to provide binary analysis, allowing engineering teams to analyse application software, middleware and firmware.

Analysing machine code has become extremely important in the expanding world of the IoT, where deployed devices are subjected to countless cyber-attacks. Furthermore, according to VDC’s most recent report, in-house developed code now accounts for only 54% of a device’s software makeup. The remainder comes from commercial and open-source third parties and is riddled with risk, including software of uncertain provenance.

“The IoT isn’t coming – it’s here,” said Marc Brown, CMO and Vice President of Sales, GrammaTech. “Leaving third-party code unverified isn’t an option anymore. Today’s devices are exponentially more complex, dependent on globally developed third-party software and needing to comply with stringent safety and security requirements, all within today’s fast-paced connected economy. Teams can’t afford to ignore binary analysis anymore. The risks and liabilities are too high.”

Today’s systems are at significant risk when it is not known exactly what defects and vulnerabilities lie within OSes, drivers, middleware or supplier applications. CodeSonar’s binary analysis allows you to analyse your x86 or ARM system via binary-only or mixed-mode analysis, identifying both source and binary defects hazardous to your device.

CodeSonar’s analysis tracks potentially hazardous input data, to further mitigate risks from third-party and open-source code. With binary analysis, CodeSonar can identify potentially exploitable data flows within an application, or between the application and its libraries and drivers, so tainted inputs can be tracked not only through your own code but also into and out of components you did not write yet depend on (as the many users of OpenSSL discovered when the Heartbleed vulnerability came to light). Results of this analysis can be superimposed on a high-level graphical visualisation of the architecture of the whole system, allowing engineers to see those notoriously hard-to-find tainted data pathways.

By analysing the machine code, teams can find anomalies that do not exist in the source, introduced by unexpected build optimisations or by backdoors inserted through the build tool chain.
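One concrete instance of the source/binary divergence described above, as an added example that is not part of the article or of CodeSonar: a memset() that clears a key just before the buffer goes out of scope is a dead store that an optimising compiler is entitled to drop, so the clearing exists in the source but not necessarily in the binary. The key bytes and message are constructed for the demonstration, and secure_zero, tag_naive and tag_secure are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Constructed demonstration "key"; not a real secret. */
static void fill_key(unsigned char key[32]) {
    for (size_t i = 0; i < 32; i++) key[i] = (unsigned char)(0xA5 ^ i);
}

/* Toy keyed mixing so the key is actually used before it is cleared. */
static unsigned mix(const unsigned char *msg, size_t len, const unsigned char key[32]) {
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) sum = sum * 31u + (msg[i] ^ key[i % 32]);
    return sum;
}

/* Source-level intent: use the key, then clear it before the frame is
 * released. Nothing reads key after the memset, so the compiler may treat
 * it as a dead store and omit it; the binary then differs from the source. */
unsigned tag_naive(const unsigned char *msg, size_t len) {
    unsigned char key[32];
    fill_key(key);
    unsigned sum = mix(msg, len, key);
    memset(key, 0, sizeof key);          /* may be absent from the binary */
    return sum;
}

/* Hardened form: call memset through a volatile function pointer, so the
 * compiler cannot assume the call has no observable effect and must keep it. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) { memset_v(p, 0, n); }

unsigned tag_secure(const unsigned char *msg, size_t len) {
    unsigned char key[32];
    fill_key(key);
    unsigned sum = mix(msg, len, key);
    secure_zero(key, sizeof key);        /* retained at every optimisation level */
    return sum;
}

/* Fills a buffer, clears it with secure_zero and returns how many bytes are
 * still non-zero (the buffer is inspected afterwards, so this is checkable). */
size_t zero_check(void) {
    unsigned char b[16];
    memset(b, 0x5A, sizeof b);
    secure_zero(b, sizeof b);
    size_t c = 0;
    for (size_t i = 0; i < sizeof b; i++) c += (b[i] != 0);
    return c;
}
```

Both tag functions compute the same value; only the retained clearing differs, and that difference is visible in the compiled object, not in the source.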

CodeSonar’s binary analysis support will be available in Q2 2016, supporting static analysis for Intel x86 and x64 as well as ARM (including support for Thumb mode).
