IN THE NEWS
GrammaTech has been selected by the Defense Advanced Research Projects Agency (DARPA) to leverage its binary analysis innovations in the agency’s high-profile VET program.
The VET program seeks to help U.S. government agencies address the threat of malicious code in phones, routers, computers, and other networked devices. Under the VET program, GrammaTech is developing tools that will leverage machine code analysis in order to examine the software and firmware used in these IT devices. This new technology will be able to confirm the absence of broad classes of vulnerabilities in the IT devices with absolute certainty.
CodeSonar is the first commercially available static analysis product with the capability to analyze binary machine code and stripped executables. It is also the most aggressive binary analysis technology available. Now you can find vulnerabilities in software even if you don't have access to the source code.
Because GrammaTech’s binary analysis technology doesn’t rely on debug or symbol-table information, it can examine the stripped binary executables that third-party software vendors typically ship. With this capability, the technology enables you to perform a security audit on software without any cooperation from the vendor.
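To make concrete what "stripped" means in the paragraph above, here is an added example (not GrammaTech's code and unrelated to how CodeSonar works internally) that walks the ELF64 section header table of a binary and reports whether a `.symtab` or any `.debug*` section is present. A defender receiving a vendor binary can run a check like this to learn up front that no symbol or debug information will be available for review. The sample ELF images are constructed in memory by `build_elf64`, which is a hypothetical helper written only for this example; the images are not loadable, they just carry enough structure to exercise the parser.

```python
import struct

SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3


def build_elf64(section_names):
    """Construct a minimal little-endian ELF64 image: header, a .shstrtab
    and a section header table. Constructed for this example only."""
    names = [""] + section_names + [".shstrtab"]   # index 0 is the null section
    shstrtab, offsets = b"", {}
    for n in names:                                # NUL-terminated name table
        offsets[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    ehdr_size, shentsize = 64, 64
    shoff = ehdr_size + len(shstrtab)
    pad = (-shoff) % 8                             # align the section table
    shoff += pad
    shnum, shstrndx = len(names), len(names) - 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff,
                                 0, ehdr_size, 0, 0, shentsize, shnum, shstrndx)
    shdrs = b""
    for n in names:
        if n == "":
            stype, off, size = SHT_NULL, 0, 0
        elif n == ".shstrtab":
            stype, off, size = SHT_STRTAB, ehdr_size, len(shstrtab)
        elif n == ".symtab":
            stype, off, size = SHT_SYMTAB, 0, 0
        else:
            stype, off, size = SHT_PROGBITS, 0, 0
        shdrs += struct.pack("<IIQQQQIIQQ", offsets[n], stype, 0, 0, off, size,
                             0, 0, 1, 0)
    return ehdr + shstrtab + b"\0" * pad + shdrs


def elf_section_names(data):
    """Return the section names of a little-endian ELF64 image, in table order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    shoff, = struct.unpack_from("<Q", data, 0x28)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = []
    for i in range(shnum):                                   # Elf64_Shdr entries
        name_off, stype, _flags, _addr, off, size = struct.unpack_from(
            "<IIQQQQ", data, shoff + i * shentsize)
        headers.append((name_off, stype, off, size))
    _, _, str_off, str_size = headers[shstrndx]              # section name table
    strtab = data[str_off:str_off + str_size]
    names = []
    for name_off, _stype, _off, _size in headers:
        end = strtab.index(b"\0", name_off)
        names.append(strtab[name_off:end].decode())
    return names


def symbol_info(data):
    """Report whether a symbol table or DWARF debug sections survive in the image.
    A binary with neither is what the text calls a stripped executable."""
    names = elf_section_names(data)
    has_symtab = ".symtab" in names
    has_debug = any(n.startswith(".debug") for n in names)
    return {"symtab": has_symtab, "debug": has_debug,
            "stripped": not has_symtab and not has_debug}


if __name__ == "__main__":
    for label, secs in (("unstripped", [".text", ".symtab", ".strtab", ".debug_info"]),
                        ("stripped", [".text"])):
        print(label, symbol_info(build_elf64(secs)))
```

To run the same check on a real file, pass `open(path, "rb").read()` to `symbol_info`. Note that `strip` removes `.symtab` and `.strtab` but leaves `.dynsym` in place, since the dynamic linker needs it, so a stripped shared object still exports its dynamic symbols; the check above deliberately ignores `.dynsym`, matching the sense in which the text uses "stripped".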
Take Charge of Supply Chain Risk Management (SCRM)
Software users need to be able to trust the products they are using, and software producers need to be able to trust the components they incorporate into their solutions. Achieving this trust is difficult because nearly every organization relies heavily on software developed elsewhere. Supply Chain Risk Management (SCRM) is required to assess software and build trust. SCRM approaches include:
1. Examining the origin of software and processes used to develop it.
2. Examining the software product directly.
Example buffer overrun detected by CodeSonar's binary analysis.
GrammaTech focuses on the second approach. Our static analysis technology examines both source code and binaries for vulnerabilities. Binary analysis, in particular, is a highly effective weapon against threats: it sidesteps the need to trust the development tools and process, and it is also effective against insider threats.
Analyze Third-Party Code
According to VDC Research, the majority of software that runs embedded devices is now developed by external sources, not in-house development teams. Some of this is open-source, but nearly 30% of code is third-party commercial software, so the source is often unavailable.
Because third-party software is commonly delivered only in executable form, it can’t be examined with commercially available static source code analysis tools. Without access to the source code, these tools cannot fully account for the security consequences of executing the third-party code in the application. By combining CodeSonar with advanced binary analysis capabilities, GrammaTech is providing developers with the power to inspect and evaluate this third-party software, all while reaping the benefits of CodeSonar’s advanced workflow options and management tools.
The binary analysis infrastructure in CodeSonar is the result of more than a decade of research, through collaboration with the University of Wisconsin and with support from the United States Navy, Air Force Research Labs (AFRL), and Defense Advanced Research Projects Agency (DARPA).
Sample CodeSonar Checks for Binary Code: