The security and prosperity of the nation are increasingly dependent on information systems. They are critical to the operation of our civil infrastructures, as well as the armed services. The need to ensure the security of these systems is of paramount importance.
Software security is compromised by both deliberate and inadvertent acts. Malicious code is code that has been intentionally added to or changed in a software system to cause harm or to subvert the intended function of the system. Examples of malicious code include time bombs, viruses, worms, and backdoors. Bugs are the unintended result of innocent human frailty, unsafe programming languages, and inadequate tool support, but bugs lead to exploitable vulnerabilities. Once an adversary has discovered an exploitable bug, its potential for harm is as great as that of malicious code inserted by an insider. Indeed, malicious code is often disguised to look like a run-of-the-mill bug, so that if it is ever noticed it is written off as an honest mistake and the perpetrator's tracks are covered.
Advanced static analysis can find both bugs and security vulnerabilities in code. GrammaTech's static-analysis system, CodeSurfer, is being applied to these problems. For example, the University of Wisconsin is using CodeSurfer in its Critical Infrastructure Protection, Adaptable Software (CIP/SW) University Research Initiative (URI) project, "Vulnerability and Information Flow Analysis for COTS". In this Office of Naval Research-sponsored CIP/SW project, Wisconsin is using CodeSurfer to develop techniques for detecting vulnerabilities in both C source code and x86 machine code (COTS binaries).
To facilitate software engineering and security applications like the Wisconsin work, GrammaTech is creating a premier toolkit for static program analysis. Under an Office of Naval Research (ONR) contract, we are building mechanisms and interfaces to support a language-independent, iterative, and programmable approach to organizing static program analyses and transformations of intermediate representations. Through the API, users of the system will be able to program their own custom static analyses: the toolkit supplies the intermediate representation, the control-flow and dependence structure, and the fixpoint iteration, while user code supplies the property being computed. The architecture is flexible; user code will access the API in whatever iteration scheme is most suitable for the application, be it code inspection, code understanding, bug detection, malicious-code detection, or another application.
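The following is an added illustration of the two ideas above, the point that an inadvertent bug and a backdoor disguised as one look alike to an analyzer, and the point that a programmable analysis API separates the fixpoint engine from the property a user wants computed. It is not CodeSurfer's API, its intermediate representation, or any GrammaTech or Wisconsin code; the tiny three-address IR, the Analysis interface (initial, join, transfer, report), the worklist engine and the three sample programs are all constructed here for the example. Two user-written analyses share one engine: a taint analysis that flags untrusted input reaching a store index, and a constant-propagation analysis that flags a security check whose outcome is fixed. The second sample encodes an `if (uid = 0)` that reads like a typo for `uid == 0` but leaves the deny arm dead.

```python
# Tiny programmable dataflow engine over a three-address IR. Added illustration
# only: the IR, the analysis interface and the sample programs are constructed
# here; none of it is CodeSurfer's API or code.
#
# IR forms:  ("input", dst)            dst := untrusted input
#            ("const", dst, literal)
#            ("assign", dst, src)
#            ("br_lt", a, b, label)    if a < b goto label ("taken") else fall through
#            ("label", name)
#            ("store", buf, idx, val)  buf[idx] := val     memory-safety sink
#            ("grant",)                privileged action   authorization sink
#            ("ret",)

def build_cfg(prog):
    """Map each pc to its successors [(next_pc, edge_kind)]."""
    labels = {ins[1]: pc for pc, ins in enumerate(prog) if ins[0] == "label"}
    succ = {}
    for pc, ins in enumerate(prog):
        if ins[0] == "ret":
            succ[pc] = []
        elif ins[0] == "br_lt":
            succ[pc] = [(labels[ins[3]], "taken"), (pc + 1, "fallthrough")]
        else:
            succ[pc] = [(pc + 1, None)]
    return succ

def run_forward(prog, analysis):
    """Worklist iteration to a fixpoint. The engine knows nothing about the
    property computed; the analysis object supplies initial(), join(),
    transfer() and report(). That split is what makes it programmable."""
    succ, state_in, work = build_cfg(prog), {0: analysis.initial()}, [0]
    while work:
        pc = work.pop()
        for nxt, edge in succ[pc]:
            out = analysis.transfer(state_in[pc], prog[pc], edge)
            merged = analysis.join(state_in.get(nxt), out)
            if nxt not in state_in or merged != state_in[nxt]:
                state_in[nxt] = merged
                work.append(nxt)
    return [f for pc, ins in enumerate(prog) if pc in state_in   # unreachable: skip
            for f in analysis.report(state_in[pc], pc, ins)]

class Taint:
    """User analysis 1: variables derived from untrusted input."""
    def initial(self):
        return frozenset()

    def join(self, a, b):
        return b if a is None else a | b

    def transfer(self, s, ins, edge):
        op, a = ins[0], ins[1:]
        if op == "input":
            return s | {a[0]}
        if op == "const":
            return s - {a[0]}
        if op == "assign":
            return s | {a[0]} if a[1] in s else s - {a[0]}
        if op == "br_lt" and edge == "taken" and a[1] not in s:
            return s - {a[0]}          # a < trusted bound is known on this edge
        return s

    def report(self, s, pc, ins):
        if ins[0] == "store" and ins[2] in s:
            return [(pc, f"unchecked input {ins[2]!r} indexes {ins[1]!r}")]
        return []

class Constants:
    """User analysis 2: variables holding one known literal (absent = unknown)."""
    _UNKNOWN = object()

    def initial(self):
        return {}

    def join(self, a, b):
        return dict(b) if a is None else {v: x for v, x in a.items()
                                         if b.get(v, self._UNKNOWN) == x}

    def transfer(self, s, ins, edge):
        s, op, a = dict(s), ins[0], ins[1:]
        if op == "const":
            s[a[0]] = a[1]
        elif op == "assign" and a[1] in s:
            s[a[0]] = s[a[1]]
        elif op in ("input", "assign"):
            s.pop(a[0], None)          # value no longer a known literal
        return s

    def report(self, s, pc, ins):
        if ins[0] == "br_lt" and ins[1] in s and ins[2] in s:
            return [(pc, f"branch always {s[ins[1]] < s[ins[2]]}: one arm is dead")]
        return []

def analyze(prog):
    """Run both user analyses; return [(pc, message)]."""
    return run_forward(prog, Taint()) + run_forward(prog, Constants())

# Constructed sample 1: inadvertent bug, input flows unchecked into a store index.
BUGGY = [("input", "n"), ("assign", "idx", "n"), ("const", "v", 1),
         ("store", "buf", "idx", "v"), ("ret",)]

# Same program with the bounds check the author forgot; no findings.
FIXED = [("input", "n"), ("const", "limit", 16), ("br_lt", "n", "limit", "ok"),
         ("ret",), ("label", "ok"), ("assign", "idx", "n"), ("const", "v", 1),
         ("store", "buf", "idx", "v"), ("ret",)]

# Constructed sample 2: `if (uid = 0)` that reads like a typo for `uid == 0`. The
# const clobbers the caller's uid, so the deny arm is dead and grant always runs.
BACKDOOR = [("input", "uid"), ("const", "uid", 0), ("const", "zero", 0),
            ("br_lt", "zero", "uid", "deny"),   # intended: deny unless uid == 0
            ("grant",), ("ret",), ("label", "deny"), ("ret",)]

if __name__ == "__main__":
    for name, prog in (("BUGGY", BUGGY), ("FIXED", FIXED), ("BACKDOOR", BACKDOOR)):
        print(name, analyze(prog))
```

The engine reports the missing bounds check in BUGGY and the always-false check in BACKDOOR with the same machinery; nothing in either finding says whether the defect was a slip or an insertion, which is exactly why intent has to be judged by a human after the analysis has pointed at the spot. Adding a third property (an information-flow or dependence analysis, say) means writing another class against the same four-method interface, not touching the engine.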