Binary Software Composition Analysis

Securing the Modern Software Stack

Do you integrate third party software into your applications or products?

Do you know if KNOWN vulnerabilities exist in this third party software?

To shorten time to market and meet cost constraints, software development organizations turn to third party software to augment their custom development. In fact, at least 90% of corporations use third party software, and 95% of the proprietary or custom software applications they create contain third party components. Today's software stack includes open source software as well as purchased software, either developed specifically for an application or bought commercially off the shelf (COTS). This purchased software often contains open source components unknown to the organization, because it is delivered in binary form.


Third-party software is here to stay; however, at least 42% of applications contain a component with a known, high risk security vulnerability [1]. Software reuse delivers the productivity gains organizations rely on, but it also carries significant risk.

To complement their own custom application or product development, modern software development programs draw on many external sources to minimize time to market and to fill skills or capabilities they may not have in house. There are three main sources of this third party software:

  • Open Source Software (OSS) – software that uses an open development process and is licensed to include the source code.
  • Commercial off-the-shelf software (COTS) – software purchased from a vendor, often without any need for customization. If open source is used in this software, it is likely unknown to the licensee. Delivered in binary form.
  • Contracted software – software delivered for a particular application or set of applications, typically by contracted vendors working from a specification. Open source usage may or may not be disclosed upon delivery. Also delivered in binary form.

To understand the entire threat spectrum, organizations need to inventory and resolve all the known open source vulnerabilities in the entire stack, including those in open source components that arrive embedded in COTS and contracted software. The software stack is represented below:


GrammaTech SCA

Binary Software Composition Analysis (SCA) is more reliable than traditional source based SCA because it analyzes the actual code that will run, not the build environment. This significantly reduces false positives caused by superfluous code in the build tree and by components that are excluded by the build configuration, and it still works in the many cases where source is simply not available.

GrammaTech CodeSentry: Binary Software Composition Analysis

CodeSentry is derived from GrammaTech's binary code analysis research. This technology achieves deep, scalable analysis without the need for source code and is suitable for enterprise wide adoption. Binary analysis is both efficient and less error prone than conventional SCA tools, and CodeSentry's high precision and recall result in fewer missed vulnerabilities and fewer false positives. The key advantage of CodeSentry is the ability to interrogate, at the binary level, both open source software and the third-party software that is now so commonly used.

Recent Vulnerability Examples


Ripple20 is a set of 19 vulnerabilities in the Treck TCP/IP stack; four of them are rated critical, with CVSS scores over 9, and enable remote code execution. These vulnerabilities impact devices from a wide variety of vendors, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter and many more, across the medical, industrial, transportation, oil & gas and other industries.

Urgent/11 is a set of vulnerabilities in the IPnet stack originally developed by Interpeak AB. Six of these vulnerabilities are critical and enable remote code execution. It affects real-time operating systems from ENEA, Green Hills, Microsoft, Mentor and Wind River, and therefore possibly billions of devices in the medical, industrial, automotive, aerospace and defense industries.

The famous Heartbleed bug, reported as CVE-2014-0160, is a serious vulnerability in the OpenSSL cryptographic software library. While many systems have been patched, there are still vulnerable systems out in the wild. The impact of the Heartbleed bug is significant, as it can easily be used to leak confidential information over unprotected network connections.
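As an added illustration of the inventory-and-match step described above (example code written for this page, not GrammaTech's code or CodeSentry's method), the Python below scans constructed sample binaries for embedded library version banners and checks each component against a constructed advisory table that contains Heartbleed. Real binary SCA matches compiled code signatures rather than text banners, so the banner regex and the version parser are simplifying assumptions.

```python
import re

# Constructed sample artifacts standing in for binaries delivered without source
# (a COTS library, a contracted firmware image). OpenSSL compiles its version
# banner into libcrypto/libssl, so it survives in the shipped bytes.
SAMPLE_BINARIES = {
    "vendor_gateway.bin": b"\x7fELF\x02\x01\x01\x00OpenSSL 1.0.1f 6 Jan 2014\x00zlib 1.2.8\x00",
    "updated_gateway.bin": b"\x7fELF\x02\x01\x01\x00OpenSSL 1.0.1g 7 Apr 2014\x00",
}

# Known-vulnerability table, constructed for the example. Heartbleed (CVE-2014-0160,
# cited above) affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
# Entry: (component, first affected version, last affected version, advisory id)
KNOWN_VULNS = [("OpenSSL", "1.0.1", "1.0.1f", "CVE-2014-0160")]

# Version banners to look for in the raw bytes of the artifact (assumed format).
BANNER_RE = re.compile(rb"(OpenSSL|zlib) (\d+\.\d+\.\d+[a-z]?)")


def version_key(version):
    """Turn '1.0.1f' into (1, 0, 1, 'f') so OpenSSL letter releases order correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def extract_components(blob):
    """Inventory (component, version) pairs embedded in the shipped binary itself."""
    found = []
    for name, version in BANNER_RE.findall(blob):
        pair = (name.decode(), version.decode())
        if pair not in found:
            found.append(pair)
    return found


def matching_vulns(name, version):
    """Advisory ids whose affected range covers this exact component version."""
    key = version_key(version)
    return [vid for comp, lo, hi, vid in KNOWN_VULNS
            if comp == name and version_key(lo) <= key <= version_key(hi)]


def scan(binaries):
    """Map each artifact to its (component, version, advisory) findings."""
    return {filename: [(name, ver, vid)
                       for name, ver in extract_components(blob)
                       for vid in matching_vulns(name, ver)]
            for filename, blob in binaries.items()}
```

Because the scan reads the shipped artifact rather than a build tree, a library that the build configuration excluded never appears in the inventory, which is the false-positive reduction the section above describes.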

Source SCA vs Binary SCA
