Managing Third-Party Code Security and Quality with Binary AnalysisMarch 1, 2017 Tweet
According to VDC Research, 45% of embedded projects involve outsourcing product development. The use of outsourced and open source code, commercial software (COTS), legacy source, and binary code is increasing each year (e.g. VDC claims that embedded Linux will be the embedded operating system of choice for 64.7% of all embedded shipments by 2017). Although commonplace today, third party software becomes a software supply chain that is often ignored. Part of the reason is the lack of sufficient technology to analyze and understand the impact of this software on the overall quality and security of the finished products.
Of course, quality has been the paramount concern, but security is becoming equally important. With this increased risk from outside (and inside, legacy) software sources, it's important to leverage technologies developed to analyze and fix vulnerabilities in software. Static analysis can now provide insight into third-party code, even in binary form, lending a great aid to supply chain risk management.
- Eliminating Vulnerabilities in Third-Party Code with Binary Analysis
- Outsourced Code Development Driving Automated Test Tool Market
- Security Assurance for IoT Devices - Assessing third party code
Reuse is Good
Reinventing the wheel has never been productive. Buying versus building often favors re-use, whether through open source or COTS solutions. Projects are rarely greenfield developments, so legacy code and reusing other corporate assets are a reality. Some common uses include enabling an application to communicate via the Internet or wirelessly with other applications, to manage, optimize, monitor, and back-up databases and standard libraries that include definitions for commonly used algorithms, data structures, and mechanisms for input and output.
With the benefits of re-use, there is the risk of security vulnerabilities hiding in the code. Your end customer is going to hold your company responsible for the product regardless of where your source comes from! Evaluating the quality and security of existing source and binaries (libraries, object files, executables, and dynamic link libraries) is a particular strength of static analysis tools.
Security as a New Risk Factor
Security has become an increasingly important consideration when reusing in-house code, COTS, or open source software. Security design, coding, and testing often falls outside the expertise of managers and developers in embedded software, since it requires a unique set of skills. In addition, security is rarely top-of-mind when managing third-party code, which could be operating systems, libraries, or open source software. Evaluating these outside sources of software is time-consuming and costly. Automated tools such as static analysis can alleviate this.
Static Analysis for Assessing Third Party Code
Static analysis tools provide quality and security assessments of code without extensive hands-on testing or understanding of the code or source. Security vulnerabilities and serious bugs can be detected and analyzed for cause and effect. Detailed reports can be sent to software vendors or internal teams for reparation.
Of course, static analysis tools should also become part of the regular development cycle on newly-developed code as well. Combining the analyses from various sources provides a barometer of product quality and security. Unique binary code analysis technology from GrammaTech gives organizations insight into binary code from third parties, a great addition to a quality assurance toolset.
Binary Code Analysis
GrammaTech's binary analysis technology is built into CodeSonar. It can evaluate object and library files for quality and security vulnerabilities, augmenting static source code analysis by detecting tool-chain induced errors and vulnerabilities. It can also be used to evaluate the correct use of library functions from the calling source into a binary object, making the combination of source and binary analysis a very powerful tool indeed.
Although the possibility of investigating and fixing issues found in third-party code is often limited, binary analysis does provide a bellwether of the quality and security of the code. Customers of commercial off-the-shelf (COTS) products can go back to technical support of the vendor and ask for confirmation and analysis of the discovered vulnerabilities. The key here is that the product vulnerability is better understood -- third-party software with a large number of security issues found using binary analysis must be dealt with appropriately either internally or through negotiation with a software vendor.
Binary and Source Hybrid Analysis
Binary analysis really shines when used in a hybrid fashion with source analysis. Source static analysis has much more information about the intent and design of the software than binary analysis. However, whenever an external library is called, including standard C/C++ libraries, static analysis can't tell if the use of the function is correct or not (assumptions are made, of course, for well known functions like strcpy() ). By combining source and binary analysis, a more complete analysis is possible. For example, if an external function takes a pointer to a buffer and a buffer overflow is possible with misused parameters, hybrid static analysis can detect this problem.
Software development success depends on smart decision making, including build-versus-buy decisions for software. Bringing in outside source and binary code has its risks, and proper management of risk in terms of safety and security is required in order to bring a product to market. Combined with source-based static analysis, binary code analysis technology provides a practical way to assess third-party binaries and libraries. To make good on the benefits of software re-use while managing software supply chain risks, static analysis reduces the risk and cost of leveraging existing software.