DocumentCode
665713
Title
Static analysis of machine code for supply-chain risk management
Author
Anderson, Patrick ; Loginov, Alexey
Author_Institution
GrammaTech, Inc., Ithaca, NY, USA
fYear
2013
fDate
12-14 Nov. 2013
Firstpage
704
Lastpage
709
Abstract
This paper discusses the product-oriented approach to software supply-chain risk management: determining the trustworthiness of software applications, or the relative trustworthiness among a set of software applications, based on automated analysis and inspection of their actual binary machine code. The system, named CodeSonar™ for binaries, is a static-analysis tool that can find security vulnerabilities in stripped and optimized executables. It is built as an extension of a successful product for analyzing source code, so it is also capable of analyzing source and machine code simultaneously. It can find defects such as buffer overruns, null pointer dereferences, resource leaks, and uninitialized variables.
Keywords
program diagnostics; risk management; software development management; supply chain management; trusted computing; CodeSonar system; binary machine codes; buffer overruns; machine code; null pointer dereferences; product-oriented approach; relative trustworthiness; resource leaks; security vulnerabilities; software applications; software supply-chain risk management; source code analysis; static analysis tool; trustworthiness determination; uninitialized variables; Abstracts; Libraries; Optimizing compilers; Organizations; Risk management; Security; machine code; security vulnerabilities; static analysis; supply-chain risk management
fLanguage
English
Publisher
ieee
Conference_Titel
Technologies for Homeland Security (HST), 2013 IEEE International Conference on
Conference_Location
Waltham, MA
Print_ISBN
978-1-4799-3963-3
Type
conf
DOI
10.1109/THS.2013.6699090
Filename
6699090