Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

[weld at vulnwatch.org (Chris Wysopal)]

Well since I am mentioned in the excerpt I will wade in.  I don't think
binary analysis and source analysis are all that different.  Both
approaches convert to an intermediate representation and then run checkers
on a model.  Source code analyzers use compiler technology to get to the
IR and binary analyzers use decompiler technology.  I would like to point
out that the binary doesn't need to be machine code, it can be java byte
code or .Net's MSIL.  Findbugs and FxCop operate on binaries so the
approach is not all new.

The big benefit I see to using binary analysis on machine code is modern
development teams don't write a whole program from scratch.  They often
link in a lot of binary code in the form of static and dynamic libraries.
These are either in house shared components, 3rd party libraries, or
libraries from platform providers.  This code can have vulnerabilities
themselves or cause vulnerabilities in the way they interact with the
code the development team has written.

Now some may be asking what happens when you find a vulnerability through
binary analysis?  How do you fix it?  The answer is to use debug symbols
to find the source file and line number associated with the binary offset
of the problem.  Yes, you may not have the symbols for a binary component
you link but once you know where and what the problem is you can often
work around it in your code.  I think binary analysis gives you more
information to use to secure software.

Of course design reviews are important for many programs.  Static analysis
is just one piece to the SDLC.  Good software requires good design and
good quality assurance.  Same goes for secure software.  It requires
secure design and secure testing.  That is where I see binary analysis
fitting in.

-Chris

On Mon, 22 Jan 2007, Kenneth Van Wyk wrote:

> Ok, last software security news item for today, I promise.  :-)  This
> article (see
> http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1)
> is about a couple of new startup companies.  One of them in
> particular, Veracode, may be of some interest here.  The article
> says, "Veracode, founded by Chris Wysopal and other former executives
> of @stake, is now offering patented binary-code analysis of software
> for enterprises that want to analyze their software's security on a
> regular basis. The ASP will also offer security reviews of enterprise
> products and security analysis of third-party apps for software
> developers."
>
> The article also provides some counterpoints, including some from
> Gary McGraw, that are worth reading.  Among other things, Gary says,
> "However, if you want real security analysis you have to go past the
> binary, past the source code, and actually consider the design."
>
> Opinions on binary vs. source code (and design!) analysis, anyone?
>
> Cheers,
>
> Ken
> -----
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com