Software tool analyses binary & source code to find 40% more defects
GrammaTech has announced the availability of CodeSonar 4.1, the latest version of the company’s industry-leading software analysis tool for C/C++, Java, and binaries. Built to deliver unmatched depth of analysis, the latest version of CodeSonar includes distributed analysis capabilities, deeper tainted data analysis, and binary analysis support for x64 processors.
Combined, these advances will help developers build more stable and secure code in the IoT era, where a growing number of embedded software systems are networked enabled in sometimes unpredictable and often unsecure ways.
CodeSonar is suitable for zero-defect tolerance embedded environments, because it analyses both source and binary code to identify serious security and quality liabilities that cause system crashes, memory corruption, data races, and other unexpected vulnerabilities.
With its Deeper Tainted Data Analysis, Grammatech has substantially increased the precision of its taint analysis capabilities, which includes tainted buffer access and indirect function call checkers. Analysing indirect function calls more precisely is invaluable in discovering serious security vulnerabilities such as the recent Heartbleed bug.
Through research funded by the Department of Homeland Security, CodeSonar now distributes static analysis processing across a large numbers of heterogeneous machines (such as Linux, Windows, and Unix simultaneously). This development has the potential to speed up the analysis phase in proportion to the number of processors in the analysis pool, and gives developers the flexibility to turn up the depth of their analysis to find more critical defects.
As the only commercial static analysis tool with binary code analysis, the 4.1 release adds the ability to analyse 64-bit Intel MPU code. As a result, more development teams will have access to GrammaTech’s binary analysis to ensure that their third-party code meets internal security and quality standards. Analysing binary code alongside source code with CodeSonar has been shown to find 40% more defects than when source code alone was analysed (programmes tested were a mix of 75% source and 25% binary code).
The rapid rise of third-party code has brought efficiency to development teams, but third-party binaries must also be rigorously tested if they are to stand up to security and quality standards. As the pressures and liabilities of Software Supply Chain Management (SSCM) continues to increase, embedded teams must investigate both source code and binaries to ensure consumer safety.
“Embedded systems continue to require better protection against cyber-attacks and quality lapses,” said Paul Anderson, Vice President of Engineering, GrammaTech. “With CodeSonar 4.1’s features, developers can more easily identify bugs that are buried deep within complex code bases or hidden in third-party code.”
“Time-to-market pressures, increased adoption of standards-based technology, and the rise of system complexity will continue to drive the growth of third-party binary code use in embedded engineering organisations in the coming years,” added André Girard, Senior Analyst, VDC Research. “It will be critical for these organisations to utilise effective tools, such as the combination of static and binary analysis, to avoid the introduction of quality and security issues.”