Well, since I am mentioned in the excerpt, I will wade in.  I don't think
binary analysis and source analysis are all that different.  Both
approaches convert to an intermediate representation and then run checkers
on a model.  Source code analyzers use compiler technology to get to the
IR and binary analyzers use decompiler technology.  I would like to point
out that the binary doesn't need to be machine code; it can be Java byte
code or .NET's MSIL.  FindBugs and FxCop operate on binaries, so the
approach is not all new.

The big benefit I see to using binary analysis on machine code is modern
development teams don't write a whole program from scratch.  They often
link in a lot of binary code in the form of static and dynamic libraries.
These are either in-house shared components, 3rd party libraries, or
libraries from platform providers.  This code can have vulnerabilities
itself or cause vulnerabilities in the way it interacts with the
code the development team has written.

Now some may be asking what happens when you find a vulnerability through
binary analysis?  How do you fix it?  The answer is to use debug symbols
to find the source file and line number associated with the binary offset
of the problem.  Yes, you may not have the symbols for a binary component
you link, but once you know where and what the problem is you can often
work around it in your code.  I think binary analysis gives you more
information to use to secure software.

Of course design reviews are important for many programs.  Static analysis
is just one piece to the SDLC.  Good software requires good design and
good quality assurance.  Same goes for secure software.  It requires
secure design and secure testing.  That is where I see binary analysis
fitting in.

-Chris

On Mon, 22 Jan 2007, Kenneth Van Wyk wrote:

> Ok, last software security news item for today, I promise.  :-)  This
> article (see
> http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1)
> is about a couple of new startup companies.  One of them in
> particular, Veracode, may be of some interest here.  The article
> says, "Veracode, founded by Chris Wysopal and other former executives
> of @stake, is now offering patented binary-code analysis of software
> for enterprises that want to analyze their software's security on a
> regular basis. The ASP will also offer security reviews of enterprise
> products and security analysis of third-party apps for software
> developers."
>
> The article also provides some counterpoints, including some from
> Gary McGraw, that are worth reading.  Among other things, Gary says,
> "However, if you want real security analysis you have to go past the
> binary, past the source code, and actually consider the design."
>
> Opinions on binary vs. source code (and design!) analysis, anyone?
>
> Cheers,
>
> Ken
> -----
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
