DocumentCode :
665713
Title :
Static analysis of machine code for supply-chain risk management
Author :
Anderson, Patrick ; Loginov, Alexey
Author_Institution :
GrammaTech, Inc., Ithaca, NY, USA
fYear :
2013
fDate :
12-14 Nov. 2013
Firstpage :
704
Lastpage :
709
Abstract :
This paper discusses the product-oriented approach to software supply-chain risk management: a determination of the trustworthiness of software applications, or the relative trustworthiness among a set of software applications, based on automated analysis and inspection of their actual binary machine codes. The system, named CodeSonar™ for binaries, is a static-analysis tool that can find security vulnerabilities in stripped and optimized executables. It is built as an extension to a successful product for analyzing source code, so it is also capable of analyzing source and machine code simultaneously. It can find defects such as buffer overruns, null pointer dereferences, resource leaks, and uninitialized variables.
Keywords :
program diagnostics; risk management; software development management; supply chain management; trusted computing; CodeSonar system; binary machine codes; buffer overruns; machine code; null pointer dereferences; product-oriented approach; relative trustworthiness; resource leaks; security vulnerabilities; software applications; software supply-chain risk management; source code analysis; static analysis tool; trustworthiness determination; uninitialized variables; Abstracts; Libraries; Optimizing compilers; Organizations; Risk management; Security; machine code; security vulnerabilities; static analysis; supply-chain risk management;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Technologies for Homeland Security (HST), 2013 IEEE International Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4799-3963-3
Type :
conf
DOI :
10.1109/THS.2013.6699090
Filename :
6699090