15 June 2016
GrammaTech CodeSonar® Binary Analysis
CodeSonar is the first and only commercially available tool on the market that offers binary analysis. Unlike conventional binary analysis services, CodeSonar does not require the code to be uploaded for analysis. It can be deployed on-site, which lets customers keep their software securely in their own hands.
CodeSonar offers two forms of binary analysis: a standalone analysis, and an analysis integrated with CodeSonar´s source code engine. The integrated binary analysis, known as Mixed Mode, is ideal for customers concerned about the robustness and security of their own software. It can also check third-party software for which source-code-level analysis is either unavailable or insufficient for the level of confidence needed.
Analyze Libraries with Mixed Mode
CodeSonar´s unique Mixed Mode, which integrates its binary analysis technology with its source code analysis technology, allows third-party libraries and your own code to be analyzed simultaneously.
- Review of your own code:
CodeSonar finds defects in your own code that are caused by misuse of libraries. These defects can occur because documentation is not always explicit, and there may be cases that the third-party library handles differently than expected.
- Review of own libraries:
CodeSonar finds defects in the libraries themselves that manifest in use. For instance, you might call their API with a particular value that should work, but doing so sometimes causes a memory leak.
- Review of third-party libraries:
CodeSonar audits the third-party library to make sure it doesn´t contain any important defects.
Defects in Third-Party Code
According to VDC Research, the majority of embedded software is developed by external sources. Some of this software is open source, but nearly 30% of the code is commercial software without readily available sources.
Because GrammaTech´s binary analysis technology doesn´t rely on symbol-table or debugging information, it can examine the stripped binary executables that third-party software vendors ship. CodeSonar's technology enables you to perform a security audit on software without any cooperation from the vendor.
Find and Fix Bugs
Machine code is well known to be complicated, subtle, and difficult to understand. Without sufficient help from an automated tool, finding flaws can be time-consuming. CodeSonar supports engineers by providing English-language explanations of each detected error at the specific point where it occurs.
The code visualization features provide a unique advantage for understanding where vulnerabilities exist. Multiple viewing options visualize metrics, defects, and sources of input data, so you can quickly gain a high-level understanding of the code.
Sample CodeSonar Checks for Binary Code:
- Buffer Overrun
- Command Injection
- Data Race
- Division by Zero
- Double Free
- Free Non-Heap Variable
- Free Null Pointer
- File System Race
- Format String
- Integer Overflow
- Null Pointer Dereference
- Resource Leak
- Shift Amounts Exceeds
- Unreasonable Size
- Use After Close/Free
- User-Defined Checks
- Use of Vulnerable Functions
- Many more...
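To illustrate two of the defect classes in the list above as they arise from the library-misuse case described under Mixed Mode, here is an added example in C. It is not CodeSonar's code and not a real library: lib_parse() and lib_lookup() are constructed stand-ins whose ownership and NULL-return behaviour a terse API document might leave implicit. Each defect pattern is shown next to its corrected form.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a third-party library; not a real API.
 * lib_parse() takes ownership of buf: on failure it frees buf itself and
 * returns -1, a detail a terse API document might leave implicit.
 * On success it leaves buf allocated, stores its length and returns 0. */
static int lib_parse(char *buf, size_t *out_len)
{
    if (buf == NULL || buf[0] == '\0') {
        free(buf);
        return -1;
    }
    *out_len = strlen(buf);
    return 0;
}

/* Constructed lookup: returns NULL when the key is absent. */
static const char *lib_lookup(const char *key)
{
    return strcmp(key, "present") == 0 ? "value" : NULL;
}

/* Copies a C string into a fresh heap buffer (portable strdup). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* ---- Defect patterns (the "before") ---- */

/* Null Pointer Dereference: the lookup result is used without a check.
 * Works for a present key; dereferences NULL for an absent one. */
size_t lookup_length_unchecked(const char *key)
{
    const char *v = lib_lookup(key);
    return strlen(v);
}

/* Double Free: the caller frees buf after lib_parse() already freed it
 * on the failure path. Correct for non-empty input, a double free for "". */
long parse_length_double_free(const char *input)
{
    size_t len = 0;
    char *buf = dup_string(input);
    if (buf == NULL) return -1;
    int rc = lib_parse(buf, &len);
    free(buf);                      /* second free when rc == -1 */
    return rc == 0 ? (long)len : -1;
}

/* ---- Corrected forms (the "after") ---- */

/* Returns the value length, or -1 when the key is absent. */
long lookup_length_checked(const char *key)
{
    const char *v = lib_lookup(key);
    if (v == NULL) return -1;
    return (long)strlen(v);
}

/* Honours lib_parse()'s ownership rule: free only on the success path. */
long parse_length_fixed(const char *input)
{
    size_t len = 0;
    char *buf = dup_string(input);
    if (buf == NULL) return -1;
    if (lib_parse(buf, &len) != 0) {
        /* lib_parse() already released buf; do not touch it again */
        return -1;
    }
    free(buf);
    return (long)len;
}
```

Both "before" functions behave correctly on the inputs a developer is likely to test with, which is why a library's implicit contract is easy to violate without noticing; the defect only shows on the absent-key and empty-input paths that a whole-program analysis of caller and library together can reach.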