Binary Code and Binary Analysis

Some binary analysis tools work in a manner similar to package manager inspectors, which basically read a file’s “table of contents” to find out what’s inside. This basic analysis may suffice in some cases, but advanced binary analysis tools can model data types, flows, and control paths, without the need to reverse-engineer. 

Using this model, advanced binary analysis tools can look deeper to identify known software components and detect security flaw patterns. These discoveries can then be used to compile security and usage reports, along with advice on how to address any issues in the code. 

Source code isn't always available for analysis. For example, some companies purchase firmware to integrate with the hardware in their products, and the firmware is in binary format. Another example is software companies that leverage third-party code and libraries, such as frameworks, containers, GUIs, and databases, to augment their proprietary code, and these libraries often contain no source code. Whatever the case may be, it’s still important that the consumers of these binary files understand what’s inside them.

Binary analysis solutions enable organizations to inspect binary code without any involvement from the vendor, to identify open source components, security vulnerabilities, license obligations, and additional sensitive information that could lead to a breach.

Synopsys Black Duck® is an automated software composition analysis (SCA) tool that enables organizations to gain visibility into the composition of software, so they can make better buying decisions and manage the ongoing risk of operating complex systems and software, regardless of source code access. Black Duck Binary Analysis identifies open source components in compiled software to provide an open source Bill of Materials and a list of any vulnerabilities and licenses related to those components.

Black Duck also recognizes compiler switches, mobile permissions, and other forms of information leakage that could potentially expose sensitive information. Furthermore, Black Duck goes beyond simply detecting these issues; hand-crafted security advisories provide detailed notifications for each vulnerability identified, giving users the information needed to properly understand, prioritize, and remediate the problem.

Organizations can also leverage Synopsys’ comprehensive set of static application security testing (SAST) solutions, as well as static analysis professional services that can help organizations find vulnerabilities in their applications without access to source code. Since static testing solutions based on binary analysis rely on modeled datatypes, data, and control paths, manual inspection of the findings can help improve the efficacy of such binary analysis. This helps eliminate noise and false positives during the assessment, making it easier to discover vulnerabilities and get actionable remediation guidance.