At Embedded World this week, GrammaTech, Inc. showed developers the newest addition to the company's CodeSonar static code analyzer: what it claims is the industry's first visual taint analysis technology.
According to Dr. Paul Anderson, GrammaTech VP of Engineering, the new tool combines advanced tainted dataflow analyses with GrammaTech's proprietary visualization engine to clearly display notoriously hard-to-find tainted data pathways in embedded systems.
“By accelerating the speed and accuracy of embedded development teams to trace these flows,” he said, “this technology will help eliminate dangerous vulnerabilities such as buffer overruns that can be exploited by an attacker to inject code.”
GrammaTech's visual taint analysis tracks potentially hazardous data flows in C/C++ applications that are too complicated for developers to reliably find manually. When such flows are identified, CodeSonar records the paths the data can take through the application, paths that can then cause unexpected or insecure program behavior.
Anderson said that, unlike other tools that provide simple warnings for tainted values, the company's proprietary visualization engine presents vulnerabilities to developers in a more actionable and auditable interface.
“Tainted data vulnerabilities are notoriously difficult for developers to find because applications often use code from different sources, which creates unexpected attack surfaces that malicious hackers can exploit,” said Anderson. “The combination of sophisticated tainted data analysis with the visualization engine greatly simplifies and accelerates developers' ability to defend embedded systems against the growing threat of software's most sophisticated security exploits.”
By showing the tainted flows in the visualization tool and overlaying taint markers on renderings of source code, he said, the tool lets developers see the effect of hazardous inputs on the behavior of their code.