GrammaTech, Inc. has just made available the latest version of its CodeSonar 4.1 code analysis tool for C/C++, Java, and binaries with new features that enhance its capabilities in a wide range of embedded Internet of Things applications.
According to Paul Anderson, vice president of engineering at GrammaTech, the new features include new distributed analysis capabilities, deeper tainted data analysis as well as binary analysis support for x64 processors. “Combined, these advances will help developers build more stable and secure code in the Internet of Things (IoT) era,” he said, “where a growing number of embedded software systems are networked enabled in sometimes unpredictable and often unsecure ways.”
He said GrammaTech has substantially increased the precision of its taint analysis capabilities, which includes new tainted buffer access and indirect function call checkers, which is is invaluable in discovering serious security vulnerabilities such as the recent Heartbleed bug. .
Another caspability, made possible by the company's research funded by the Department of Homeland Security, is the ability in Version 4.1 to distribute static analysis processing across a large numbers of heterogeneous machines (such as Linux, Windows, and Unix simultaneously). “This development has the potential to speed up the analysis phase in proportion to the number of processors in the analysis pool, and gives developers the flexibility to turn up the depth of their analysis to find more critical defects,” he said.
The company has also extended its support for binary code analysis to include the ability to analyze 64-bit Intel microprocessor code. “The rapid rise of third-party code has brought efficiency to development teams, but third-party binaries must also be rigorously tested if they are to stand up to security and quality standards,” said Anderson. ” As the pressures and liabilities of software supply chain management (SSCM) continues to increase, embedded teams must investigate both source code and binaries to ensure consumer safety.”
He said analyzing binary code alongside source code with CodeSonar has been shown to find 40% more defects than when source code alone was analyzed. (Programs tested were a mix of 75% source and 25% binary code.)