In my last post, I talked about extending the term software forensics to include any investigation of software, whether to detect crime, or for example, investigate a safety incident or track down a security breach. In this post, I’m concentrating on the use of automated binary code analysis to assist in malware detection as part of a software forensic investigation. Traditionally, labor-intensive manual binary analysis has been used, so the opportunity to add automated tools like CodeSonar to the process greatly improves productivity and detection success.
- GrammaTech CodeSonar Binary Code Analysis
- Eliminating Vulnerabilities in Third-Party Code
- Cyber-Security Analyses
Broadly speaking, software forensics covers a wide range of possible investigative techniques (e.g. data file analysis), which aren't covered here. In this post, I will specifically cover the detection of defects, malware, or other security vulnerabilities in binary code, as part of an investigation into a significant incident.
Traditionally, forensics investigation into binary code is tedious and time consuming and requires significant technical experience in both the hardware platform (target system and CPU architecture) and the software application. Performing these analyses on embedded targets is especially difficult given the broad hardware and software environment. Automation is needed for better detection rates and increased productivity. A similar case can be made for source code analysis, perhaps a topic for another post!
Applying Static Analysis to Detect Defects and Malware
GrammaTech has discussed at length the application of static analysis for detecting and analyzing security vulnerabilities. Effectively, malware is detected via tainted data analysis in combination with detected vulnerabilities. Previous posts covered tainted data analysis, security vulnerabilities, and binary analysis. To summarize, advanced static analysis tools can automatically detect security vulnerabilities in code. In addition, tainted data analysis can determine if outside input can be used to manipulate a vulnerability into a full-fledged security threat. CodeSonar’s unique binary analysis has the same detection and tracing capabilities as the source-based product and integrates with IDA Pro, one of the leading software forensic tools.
Automated Binary Code Analysis for Software Forensics
Automating something that is otherwise a painstaking and difficult job of manually reverse-engineering binary code, advanced static analysis provides many benefits, including the following:
- Improved detection: Automated static analysis can detect errors and vulnerabilities in any size binary executable or library object file, even across multiple compilation units and/or functions. The same analysis by manual approaches are difficult and often limited to pre-determined parts of the binary code. Although automated analysis may not entirely replace manual approaches, it certainly increases the detection rate and scope of analysis.
- Better tracing: One of the most difficult aspects of manual forensic investigation is tracing control and data flow, which is exacerbated with binary-only code. Advanced static analysis performs control and data flow analysis on the entire scope of the application. This larger scope of analysis improves detection but also reduces false positives (errors reported that turn out to be false), and aids tainted data analysis. CodeSonar also provides a sophisticated web user interface to significantly help with investigating errors.
- Investigation efficiency: Automated vulnerability detection, tracing, and reporting greatly increase the efficiency of binary code investigation. Software forensic investigators can rely on CodeSonar's binary analysis technology to find vulnerabilities in the entire application, while their manual investigation may be focused on certain areas of the code. Considering the cost of manual binary code reverse-engineering and investigation, CodeSonar provides very good return on investment.
- Reporting to support evidence gathering: Comprehensive error reporting, code visualization, and integration with vulnerability management systems are crucial to supporting a software security forensic investigation. Automating parts of the investigation-reporting means saving time and reducing errors.
- Hybrid source and binary analysis: Although this post has concentrated on binary code analysis, source code analysis is also critical if the source is available. For example, a disgruntled employee may have left malware in source code “hiding in plain sight.” Source code analysis shares the same features and benefits as binary analysis, and CodeSonar can report on both source and binary results in the same project.
Automated static binary code analysis provides great benefits to software forensic investigation. By increasing the scope, accuracy, and depth of the software analysis, CodeSonar can save countless hours of manual binary code reverse-engineering. With clear benefits in terms of security vulnerability detection and evidence gathering, binary analysis is a key tool for software forensics.