/mar 12, 2012

Demystifying Binary Static Analysis

By Chris Wysopal

Last Wednesday I was honored to be able to present a talk on Binary Static Analysis to an Intro to Security class at Tufts University. The instructor, Ming Chow, approached me to speak to his class as he likes to bring in security practioners who are delivering security to their customers. There does seem to be some mystery still to static binary analysis even though Veracode has been delivering this application security testing process to hundreds of customers with tens of thousands of applications for almost 5 years now. One of my goals in this presentation is to make it clear that there is nothing source code analysis can do that binary analysis can’t. Binary analysis even has benefits over source code analysis. It may seem counter-intuitive so you will want to see the presentation. The students at Tufts asked about 20 questions after my presentation. They were the best questions I have ever gotten from a group. There were only a couple that I hadn’t fielded before but I had never had so much coverage of interesting questions that I had received before from one group. There was one I struggled with about our control flow optimization. I almost deferred to Sam Guyer, a Tufts professor who also works for Veracode who was in the audience but I think I answered it well enough. The question was apt as there is always a depth of analysis tradeoff when dealing with large programs. It was a very pleasurable talk and I was impressed by the students at Tufts. I hope you go into app sec. We can use you!

Related Posts

By Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.