Running any third-party software requires you to have trust in the software supplier not to have added any hidden functionality that could endanger your business, or delivered a product full of systematic weaknesses that an attacker can exploit. Especially when dealing with software that uses cryptographic algorithms it is important to check whether there are no such hidden weaknesses.
Techniques like penetration testing, fuzzing, and others (that AIT also is offering) help you to reduce your risks, however, to gain the highest level of confidence in the software, you have to invest in manual analysis. This is an expensive and time-consuming process, often carried out on the machine code level, as the source code of the software usually is not available. AIT’s Machine-Code Analyzer is a tool helping you with this analysis, as it is able to point out program-locations in need of further inspection and program-locations without this need.
AIT’s Machine Code Analyzer takes an application and a set of machine-readable requirements as inputs. It then runs the application and watches the execution. It will look at the dataflow inside the application, at the use of memory locations, and generally monitor the control flow coverage and check whether the application meets the requirements specified. This way it can point out potentially unsafe instructions, information leaks, and other critical issues.
In addition to this, the tool will automatically create new program inputs so that the next run of the application will go down paths in the control flow graph that have never been taken before. This way, the tool is able to discover functionality hidden in the application, triggered with special inputs only.