Demystifying Binary Static Analysis

Last Wednesday I was honored to be able to present a talk on Binary Static Analysis to an Intro to Security class at Tufts University. The instructor, Ming Chow, approached me to speak to his class as he likes to bring in security practioners who are delivering security to their customers. There does seem to be some mystery still to static binary analysis even though Veracode has been delivering this application security testing process to hundreds of customers with tens of thousands of applications for almost 5 years now. One of my goals in this presentation is to make it clear that there is nothing source code analysis can do that binary analysis can’t. Binary analysis even has benefits over source code analysis. It may seem counter-intuitive so you will want to see the presentation. The students at Tufts asked about 20 questions after my presentation. They were the best questions I have ever gotten from a group. There were only a couple that I hadn’t fielded before but I had never had so much coverage of interesting questions that I had received before from one group. There was one I struggled with about our control flow optimization. I almost deferred to Sam Guyer, a Tufts professor who also works for Veracode who was in the audience but I think I answered it well enough. The question was apt as there is always a depth of analysis tradeoff when dealing with large programs. It was a very pleasurable talk and I was impressed by the students at Tufts. I hope you go into app sec. We can use you!