GrammaTech: Securing IoT Devices through Static Analysis

Marc Brown, CMO & VP, Business Development
The IoT ecosystem is booming with a wide array of devices being interconnected to realize intelligent systems. The looming challenge for IoT companies is ensuring that their software is robust and resilient to external threats. As data flows back and forth between end-points across multiple devices, software defects and vulnerabilities in critical devices can cause catastrophic damage.

“We help IoT device companies improve their overall software robustness and resiliency through sophisticated source and binary static analysis,” says Marc Brown, CMO and VP of Business Development at GrammaTech.

Through static analysis, GrammaTech addresses complex issues affecting IoT development teams today, including:

• hazard information analysis: identifying untrusted or malformed input that could be used to mount a cyber attack
• binary analysis: analyzing libraries, firmware, middleware, and other components for which source is not available but which are critically important to device integrity
• compliance: validating that source code complies with industry coding standards and regulations
• concurrency analysis: identifying resource starvation and race conditions in multi-threaded and multi-core IoT application environments

“It’s extremely difficult to find these sophisticated defects through standard functional or system testing, or other types of dynamic analysis,” says Brown. “With our mixed mode analysis technology, we help IoT companies check not just in-house developed source code, but also the binary code that they are linking with, which is otherwise a quality and security blind spot.”

GrammaTech’s CodeSonar is a Static Application Security Testing (SAST) tool that helps organizations discover defects affecting the quality, reliability, safety, and security of their software. CodeSonar analyzes code for a wide variety of defects, from comparatively simple issues such as API misuse that can lead to memory corruption or abnormal behavior, to more complex security vulnerabilities such as SQL injection.
“We build a whole-program model which is then parsed and analyzed through a number of different cyber-security checkers that help in defending against sophisticated attacks,” explained Brown.
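The API-misuse class mentioned above is the bread and butter of a source-level SAST checker. The following C snippet, added here as an illustration and not taken from GrammaTech's or CodeSonar's code, pairs an unbounded string copy into a fixed-size field (the pattern a checker reports as a buffer overflow) with a bounded replacement that rejects oversize input rather than silently truncating it. The `struct device` record and `DEVICE_NAME_MAX` limit are hypothetical, chosen only to make the example concrete.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical IoT device record, constructed for this example only. */
#define DEVICE_NAME_MAX 16

struct device {
    char name[DEVICE_NAME_MAX];   /* fixed-size field: the overflow target */
    unsigned int id;              /* sits right after name in memory */
};

/* BEFORE: the API misuse a static analyzer flags.
 * strcpy() copies until the source NUL with no regard for the
 * destination size, so any name of 16 or more characters writes past
 * dev->name and clobbers dev->id (and beyond).  Shown for contrast;
 * never call it with attacker-controlled input. */
void set_name_unsafe(struct device *dev, const char *name)
{
    strcpy(dev->name, name);      /* unbounded copy: buffer overflow */
}

/* AFTER: bounded copy that validates the length up front.
 * Returns true and stores the name when it fits (including the NUL),
 * otherwise leaves the record untouched and returns false so the
 * caller can reject the input instead of getting a truncated name. */
bool set_name_safe(struct device *dev, const char *name)
{
    /* strnlen() stops scanning at DEVICE_NAME_MAX, so an unterminated
     * or very long source cannot itself cause an over-read here. */
    size_t len = strnlen(name, DEVICE_NAME_MAX);
    if (len >= DEVICE_NAME_MAX)   /* no room left for the terminator */
        return false;
    memcpy(dev->name, name, len + 1);   /* len+1 also copies the NUL */
    return true;
}

/* Small driver so the block runs stand-alone. */
int main(void)
{
    struct device dev = { "", 42 };
    bool ok_short = set_name_safe(&dev, "sensor-01");          /* fits */
    bool ok_long  = set_name_safe(&dev, "this-name-is-far-too-long");
    /* ok_short is true, ok_long is false and dev.id is still 42 */
    return (ok_short && !ok_long && dev.id == 42) ? 0 : 1;
}
```

The length check is the whole point: a checker reports `strcpy` into a fixed buffer because nothing on the path proves the source is shorter than the destination, and `set_name_safe` is written so that proof is explicit in the code.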

In addition to CodeSonar, GrammaTech is engaged in cyber-security research for the IoT era. Software hardening improves the resiliency of IoT devices, and GrammaTech offers and continues to research advanced hardening techniques such as runtime monitoring, binary patching, diversification, and confinement.

Autonomic computing is an emerging field within cyber-security. GrammaTech’s autonomic computing framework comprises advanced reasoning technologies that detect anomalies and take corrective action to safeguard applications without human intervention. These capabilities were recently showcased at DARPA’s Cyber Grand Challenge, an all-machine hacking tournament.

In addition to DARPA, the company has worked with many other research partners, including Daimler, Google, NASA, and the FDA, to solve the challenges of securing critical software and devices. For instance, when the FDA introduced its Infusion Pump Improvement Initiative, GrammaTech was engaged to bring in static code analysis through CodeSonar. The FDA subsequently found that product design and engineering flaws had resulted in adverse events involving faulty infusion pumps used in critical healthcare scenarios, and it now recommends that manufacturers implement static analysis to detect the most critical defects and security vulnerabilities. NASA, which must develop software that is as close to flawless as possible, also uses CodeSonar to improve the reliability of mission-critical software, most notably the code running on its Curiosity rover on Mars.

Founded by two academics to carry forward their R&D efforts, GrammaTech remains focused on research and innovation, developing technologies to tackle the challenges of increasingly complex IoT environments. Collaborating with the U.S. government, various universities, and other cyber-security-focused companies, GrammaTech is a leader in tools and technologies for the IoT arena.
