The BINSEC tool is designed to help finding potentially unknown vulnerabilities (“0day”) in a system under test, assuming an access to some (security critical) executable code to be analyzed. Inside the static vulnerability detection module of IRIS Automated Threat Analytics (ATA), this is complementary to the capabilities offered by ATOS Vulnerability Discovery Manager (VDM), which is non-intrusive on the system under analysis and can detect already known vulnerabilities (“1day”) in fragile system components through a signature-based mechanism.
Given an executable file in the system (e.g. part of the firmware) typically considered suspicious by an expert and some representative test execution over this program, BINSEC will automatically expand the test suite in order to cover more behaviors and potentially find vulnerabilities in the system under analysis (through its dedicated monitors). BINSEC will also help with IRIS risk analysis, as the detected vulnerabilities will be contain both a triggering input, a vulnerability class (e.g., control-flow violation) and a severity (typical severity associated to the vulnerability class).
This component will also provide reporting and intelligence sharing capabilities, building JSON reports with the information about the vulnerabilities identified. These vulnerabilities reports will be sent to the IRIS Advanced Threat Intelligence Orchestrator (ATIO) to be processed to trigger some incident response workflow and to be published to threat intelligence platforms such as MISP through the IRIS Collaborative Threat Intelligence Sharing. The Advanced Threat Intelligence Orchestrator will send requests for vulnerability analysis of the infrastructure monitored (executable files to analyses, initial test suites) and will receive the vulnerability reports produced by BINSEC.