MoSRA: Modular Software Risk Assessment
Title: CEO
Phone: (650) 515-3391
Email: ulrich.lang@objectsecurity.com
The objective of the solicitation is to develop a commercial capability and product that analyzes compiled binary executables of Windows applications and detects and reports the software libraries embedded in multi-component software packages. The libraries are either shared (for example as Windows .dll files) or linked directly into static binaries, and their source code is not available. Normally the binary is also stripped, i.e. all symbol information has been removed. As a result, software users in most cases do not know which libraries, and which versions of them, their applications are built on.

We propose a product for supply chain risk management and provenance of binary applications. It shall process binary applications and the libraries they use, and shall generate similarity graphs and reports of the libraries. Our technical approach is based on binary similarity analysis between pairs of functions, using a graph database. First, we split the binary under analysis into individual functions, and then calculate, in an optimized way, a similarity index between pairs of functions in the binary and functions already stored in the graph database from previous analyses. The similarity indices are stored in the database, and from them we can calculate full software provenance graphs of the analyzed binaries and libraries, including version history graphs of the individual libraries. The graphs are visualized (for example, the libraries used by an application can be shown), and reports on applications and the libraries they reference are generated.
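The following is an added illustration of the pipeline sketched above (split into functions, pairwise similarity index, similarity graph, library and version attribution); it is not the product or project code described on this page. It assumes a disassembler has already carved the stripped binary into functions and reduced each to its instruction-mnemonic sequence, uses a Jaccard index over mnemonic 3-grams as the similarity index (the page does not say which metric the product uses), and replaces the graph database with an in-memory structure. All library names, versions, function names and mnemonic sequences are constructed for the example and do not correspond to real libraries.

```python
"""Function-level similarity between a stripped binary and previously analysed
library functions, kept in a small in-memory similarity graph.
Added example, not the product or project code described on the page. All
library names, versions and mnemonic sequences below are constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

Mnemonics = List[str]
# Every node is (container, version, function): container is a library name or,
# for functions carved from the application itself, the binary's file name.
Node = Tuple[str, str, str]
Gram = Tuple[str, ...]

N = 3  # mnemonic n-gram length; operands are dropped so addresses and relocations do not matter

# Constructed contents of the "already analysed" side of the graph database.
KNOWN: Dict[Node, Mnemonics] = {
    ("libfoo", "1.0", "foo_checksum"): ["push", "mov", "xor", "mov", "cmp", "je", "movzx", "add", "inc", "jmp", "pop", "ret"],
    ("libfoo", "1.1", "foo_checksum"): ["push", "mov", "xor", "mov", "cmp", "je", "movzx", "add", "inc", "cmp", "jne", "pop", "ret"],
    ("libbar", "2.3", "bar_init"):     ["sub", "mov", "lea", "call", "test", "jz", "mov", "call", "add", "ret"],
}
# Constructed functions carved from a stripped application; no symbols, so they are named by address.
UNKNOWN: Dict[str, Mnemonics] = {
    "sub_401000": ["push", "mov", "xor", "mov", "cmp", "je", "movzx", "add", "inc", "cmp", "jne", "pop", "ret"],
    "sub_401200": ["sub", "mov", "lea", "call", "test", "jz", "mov", "call", "ret"],
    "sub_401400": ["mov", "ret"],  # shorter than N: yields no n-gram at all
}


def ngrams(seq: Mnemonics, n: int = N) -> FrozenSet[Gram]:
    """Set of mnemonic n-grams of one function; empty when the function is shorter than n."""
    return frozenset(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def similarity(a: FrozenSet[Gram], b: FrozenSet[Gram]) -> float:
    """Jaccard index over n-gram sets, defined as 0.0 when either side is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class SimilarityGraph:
    """Stand-in for the graph database. An inverted n-gram index restricts the
    pairwise comparison to functions sharing at least one n-gram, so inserting a
    function does not require a scan of the whole corpus."""

    def __init__(self, threshold: float = 0.3) -> None:
        self.threshold = threshold
        self.features: Dict[Node, FrozenSet[Gram]] = {}
        self.index: Dict[Gram, set] = defaultdict(set)
        self.edges: Dict[Tuple[Node, Node], float] = {}

    def add(self, node: Node, seq: Mnemonics) -> Dict[Node, float]:
        """Insert a function, store an edge to every candidate at or above the
        threshold, and return the similarities recorded for the new node."""
        feats = ngrams(seq)
        candidates: set = set()
        for g in feats:
            candidates |= self.index[g]
        recorded: Dict[Node, float] = {}
        for other in candidates:
            s = similarity(feats, self.features[other])
            if s >= self.threshold:
                self.edges[(node, other)] = self.edges[(other, node)] = s
                recorded[other] = s
        self.features[node] = feats
        for g in feats:
            self.index[g].add(node)
        return recorded


def attribute(graph: SimilarityGraph, binary: str, unknown: Dict[str, Mnemonics]) -> Dict[str, Optional[Tuple[Node, float]]]:
    """Add the binary's functions to the graph and return, per function, the
    best-matching library function and its similarity (None if nothing matched)."""
    result: Dict[str, Optional[Tuple[Node, float]]] = {}
    for name, seq in unknown.items():
        matches = graph.add((binary, "?", name), seq)
        libs = {n: s for n, s in matches.items() if n[0] != binary}  # ignore matches inside the binary itself
        result[name] = max(libs.items(), key=lambda kv: kv[1]) if libs else None
    return result


def library_report(attribution: Dict[str, Optional[Tuple[Node, float]]]) -> Dict[Tuple[str, str], list]:
    """Group best matches by (library, version): the libraries an application appears to embed."""
    report = defaultdict(list)
    for fn, best in sorted(attribution.items()):
        if best is not None:
            (lib, ver, kname), s = best
            report[(lib, ver)].append((fn, kname, s))
    return dict(report)


def version_history(graph: SimilarityGraph, library: str) -> Dict[Tuple[str, str, str], float]:
    """Similarity between same-named functions of two versions of one library
    (versions are compared as strings here, a simplification)."""
    out = {}
    for (a, b), s in graph.edges.items():
        if a[0] == b[0] == library and a[2] == b[2] and a[1] < b[1]:
            out[(a[2], a[1], b[1])] = s
    return out


def analyse(binary: str = "app.exe"):
    graph = SimilarityGraph(threshold=0.3)
    for node, seq in KNOWN.items():
        graph.add(node, seq)
    attribution = attribute(graph, binary, UNKNOWN)
    return graph, attribution, library_report(attribution)


if __name__ == "__main__":
    g, attr, rep = analyse()
    for (lib, ver), funcs in rep.items():
        print(f"{lib} {ver}: {funcs}")
    print("unattributed:", [fn for fn, best in attr.items() if best is None])
    print("version history libfoo:", version_history(g, "libfoo"))
```

In this toy run, sub_401000 matches foo_checksum from libfoo 1.1 exactly and libfoo 1.0 only at 0.5, so the report attributes it to version 1.1; sub_401200 lands on libbar 2.3 at 6/9; sub_401400 is too short to produce any n-gram and stays unattributed rather than producing a spurious match. A production system would use a richer function representation (basic-block structure, call targets, constants) and a real graph store, but the division of labour is the same: carve, compare against indexed candidates, persist the indices, then derive provenance and version-history views from the stored edges.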
* Information listed above is at the time of submission. *