Software Supply Chain Identification for Compiled Binary Executables

Computing systems contain increasing and changing software applications from a wide variety of vendors and sources. These applications contain numerous libraries for them to function, which are often not known to the end-user and considered a black box. When these libraries or their dependencies are discovered to have a vulnerability, the end-user relies exclusively on the software publisher to recognize the vulnerability, potentially leaving a time-gap where the vulnerability can be exploited before the publisher notifies affected end-users of the issue. This use-case is magnified when the publisher no longer maintains a piece of software. Current market capabilities lack the sophisticated detection techniques that are needed by the homeland security enterprise (HSE) to protect critical cybersecurity missions from vulnerable and embedded software libraries. In this Phase II project, Oceanit will develop a powerful tool that can detect and report embedded software library information in compiled Windows 64-bit binaries.