[Updated: Aug. 22] — Insignary unveiled TruthIsIntheBinary, a free, cloud-based version of its Clarity binary code scanning software aimed at open source Linux IoT code.

Normally, we gizmo-heads shy away from security software, but Insignary’s latest offering pushed all our buttons: Linux, free, open source, and “IoT security ticking time-bomb.” We were also slapped silly by the oracular sounding name: TruthIsIntheBinary.

Maybe we should be scared: This Linux-based IoT security problem is getting serious. There are numerous solutions, starting with keeping updated mobile device firmware rolling out via OTA, but there hasn’t been a mad rush to fix the security problem relative to Linux-based embedded and IoT devices. Korea-based Insignary cites a PwC report stating that only 35 percent of approximately 9,700 companies polled said they had an IoT security strategy in place, and only 28 percent saod they have begun implementing added security needed to guard against the risk of a cyberattack created by IoT networks.

Unpacking and analyzing files in Clarity. Presumably, the Clarity-based TruthIsIntheBinary uses a similar approach.
(click image to enlarge)

TruthIsIntheBinary offers a security scan that has a few advantages over most: it’s free, and it’s aimed directly at open source Linux IoT projects. Based on Insignary Clarity binary code scanning software-as-a-service, this free, cloud-only version lets users “quickly and easily” scan open source software used in embedded applications and IoT devices, says Insignary. TruthIsIntheBinary can identify SambaCry, Devil’s Ivy, Heartbleed, Ghost and Venom, among more than 91,000 known security vulnerabilities, claims the company.

Developers can upload just about any uncompressed binary file to the site that weighs in at under 5MB, including smart phone apps. Within a few minutes, the service returns a report that includes the number of potential security issues and their level of severity. Users who want a more detailed report can sign up for Clarity.

Since we’re far from being security experts, we consulted embedded Linux and security expert Bill Weinberg, who in the past has helped us out on issues such as the netbook wars. Weinberg, who recently cofounded a new consulting group called Open Source Sense with Greg Olson, said the underlying Clarity software is a Binary Analysis Tool (BAT). Like many other BAT packages, Clarity, but apparently not TruthIsIntheBinary, can also identify common associated compliance issues in addition to security problems.

The software also offers a “unique fingerprinting technology,” that uses “symbol and string table comparisons,” says Insignary. In addition, it cross references to NVDB (National Vulnerability Database), and offers access to VulnDB. Clarity can be considered a type of “component analysis” platform, somewhat similar to what is provided by Black Duck, Flexera, Fossa, Fossid, and WhiteSource. Insignary CEO Mahnjoon Jang was formerly CFO of Black Duck Software.

Insignary claims that TruthIsIntheBinary is superior to checksum solutions, which are hampered by the fact that they’re only useful in “situations where there is a standard repository for binary components.” Another problem with checksums is that they change if the same file has been compiled even slightly differently,” says the company.

According to Insignary, “third-party software that OEMs and developers purchase for their IoT applications is distributed in binary format without the source code, making it extremely difficult to identify any potential security vulnerabilities.”

Still, some developers may not feel comfortable uploading their software to the cloud. Upgrading to Clarity lets you choose either a cloud or on-premise solution.

 
Further information

TruthIsIntheBinary is available at no cost for uncompressed binary files that are less than 5MB in size. More information may be found on Insignary’s website.