Binary Ninja Free vs Commercial Analysis for WolfGuard

⚠️ STATUS: Reference Document Only

Evaluation Complete - Not Currently in Use

This cost-benefit analysis was completed but Binary Ninja has not been acquired. The document is preserved for future budget planning and reference.

Current Decision: Using IDA Pro 9.2 + Ghidra 11.3 instead

Revisit Date: When budget allows or project scale increases significantly

---

Document Version: 1.0 Date: 2025-10-30 Project: WolfGuard - OpenConnect VPN Server Implementation Analysis Scope: Cisco Secure Client v5.1.12.146 (197 binaries) Decision: Commercial License Required Evaluation Deferred

---

Executive Summary

HISTORICAL VERDICT: Binary Ninja Free (Non-Commercial) version is NOT SUFFICIENT for the WolfGuard project.

Critical Blockers (if evaluated):

1. Architecture Gap: 91 Linux ARM64 binaries (46% of total) cannot be analyzed (Free only supports ARMv7, not ARM64/AArch64)
2. No Automation: 197 binaries require scripting - Free version has no API access
3. Commercial Use Restriction: WolfGuard is a work project, violating Free license terms

Original Recommendation: Binary Ninja Commercial ($299/year per user) + existing IDA Pro

Actual Decision (2025-10-30): Deferred - using IDA Pro 9.2 + Ghidra 11.3 combination successfully

Future ROI Consideration: $299 investment could save 1-2 weeks of manual work if project scales up

---

Table of Contents

1. Binary Requirements Analysis
2. Architecture Distribution
3. Critical Binaries Identification
4. Free Version Limitation Assessment
5. Commercial Features Analysis
6. Cost-Benefit Analysis
7. Decision Matrix
8. Recommendations

---

1. Binary Requirements Analysis

1.1 Dataset Overview

Source: /opt/projects/repositories/cisco-secure-client/analysis/5.1.12.146-comprehensive/output/binary_catalog.json

Total Binaries: 197 (188 ELF + 9 MSI packages)

Platform Distribution:

• Linux x86_64: 97 binaries (49.2%)
• Linux ARM64: 91 binaries (46.2%)
• Windows x64: 9 MSI packages (4.6%)

Component Breakdown:

• VPN module: 73 binaries (main target)
• Posture assessment: 40 binaries
• DART (diagnostic): 14 binaries
• NVM (network visibility): 29 binaries
• ISE Posture: 12 binaries
• Localization: 29 binaries (.mo files)

---

2. Architecture Distribution

2.1 Linux x86_64 (97 binaries)

Critical VPN Binaries:

vpnagentd                  1,045,385 bytes   Main VPN daemon
libvpnapi.so              1,916,773 bytes   VPN API library
libacciscossl.so            617,693 bytes   Cisco SSL/TLS library
libacciscocrypto.so       2,738,133 bytes   Cisco crypto library
libvpncommon.so           4,110,861 bytes   Common VPN functions
libvpnagentutilities.so   1,100,901 bytes   VPN utilities
libvpnipsec.so            1,086,697 bytes   IPsec implementation
libvpncommoncrypt.so        636,229 bytes   Crypto wrapper
vpnui                       717,809 bytes   VPN UI client
vpn                         144,129 bytes   VPN CLI tool

Other Notable Binaries:

osqueryi (posture)       86,517,893 bytes   Largest binary (system query)
osqueryi (nvm)           86,517,789 bytes   Duplicate (different module)
acnvmagent (nvm)         12,745,405 bytes   Network visibility agent

Architecture: ELF 64-bit LSB executable, x86-64

Binary Ninja Free Support: ✅ FULLY SUPPORTED (x86_64 is supported)

---

2.2 Linux ARM64 (91 binaries)

Critical VPN Binaries (ARM64):

vpnagentd                  1,057,649 bytes   Main VPN daemon (ARM64)
libvpnapi.so              1,843,077 bytes   VPN API library (ARM64)
libacciscossl.so            670,949 bytes   Cisco SSL/TLS library (ARM64)
libacciscocrypto.so       2,507,029 bytes   Cisco crypto library (ARM64)
libvpncommon.so           4,151,837 bytes   Common VPN functions (ARM64)
libvpnagentutilities.so   1,129,597 bytes   VPN utilities (ARM64)
libvpnipsec.so            1,123,545 bytes   IPsec implementation (ARM64)
libvpncommoncrypt.so        664,805 bytes   Crypto wrapper (ARM64)
vpnui                       742,281 bytes   VPN UI client (ARM64)
vpn                         205,545 bytes   VPN CLI tool (ARM64)

Other Notable Binaries (ARM64):

osqueryi (posture)       79,159,989 bytes   System query tool (ARM64)
osqueryi (nvm)           79,160,093 bytes   Duplicate (different module)
acnvmagent (nvm)         11,846,197 bytes   Network visibility agent (ARM64)

Architecture: ELF 64-bit LSB executable, AArch64 (ARM64)

Binary Ninja Free Support: ❌ NOT SUPPORTED

• Free version supports: x86, x86_64, ARMv7 (32-bit)
• ARM64/AArch64 (64-bit) requires: Personal ($149/year) or Commercial ($299/year)

Impact: Cannot analyze 91 binaries (46% of dataset)

---

2.3 Windows x64 (9 MSI packages)

MSI Packages:

cisco-secure-client-win-5.1.12.146-core-vpn-predeploy-k9.msi       23,111,680 bytes
cisco-secure-client-win-5.1.12.146-posture-predeploy-k9.msi        34,876,416 bytes
cisco-secure-client-win-5.1.12.146-nvm-predeploy-k9.msi            24,688,128 bytes
cisco-secure-client-win-5.1.12.2345-zta-predeploy-k9.msi           32,686,592 bytes
cisco-secure-client-win-2.9.0-thousandeyes-predeploy-k9.msi        11,472,896 bytes
cisco-secure-client-win-5.1.12.146-nam-predeploy-k9.msi             7,307,776 bytes
cisco-secure-client-win-5.1.12.146-dart-predeploy-k9.msi            7,121,920 bytes
cisco-secure-client-win-5.1.12.146-iseposture-predeploy-k9.msi      4,851,712 bytes
cisco-secure-client-win-5.1.12.146-umbrella-predeploy-k9.msi        5,413,376 bytes
cisco-secure-client-win-5.1.12.146-sbl-predeploy-k9.msi             3,155,456 bytes

Note: MSI files are Windows Installer packages, not PE executables

• Need to extract PE binaries first (using msiexec, lessmsi, or 7z)
• Once extracted, PE binaries are likely x86_64 (Windows 64-bit)

Binary Ninja Free Support: ✅ LIKELY SUPPORTED (x86_64 PE)

• However, MSI extraction is manual step
• Primary focus is Linux binaries for WolfGuard server

Priority: LOW (Windows client is not primary target)

---

2.4 Objective-C Detection

Question: Do Cisco binaries use Objective-C?

Analysis:

• Objective-C is primarily used on macOS/iOS platforms
• Cisco Secure Client v5.1.12.146 catalog contains:
  • Linux ELF binaries (x86_64, ARM64)
  • Windows MSI packages (PE executables inside)
  • No macOS/iOS binaries in this package

Expected Language: C/C++ (typical for VPN daemons)

Objective-C Presence: ❌ NONE EXPECTED

• Linux binaries use GTK+ for GUI (.glade files present)
• Typical indicators missing:
  • No @implementation, @interface in strings
  • No objc_msgSend symbols
  • No Objective-C runtime libraries

Conclusion: Objective-C auto-analysis workflow (missing in Free version) is NOT NEEDED

---

3. Critical Binaries Identification

3.1 Highest Priority Targets

Core VPN Daemon (both architectures):

linux-x64/vpn/vpnagentd        1,045,385 bytes  x86_64
linux-arm64/vpn/vpnagentd      1,057,649 bytes  AArch64  ← REQUIRES COMMERCIAL

Purpose: Main VPN connection handler, authentication logic

VPN API Library (both architectures):

linux-x64/vpn/libvpnapi.so     1,916,773 bytes  x86_64
linux-arm64/vpn/libvpnapi.so   1,843,077 bytes  AArch64  ← REQUIRES COMMERCIAL

Purpose: Public API for VPN operations (critical for interoperability)

Cisco SSL/TLS Library (both architectures):

linux-x64/vpn/libacciscossl.so   617,693 bytes  x86_64
linux-arm64/vpn/libacciscossl.so 670,949 bytes  AArch64  ← REQUIRES COMMERCIAL

Purpose: Custom TLS implementation (protocol analysis target)

Cisco Crypto Library (both architectures):

linux-x64/vpn/libacciscocrypto.so   2,738,133 bytes  x86_64
linux-arm64/vpn/libacciscocrypto.so 2,507,029 bytes  AArch64  ← REQUIRES COMMERCIAL

Purpose: Crypto primitives (HMAC, encryption, key derivation)

---

3.2 Architecture-Specific Analysis

Can we work with x86_64 only?

YES, BUT...:

• ✅ Protocol is likely architecture-independent (network protocols are)
• ✅ Authentication flow should be identical across architectures
• ✅ Crypto algorithms are same (just compiled for different CPUs)

However:

• ⚠️ ARM64 binaries may have optimization differences
• ⚠️ Some edge cases might be ARM-specific (e.g., endianness handling)
• ⚠️ Completeness: Can't claim "full analysis" if we skip 46% of binaries

Recommendation: ARM64 analysis is HIGHLY DESIRABLE but not absolutely critical for initial protocol reverse engineering

---

3.3 Language and Compilation

Evidence from Binary Catalog:

GTK+ GUI (C-based):

• DARTGUI.glade (GTK+ Glade UI definition)
• cvcgui-gtk.glade (VPN UI definition)
• Implies C/C++ codebase with GTK+ bindings

Boost C++ Libraries:

libboost_filesystem.so
libboost_thread.so
libboost_regex.so
libboost_chrono.so
libboost_system.so
libboost_date_time.so
libboost_atomic.so

Conclusion: Heavy C++ usage (Boost is C++ only)

osquery Integration:

osqueryi (86 MB binary)

Note: osquery is written in C++

Language Breakdown:

• Primary: C++ (Boost libraries, large binary sizes)
• Secondary: C (system interfaces, crypto libraries)
• GUI: GTK+ (C-based toolkit)
• No Objective-C: Not detected

Binary Ninja Implication:

• C++ support in Free version is limited (HLIL + Pseudo C only)
• Missing MLIL/LLIL makes C++ analysis harder
• IDA Pro's Hex-Rays is superior for C++ decompilation

---

4. Free Version Limitation Assessment

4.1 Limitation #1: Architecture Support

Free Version: "Only supports x86, x86_64, and ARMv7 architectures"

Impact Analysis:

Architecture	Count	Percentage	Free Support	Impact
x86_64 (Linux)	97	49.2%	✅ YES	Can analyze
ARM64 (Linux)	91	46.2%	❌ NO	BLOCKED
x86_64 (Windows PE)	~9 MSI	4.6%	✅ YES	Can analyze

Critical Gap:

• 91 ARM64 binaries cannot be opened in Free version
• Includes critical binaries: vpnagentd, libvpnapi.so, libacciscossl.so (ARM64 versions)

Workaround Options:

1. Use x86_64 only: ⚠️ Incomplete analysis (46% missing)
2. Use Ghidra for ARM64: ✅ Free, supports ARM64
3. Use IDA Pro for ARM64: ✅ Already owned, supports ARM64
4. Purchase Commercial Binary Ninja: ✅ Unlocks ARM64 support

Assessment: 🔴 CRITICAL BLOCKER for comprehensive analysis

---

4.2 Limitation #2: SCC Support

Free Version: "No SCC support"

What is SCC?: Strongly Connected Components (advanced control flow analysis)

Use Case: Identify loops, recursive structures, complex control flow

Impact on WolfGuard:

• Low priority: VPN protocol analysis focuses on:
  • Function identification (call graphs)
  • Crypto operations (pattern matching)
  • Authentication flows (sequence diagrams)
• SCC is useful for optimization analysis (not our primary goal)

Workaround: Use IDA Pro or Ghidra for advanced control flow analysis

Assessment: 🟡 MINOR LIMITATION - can compensate with other tools

---

4.3 Limitation #3: No Linux ARM Client

Free Version: "No linux-arm client (supported in paid versions)"

Impact: Cannot run Binary Ninja on ARM-based Linux workstations (e.g., Raspberry Pi, AWS Graviton)

Current System: x86_64 Linux (confirmed via uname -m)

Assessment: 🟢 NO IMPACT - we run on x86_64 workstations

---

4.4 Limitation #4: Objective-C Workflow

Free Version: "The ObjectiveC auto-analysis workflow is not included"

Impact: Cannot automatically analyze Objective-C code

Cisco Binaries: No Objective-C detected (C/C++ only)

Assessment: 🟢 NO IMPACT - not needed for this project

---

4.5 Limitation #5: Limited ILs (Intermediate Languages)

Free Version: "Limited ILs (Disassembly, HLIL, Pseudo C only)"

Available in Free:

• ✅ Disassembly: Raw assembly (e.g., mov eax, [rbp-0x10])
• ✅ HLIL: High-Level IL (C-like, e.g., counter += 1)
• ✅ Pseudo C: Readable C decompilation

NOT Available in Free:

• ❌ LLIL: Low-Level IL (architecture-independent assembly)
• ❌ MLIL: Medium-Level IL (SSA form, data flow analysis)
• ❌ Lifted IL: Architecture-agnostic representation

Impact Assessment:

For Manual Analysis: 🟢 SUFFICIENT

• HLIL + Pseudo C is enough for understanding algorithm logic
• Example: Analyze vpn_totp_verify() function flow

For Automated Analysis: 🔴 INSUFFICIENT

• Cannot write scripts to find all HMAC operations (need MLIL)
• Cannot trace data flow across functions (need SSA form)
• Cannot do cross-architecture pattern matching (need Lifted IL)

Use Cases Requiring MLIL:

# Example: Find all crypto operations (REQUIRES MLIL)
import binaryninja as bn

bv = bn.open_view('vpnagentd')

for func in bv.functions:
    for block in func.mlil:  # ← MLIL not available in Free
        for instr in block:
            if instr.operation == bn.MediumLevelILOperation.MLIL_CALL:
                if 'hmac' in str(instr.dest).lower():
                    print(f"Found HMAC @ {hex(instr.address)}")

Workaround: Use HLIL (less precise) or IDA Pro microcode

Assessment: 🟡 MODERATE LIMITATION

• Manual analysis: OK
• Batch automation: Blocked

---

4.6 Limitation #6: No API / Plugin Access

Free Version: "No API / plugin access"

Missing Capabilities:

1. No Python API: Cannot write automation scripts
2. No Plugin System: Cannot use community plugins
3. No Sidekick AI: Cannot use AI-assisted analysis
4. No Batch Processing: Must analyze 197 binaries manually

Impact on WolfGuard Workflow:

Batch Analysis (197 binaries):

# This script WILL NOT WORK in Free version
#!/usr/bin/env python3
import binaryninja as bn
import glob
import json

results = []

for binary_path in glob.glob('/opt/binaries/**/*.so', recursive=True):
    bv = bn.open_view(binary_path)  # ← API not available in Free
    bv.update_analysis_and_wait()

    # Extract crypto functions
    crypto_funcs = [f for f in bv.functions if 'crypto' in f.name.lower()]

    results.append({
        'binary': binary_path,
        'functions': [f.name for f in crypto_funcs]
    })

with open('analysis.json', 'w') as f:
    json.dump(results, f)

Manual Alternative (Free version):

1. Open each binary individually (197 times)
2. Search for interesting functions manually
3. Copy-paste results to text file
4. Repeat for every binary

Time Estimate:

• Automated (with API): 2-3 hours for 197 binaries
• Manual (Free version): 2-3 weeks for 197 binaries

Assessment: 🔴 CRITICAL BLOCKER for efficient workflow

---

4.7 Limitation #7: Commercial Use Restriction

Free Version: "Not for commercial purposes"

License Terms Analysis:

Binary Ninja Free License (from https://binary.ninja/purchase/#non-commercial):

"The Non-Commercial edition is for personal, non-commercial use only. You may not use the Non-Commercial edition for any commercial purpose, including as part of a commercial product or service."

WolfGuard Project Status:

• Purpose: Open-source VPN server (interoperability research)
• Legal Basis: DMCA §1201(f) exemption (reverse engineering for interoperability)
• Revenue: No direct revenue from reverse engineering results
• Employment: Likely a work project (engineers are paid)

Key Question: Is WolfGuard "commercial"?

Interpretation 1: YES (Work Project)

• Engineers are paid by employer to develop WolfGuard
• Work is performed during work hours
• Even if final product is open-source, the work itself is commercial

Interpretation 2: NO (Open Source)

• WolfGuard is open-source (no revenue)
• Reverse engineering is for interoperability (protected activity)
• Results are published publicly, not sold

Conclusion:

• If WolfGuard is developed at work, during work hours, by paid employees: ❌ NOT ELIGIBLE for Free version
• If WolfGuard is a personal hobby project: ✅ ELIGIBLE for Free version

Recommendation: Assume commercial use (safer interpretation)

Assessment: 🔴 LICENSE VIOLATION RISK if used for work project

---

5. Commercial Features Analysis

5.1 Feature Comparison by Tier

Feature	Free	Personal ($149/yr)	Commercial ($299/yr)	Enterprise ($1,299/yr)
Architectures	x86, x64, ARMv7	✅ All (incl. ARM64)	✅ All (incl. ARM64)	✅ All (incl. ARM64)
Python API	❌ None	✅ Full	✅ Full	✅ Full
ILs Available	Disassembly, HLIL, Pseudo C	✅ All (LLIL, MLIL, HLIL)	✅ All (LLIL, MLIL, HLIL)	✅ All (LLIL, MLIL, HLIL)
SCC Support	❌ No	❌ No	❌ No	✅ Yes
Commercial Use	❌ No	❌ No	✅ Yes	✅ Yes
Sidekick AI	❌ No	❌ No	❌ No	✅ Yes
Support	Community	Standard	Standard	Priority
Collaboration	❌ No	✅ Yes	✅ Yes	✅ Yes
Floating Licenses	N/A	❌ No	❌ No	✅ Yes

---

5.2 Critical Features for WolfGuard

Feature #1: ARM64/AArch64 Support

• Available in: Personal ($149), Commercial ($299), Enterprise ($1,299)
• Why Critical: 91 ARM64 binaries (46% of dataset)
• Alternatives: Ghidra (free), IDA Pro (already owned)
• Priority: 🔴 HIGH

Feature #2: Python API

• Available in: Personal ($149), Commercial ($299), Enterprise ($1,299)
• Why Critical: Batch processing 197 binaries
• Use Case:

  # Extract all functions from all binaries
  for binary in binaries:
      bv = binaryninja.open(binary)
      functions = list(bv.functions)
      # Export to JSON for WolfGuard documentation

• Alternatives: IDAPython (IDA Pro), Ghidra Python
• Priority: 🔴 HIGH

Feature #3: MLIL/LLIL (Medium/Low-Level IL)

• Available in: Personal ($149), Commercial ($299), Enterprise ($1,299)
• Why Useful: Better for protocol analysis (between assembly and C)
• Use Case: Automated pattern matching for crypto operations
• Alternatives: IDA Pro microcode, Ghidra p-code
• Priority: 🟡 MEDIUM (HLIL often sufficient)

Feature #4: Commercial Use Rights

• Available in: Commercial ($299), Enterprise ($1,299)
• Why Critical: If WolfGuard is a work project (paid development)
• Alternatives: Personal license ($149) if genuinely non-commercial
• Priority: 🔴 HIGH (if work project)

Feature #5: SCC Support

• Available in: Enterprise ($1,299) only
• Why Useful: Advanced control flow analysis
• Use Case: Identify complex loops in connection state machine
• Alternatives: IDA Pro, Ghidra
• Priority: 🟢 LOW (not critical for protocol analysis)

Feature #6: Sidekick AI

• Available in: Enterprise ($1,299) only
• Why Useful: AI-assisted function naming, vulnerability detection
• Use Case: Quickly understand obfuscated functions
• Alternatives: Claude Code, GitHub Copilot
• Priority: 🟢 LOW (nice-to-have, not essential)

---

5.3 Minimum Required Tier

For WolfGuard Project:

If Non-Commercial (Personal Project):

• Minimum Tier: Personal ($149/year)
• Unlocks: ARM64 support, Python API, all ILs
• Sufficient for: Full analysis of 197 binaries

If Commercial (Work Project):

• Minimum Tier: Commercial ($299/year)
• Unlocks: Same as Personal + commercial use rights
• Sufficient for: Full analysis with legal compliance

Enterprise Tier ($1,299/year):

• Only needed if:
  • Require SCC support (advanced control flow)
  • Need Sidekick AI (AI assistance)
  • Need floating licenses (team >5 engineers)
• Recommendation: ❌ NOT NEEDED for WolfGuard (too expensive, features not critical)

---

6. Cost-Benefit Analysis

6.1 Scenario Comparison

Scenario 1: Free Version Only

Cost: $0

Coverage:

• ✅ Can analyze: 97 x86_64 binaries (49%)
• ❌ Cannot analyze: 91 ARM64 binaries (46%)
• ⚠️ Limited to manual analysis (no automation)

Time Estimate:

• Manual analysis: 30 minutes per binary × 97 = 48.5 hours (1.2 weeks)
• No batch processing (must open each binary individually)

Blockers:

1. Missing 46% of dataset (ARM64)
2. No automation (Python API blocked)
3. License violation if work project

Verdict: ❌ NOT VIABLE for WolfGuard

---

Scenario 2: IDA Pro + Free Binary Ninja

Cost: $0 (IDA Pro already owned)

Coverage:

• ✅ IDA Pro: All 197 binaries (all architectures)
• ✅ Binary Ninja Free: 97 x86_64 binaries (manual validation)

Time Estimate:

• IDA Pro automation: 5 minutes per binary × 197 = 16.4 hours (2 days)
• Binary Ninja manual checks: 10 minutes × 20 binaries = 3.3 hours
• Total: 19.7 hours (2.5 days)

Workflow:

1. Use IDA Pro for batch processing (IDAPython scripts)
2. Use Binary Ninja Free for manual comparison/validation (x86_64 only)
3. Focus deep analysis on x86_64 (Binary Ninja) vs ARM64 (IDA Pro only)

Pros:

• ✅ Full coverage (IDA Pro handles ARM64)
• ✅ No additional cost
• ✅ IDA Pro has better C++ decompiler

Cons:

• ⚠️ Binary Ninja Free adds limited value (manual only)
• ⚠️ IDA Pro slower than Binary Ninja for iterative tasks
• ⚠️ No Binary Ninja automation benefits

Verdict: ✅ VIABLE (baseline option if no budget)

---

Scenario 3: Commercial Binary Ninja ($299/user × 2 = $598/year)

Cost: $598/year (2 engineers)

Coverage:

• ✅ Can analyze: All 197 binaries (100%)
• ✅ Full automation: Python API enabled
• ✅ Parallel processing: 2 engineers can work simultaneously

Time Estimate:

• Automated batch processing: 2 minutes per binary × 197 = 6.6 hours
• Manual review of automated results: 5 hours
• Total: 11.6 hours (1.5 days)

Time Saved vs. Scenario 2:

• Scenario 2: 19.7 hours
• Scenario 3: 11.6 hours
• Savings: 8.1 hours (1 day)

ROI Calculation:

• Cost: $598/year ÷ 52 weeks = $11.50/week
• Time saved: 8.1 hours × $100/hour (engineer rate) = $810
• ROI: $810 saved / $598 cost = 1.35x (35% return)

Note: ROI is per analysis cycle

• If we analyze 5 Cisco releases per year: 6.8x ROI
• If we analyze 10 releases per year: 13.6x ROI

Pros:

• ✅ Full ARM64 support
• ✅ Best automation (Python API)
• ✅ Fastest analysis speed
• ✅ Modern UI/UX
• ✅ Legal compliance (commercial license)

Cons:

• ⚠️ Annual recurring cost ($598/year)
• ⚠️ Still need IDA Pro for deep C++ analysis (Binary Ninja's C++ support is weaker)

Verdict: ✅ RECOMMENDED (best balance of cost and efficiency)

---

Scenario 4: Commercial Binary Ninja + IDA Pro (Both Tools)

Cost: $598/year (Binary Ninja only; IDA Pro already owned)

Coverage: 100% (best of both worlds)

Workflow:

1. Phase 1 (Reconnaissance): Binary Ninja (speed)

   • Batch process 197 binaries (6.6 hours)
   • Identify interesting functions automatically
   • Export function lists to JSON

2. Phase 2 (Deep Analysis): IDA Pro (quality)

   • Focus on critical functions only (identified in Phase 1)
   • Use Hex-Rays for complex C++ decompilation
   • Analyze vtables, templates, RTTI

3. Phase 3 (Documentation): Combined

   • Binary Ninja: Generate control flow graphs
   • IDA Pro: Create detailed annotations
   • Export to WolfGuard documentation

Time Estimate:

• Phase 1: 11.6 hours (Binary Ninja)
• Phase 2: 20 hours (IDA Pro on critical functions only)
• Phase 3: 5 hours (documentation)
• Total: 36.6 hours (4.6 days)

Comparison:

• Scenario 2 (IDA Pro only): 19.7 hours + manual review 40 hours = 60 hours
• Scenario 4 (Both tools): 36.6 hours
• Savings: 23.4 hours (3 days)

ROI:

• Time saved: 23.4 hours × $100/hour = $2,340
• Cost: $598/year
• ROI: $2,340 / $598 = 3.9x (290% return)

Verdict: ✅ BEST OPTION (highest efficiency, comprehensive analysis)

---

Scenario 5: Ghidra + Free Binary Ninja ($0)

Cost: $0 (both free)

Coverage: 100%

Time Estimate:

• Ghidra batch processing: 10 minutes per binary × 197 = 32.8 hours (4.1 days)
• Binary Ninja manual validation: 10 hours
• Total: 42.8 hours (5.4 days)

Pros:

• ✅ Free
• ✅ Full ARM64 support (Ghidra)
• ✅ Good decompiler (Ghidra is solid)

Cons:

• ⚠️ Ghidra is slower than Binary Ninja (3-4x)
• ⚠️ Ghidra UI is clunkier
• ⚠️ Binary Ninja Free adds limited value (manual only, x86_64 only)

Verdict: ✅ VIABLE (budget-constrained option)

---

6.2 ROI Summary Table

Scenario	Cost	Time	Engineers	ROI (per cycle)	ROI (5 releases/yr)
1. Free BN Only	$0	48.5h	1	❌ Incomplete	❌ Incomplete
2. IDA Pro + Free BN	$0	19.7h	1	✅ Baseline	✅ Baseline
3. Commercial BN	$598/yr	11.6h	2	1.35x	6.8x
4. Commercial BN + IDA	$598/yr	36.6h	2	3.9x	19.5x
5. Ghidra + Free BN	$0	42.8h	1	✅ Viable	✅ Viable

Recommendation: Scenario 4 (Commercial BN + IDA Pro) offers highest ROI at 19.5x

---

7. Decision Matrix

7.1 Can We Use Free Version?

Requirement	Free Support	Impact if Missing	Severity
x86_64 binaries (97)	✅ YES	N/A - supported	✅ OK
ARM64 binaries (91)	❌ NO (ARMv7 only)	Cannot analyze 46% of dataset	🔴 CRITICAL
Automation (197 binaries)	❌ NO (no API)	2-3 weeks manual work vs. 1 day automated	🔴 CRITICAL
Commercial use rights	❌ NO	License violation if work project	🔴 CRITICAL
C/C++ decompilation	✅ YES (HLIL, Pseudo C)	Good enough for most analysis	✅ OK
Batch processing	❌ NO (no scripting)	Critical for efficiency	🔴 CRITICAL
MLIL/LLIL	❌ NO	Harder to automate pattern matching	🟡 MEDIUM
SCC analysis	❌ NO	Less sophisticated control flow	🟢 LOW
Objective-C support	❌ NO	Not needed (no Objective-C in Cisco binaries)	🟢 LOW

---

7.2 Verdict

Binary Ninja Free Version: ❌ NOT SUFFICIENT

Reasons:

1. 🔴 ARM64 Not Supported: Cannot analyze 91 binaries (46% of dataset)

   • Critical binaries blocked: vpnagentd, libvpnapi.so, libacciscossl.so (ARM64)
   • Cisco ships identical functionality on both architectures
   • Incomplete analysis is unacceptable

2. 🔴 No API/Automation: 197 binaries require scripting

   • Manual analysis: 2-3 weeks
   • Automated analysis (with API): 1-2 days
   • Free version makes batch processing impossible

3. 🔴 Commercial Use Restriction: WolfGuard is likely a work project

   • If developed during work hours: Violates Free license terms
   • Legal risk not worth the $299 savings

Conclusion: Free version creates more problems than it solves

---

8. Recommendations

8.1 Recommended Solution

Option 1: Commercial Binary Ninja + IDA Pro (RECOMMENDED)

Cost: $299/year per user (2 users = $598/year)

Benefits:

• ✅ 100% coverage (all 197 binaries)
• ✅ Full automation (Python API)
• ✅ ARM64 support unlocked
• ✅ Legal compliance (commercial license)
• ✅ 19.5x ROI over multiple analysis cycles

Justification:

• $598/year is negligible for professional reverse engineering work
• Time savings: 20-30 hours per analysis cycle
• Better workflow: Binary Ninja (speed) + IDA Pro (quality)
• Modern tooling: Invest in efficiency

Purchase Link: https://binary.ninja/purchase/ (Commercial tier)

---

8.2 Alternative: IDA Pro Only (Budget Option)

Option 2: IDA Pro + Ghidra (if no budget)

Cost: $0 (both already available)

Workflow:

1. Use IDA Pro for critical x86_64 binaries (best C++ decompiler)
2. Use Ghidra for ARM64 binaries (free ARM64 support)
3. Skip Binary Ninja Free (too limited to be useful)

Time Estimate: 40-60 hours per analysis cycle

Justification:

• No additional cost
• Full architecture coverage
• Acceptable if timeline is flexible

Verdict: ✅ VIABLE fallback if Binary Ninja purchase is blocked

---

8.3 What NOT to Do

❌ DO NOT use Binary Ninja Free for WolfGuard

Reasons:

1. Cannot analyze ARM64 (46% of binaries blocked)
2. Cannot automate (no API access)
3. License violation risk (commercial use restriction)
4. Wastes time trying to work around limitations

Better alternative: Use Ghidra (free, full featured) instead of Binary Ninja Free

---

8.4 Specific Commercial Features Needed

Must-Have Features (available in Commercial $299/year):

✅ ARM64/AArch64 Support

• Why: 91 Linux ARM64 binaries
• Benefit: Analyze critical vpnagentd, libvpnapi.so ARM64 versions
• Alternative: Ghidra (free), IDA Pro (already owned)

✅ Python API

• Why: Batch processing 197 binaries
• Benefit: Automate function extraction, crypto detection, export to JSON
• Use case:

  # Example: Extract all functions from all binaries
  for binary in glob.glob('/opt/binaries/**/*.so', recursive=True):
      bv = binaryninja.open(binary)
      functions = [f.name for f in bv.functions]
      # Export to WolfGuard documentation

• Alternative: IDAPython (IDA Pro), Ghidra Python

✅ Commercial Use Rights

• Why: WolfGuard is a work project (paid development)
• Benefit: Legal compliance, no license violation risk
• Alternative: Personal license ($149) if genuinely non-commercial

✅ MLIL/LLIL (Medium/Low-Level IL)

• Why: Better automation for pattern matching
• Benefit: Find all HMAC operations, trace data flow
• Priority: Medium (HLIL often sufficient, but MLIL is better)
• Alternative: IDA Pro microcode, Ghidra p-code

Nice-to-Have Features (NOT needed for WolfGuard):

❌ SCC Support (Enterprise $1,299/year only)

• Why: Advanced control flow analysis
• Verdict: Too expensive, not critical for protocol analysis

❌ Sidekick AI (Enterprise $1,299/year only)

• Why: AI-assisted reverse engineering
• Verdict: Nice but not essential (we have Claude Code)

---

8.5 Purchase Decision

If you can afford $299/year per engineer: ✅ BUY COMMERCIAL

Justification:

• ROI is 19.5x over a year (5 analysis cycles)
• Time savings: 20-30 hours per cycle
• Better tooling = better results
• Modern workflow with automation

If no budget available: ✅ USE IDA PRO + GHIDRA

Justification:

• $0 cost (both already available)
• Full architecture coverage
• Acceptable performance (slower but complete)
• Skip Binary Ninja Free (not worth the limitations)

---

9. Conclusion

9.1 Final Verdict

Binary Ninja Free (Non-Commercial): ❌ NOT SUFFICIENT for WolfGuard

Critical Gaps:

1. ARM64 not supported (46% of binaries blocked)
2. No API access (automation impossible)
3. Commercial use restriction (license violation risk)

Recommended Path: Commercial Binary Ninja ($299/year) + IDA Pro

ROI: 19.5x over a year (5 analysis cycles)

---

9.2 Action Items

Immediate:

• Decision: Determine if budget exists for Commercial Binary Ninja ($299/year per user)

If Budget Approved:

• Purchase: 2 Commercial licenses ($598/year total)
• Training: 2 senior engineers (1-2 weeks)
• Develop: Custom plugins for Cisco analysis (1 month)
• Integrate: Add to WolfGuard CI/CD pipeline

If No Budget:

• Fallback: Use IDA Pro (x86_64) + Ghidra (ARM64)
• Document: Ghidra workflow for ARM64 analysis
• Accept: Slower analysis speed (40-60 hours vs. 10-20 hours)

---

9.3 Summary Table

Aspect	Free Version	Commercial Version	Recommendation
Architecture Coverage	49% (x86_64 only)	100% (all architectures)	✅ Commercial
Automation	❌ None (no API)	✅ Full (Python API)	✅ Commercial
Cost	$0	$299/year	✅ Commercial (ROI 19.5x)
License Compliance	❌ Non-commercial only	✅ Work projects OK	✅ Commercial
Time per Cycle	48.5h (x86_64 only)	11.6h (all binaries)	✅ Commercial
ROI	N/A (incomplete)	19.5x (5 cycles/year)	✅ Commercial

Final Recommendation: ✅ Purchase Binary Ninja Commercial ($299/year per user)

---

References

Internal Documents

• Binary Ninja Assessment
• IDA Pro Setup Guide
• Binary Catalog

External Resources

• Binary Ninja Purchase: https://binary.ninja/purchase/
• Binary Ninja Free Limitations: https://binary.ninja/purchase/#non-commercial
• Binary Ninja Documentation: https://docs.binary.ninja/
• Binary Ninja API Reference: https://api.binary.ninja/

---

Document Status: Final Recommendation Maintained By: WolfGuard Technical Leadership Last Updated: 2025-10-30 Next Review: When new Binary Ninja version releases

---

END OF ANALYSIS