Reexamination Certificate
2006-09-15
2009-11-10
Bullock, Jr., Lewis A (Department: 2193)
Data processing: software development, installation, and managem
Software program development tool
Testing or debugging
C717S141000, C717S143000, C717S155000
active
07617489
ABSTRACT:
Methods and systems of detecting vulnerabilities in source code using inter-procedural analysis of source code. Vulnerabilities in a pre-existing source code listing are detected. The variables in the source code listing are modeled in the context of at least one of the inherent control flow and inherent data flow. The variable models are used to create models of arguments to routine calls in the source code listing. The source code listing is modeled with a call graph to represent routine call interactions expressed in the source code listing. The arguments to routine calls are modeled to account for inter-procedural effects and dependencies on the arguments as expressed in the source code listing.
REFERENCES:
patent: 5440723 (1995-08-01), Arnold et al.
patent: 6343376 (2002-01-01), Saxe et al.
patent: 6412071 (2002-06-01), Hollander et al.
patent: 7051322 (2006-05-01), Rioux
patent: 2003/0172293 (2003-09-01), Johnson et al.
patent: 2004/0255277 (2004-12-01), Berg
patent: 2004/0260940 (2004-12-01), Berg
patent: 2005/0010806 (2005-01-01), Berg
patent: 2005/0015752 (2005-01-01), Alpern et al.
patent: 2007/0083933 (2007-04-01), Venkatapathy et al.
Aho, et al., “Principles of Compiler Design,” Addison-Wesley Publishing Co., Mar. 1978.
Ashcraft, et al., “Using Programmer-Written Compiler Extensions to Catch Security Holes”, IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
Banâtre, et al., “Mechanical Proofs of Security Properties,” Institut de Recherche en Informatique et Systèmes Aléatoires, Centre National de la Recherche Scientifique (URA 227), Université de Rennes 1, INSA de Rennes, France, ISSN 1166-8687, Publication Interne No. 825, May 1994.
Bush, et al., “A Static Analyzer for Finding Dynamic Programming Errors”, Software—Practice and Experience, vol. 30, No. 7, 2000.
Chess, et al., “Improving Computer Security Using Extended Static Checking,” IEEE Symposium on Security and Privacy (May 2002).
Chess, et al., “Static Analysis for Security,” IEEE Computer Society, IEEE Security and Privacy, 1540-7993 (2004).
Detlefs, et al., “Extended Static Checking,” Technical Report 159, Compaq Systems Research Center (1998).
Dijkstra, E.W., “Guarded Commands, Nondeterminacy and Formal Derivation of Programs,” Communications of the ACM, vol. 18, No. 8, pp. 453-457 (Aug. 1975).
Frailey, D.J., “An Intermediate Language for Source and Target Independent Code Optimization,” ACM, 0-89791-002-8/79/0800-0188, pp. 188-200 (1979).
Gordon, et al., “Typing a Multi-Language Intermediate Code,” Technical Report MSR-TR-2000-106, Microsoft Research, Microsoft Corporation (Dec. 2000).
Kiriansky, et al., “Secure Execution Via Program Shepherding,” 11th USENIX Security Symposium (Security '02), San Francisco, CA (Aug. 2002).
Leino, et al., “Checking Java Programs via Guarded Commands,” Technical Report 1999-02, Compaq Systems Research Center (May 1999).
Macrakis, S., “From UNCOL to ANDF: Progress in Standard Intermediate Languages,” Open Software Foundation, macrakis@osf.org, pp. 1-18 (1993).
Pincus, J., “Steering the Pyramids—Tools, Technology, and Process in Engineering at Microsoft,” Microsoft Research (Oct. 5, 2002).
Schneider, F.B., “Enforceable Security Policies,” ACM Transactions on Information and System Security, vol. 3, No. 1, pp. 30-50 (Feb. 2000).
Shankar, et al., “Detecting Format String Vulnerabilities with Type Qualifiers,” Proceedings of the 10th USENIX Security Symposium, Washington, DC, Aug. 2001.
Sirer, et al., “An Access Control Language for Web Services,” SACMAT '02, Jun. 3-4, 2002, Monterey, CA, ACM 1-58113-496-7/02/0006, pp. 23-30 (2002).
Suzuki, et al., “Implementation of an Array Bound Checker,” Defense Advanced Research Projects Agency (Contract FF44620-73-C-0034), Air Force Office of Scientific Research (Contract DAHC-15-72-C-0308), University of Tokyo Computation Center, pp. 132-143, 1997.
“The Java Language Environment,” White Paper, Sun Microsystems, Inc. (1997).
Viega, et al., “ITS4: A Static Vulnerability Scanner for C and C++ Code,” Proceedings Of The Annual Computer Security Applications Conference (2000).
Wagner, et al., “A First Step Toward Automated Detection of Buffer Overrun Vulnerabilities,” Proceedings of the Network and Distributed System Security Symposium, University of California, Berkeley, Feb. 2000.
Zovi, D.D., “Security Applications of Dynamic Binary Translation,” Thesis, The University of New Mexico (2002).
Gottlieb Robert
Peyton John
Bullock, Jr. Lewis A
Ounce Labs, Inc.
Wilmer Cutler Pickering Hale and Dorr LLP
Yaary Michael