Method and system for detecting privilege escalation...

Information security – Monitoring or scanning of software or data including attack... – Vulnerability assessment

Reexamination Certificate

Rate now

  [ 0.00 ] – not rated yet Voters 0   Comments 0

Details

C726S022000, C726S023000, C726S024000, C717S106000, C717S122000

Reexamination Certificate

active

07418734

ABSTRACT:
A method and system of detecting vulnerabilities in source code. Source code is parsed into an intermediate representation. Models are derived for the code and the models are then analyzed in conjunction with pre-specified rules about the routines to determine if the routine call posses one or more of pre-selected vulnerabilities.

REFERENCES:
patent: 5440723 (1995-08-01), Arnold et al.
patent: 6412071 (2002-06-01), Hollander et al.
patent: 6654782 (2003-11-01), O'Brien et al.
patent: 6832302 (2004-12-01), Fetzer et al.
patent: 7073198 (2006-07-01), Flowers et al.
patent: 2003/0172293 (2003-09-01), Johnson et al.
patent: 2003/0182572 (2003-09-01), Cowan et al.
patent: 2004/0111713 (2004-06-01), Rioux
patent: 2004/0168078 (2004-08-01), Brodley et al.
patent: 2005/0015752 (2005-01-01), Alpern et al.
Chess, Improving Computer Security Using Extended Static Checking, Proceedings of the IEEE Symposium on Security and Privacy, May 2002.
Haugh and Bishop, Testing C Programs for Buffer Overflow Vulnerabilities, Proceedings of the 2003 Symposium on Networked and Distributed System Security (SNDSS 2003), Feb. 2003.
Larochelle and Evans, Statically Detecting Likely Buffer Overflow Vulnerabilities, Proceedings of the 2001 USENIX Security Symposium, Aug. 2001.
Shankar et al., Detecting Format String Vulnerabilities with Type Qualifiers, Proceedings of the 10th USENIX Security Symposium, Aug. 2001.
Viega et al., A Static Vulnerability Scanner for C and C++ Code, 16th Annual Computer Security applications Conference, 2000.
Wagner et al., A First Step Towards Automated Detection of Buffer Overrun, Vulnerabilities, Proceedings of the Network and Distributed System Security Symposium, Feb. 2000.
Aho, et al., “Principles of Compiler Design,” Addison-Wesley Publishing Co., Mar. 1978.
Ashcraft, et al., “Using Programmer-Written Compiler Extensions to Catch Security Holes”, IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
Banatre, et al., “Mechanical Proofs of Security Properties,” Institut de Recherche en Informatique et Systemes Aleatoires, Centre National de la Recherche Scientifique (URA 227) Universite de Rennes 1, Insa de Rennes, France, ISSN 1166-8687, Publication Interne No. 825, May 1994.
Bush, et al., “A Static Analyzer for Finding Dynamic Programming Errors”, Software—Practice and Experience, vol. 30, No. 7, 2000.
Chess, et al., “Improving Computer Security Using Extended Static Checking,” IEEE Symposium on Security and Privacy (May 2002).
Chess, et al., “Static Analysis for Security,” IEEE Computer Society, IEEE Security and Privacy, 1540-7993 (2004).
Detlefs, et al., “Extended Static Checking,” Technical Report 159, Compaq Systems Research Center (1998).
Dijkstra, E.W., “Guarded Commands, Nondeterminacy and Formal Derivation of Programs,” Communications of the ACM, vol. 18, No. 8, pp. 453-457 (Aug. 1975).
Frailey, D.J., “A-n Intermediate Language for Source and Target Independent Code Optimization,” ACM, 0-89791-002-8/79/0800-0188, pp. 188-200 (1979).
Gordon, et al., “Typing a Multi-Language Intermediate Code,” Technical Report MSR-TR-2000-106, Microsoft Research, Microsoft Corporation (Dec. 2000).
Kiriansky, et al., “Secure Execution Via Program Shepherding,” 11th USENIX Security Symposium (Security '02), San Francisco, CA (Aug. 2002).
Leino, et al., “Checking Java Program via Guarded Commands,” Technical Report Feb. 1999, Compaq Systems Research Center (May 1999).
Macrakis, S., “From UNCOL to ANDF: Progress in Standard Intermediate Languages,” Open Software Foundation, macrakis@osf.org, pp. 1-18 (1993).
Pincus, J., “Steering the Pyramids—Tools, Technology, and Process in Engineering at Microsoft,” Microsoft Research (Oct. 5, 2002).
Schneider, F.B., “Enforceable Security Policies,” ACM Transactions on Information and System Security, vol. 3, No. 1, pp. 30-50 (Feb. 2000).
Shankar, et al., “Detecting Format String Vulnerabilities with Type Qualifiers,” Proceedings of the 10th USENIX Security Symposium, Washington, DC, Aug. 2001.
Sirer, et al., “An Access Control Language for Web Services,” SACMAT '02, Jun. 3-4, 2002, Monterey, CA, ACM 1-58113-496-7/02/0006, pp. 23-30 (2002).
Suzuki8, et al., “Implementation of an Array Bound Checker,” Defense Advanced Research Projects Agency (Contract FF44620-73-C-0034), Air Force Office of Scientific Research (Contract DAHC-15-72-C-0308), University of Tokyo Computation Center, pp. 132-143, 1997.
“The Java Language Environment,” White Paper, Sun microsystems, Inc. (1997).
Viega, et al., “ITS4: A Static Vulnerability Scanner For C and C++ Code,” Proceedings Of The Annual Computer Security Applications Conference (2000).
Wagner, et al., “A First Step Toward Automated Detection of Buffer Overrun Vulnerabilities,” Proceedings of the Network and Distributed System Security Symposium, University of California, Berkeley, Feb. 2000.
Zovi, D.D., “Security Applications of Dynamic Binary Translation, Thesis,” The University of New Mexico (2002).

LandOfFree

Say what you really think

Search LandOfFree.com for the USA inventors and patents. Rate them and share your experience with other people.

Rating

Method and system for detecting privilege escalation... does not yet have a rating. At this time, there are no reviews or comments for this patent.

If you have personal experience with Method and system for detecting privilege escalation..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for detecting privilege escalation... will most certainly appreciate the feedback.

Rate now

     

Profile ID: LFUS-PAI-O-4019222

  Search
All data on this website is collected from public sources. Our data reflects the most accurate information available at the time of publication.