Method and system for detecting vulnerabilities in source code

Data processing: software development, installation, and management – Software program development tool – Testing or debugging

Reexamination Certificate


Details

C717S125000, C726S025000

active

10825007

ABSTRACT:
A method and system for detecting vulnerabilities in source code. Source code is parsed into an intermediate representation. Models (e.g., in the form of lattices) are derived for the variables in the code and for the variables and/or expressions used in conjunction with routine calls. The models are then analyzed in conjunction with pre-specified rules about the routines to determine whether the routine call possesses one or more pre-selected vulnerabilities.
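As an added illustration (not the patent's own code, and not a reproduction of its claimed method): a miniature Python checker in the style the abstract describes, where each variable's model is an interval of the lengths or sizes it may take, a join operator merges models where control-flow paths meet, and a table of pre-specified rules for strcpy, strncpy and gets is consulted at each call. The IR statement forms, the rule table and the sample program are assumptions made for this example.

```python
# Added illustration, not the patent's own code: a miniature checker in the style the
# abstract describes. The IR forms, routine rules and sample program are my assumptions.
import math
INF = math.inf  # a model is an interval (lo, hi) of the values a length or size may take

def join(a, b):
    """Least upper bound of two intervals, applied where control-flow paths merge."""
    return (min(a[0], b[0]), max(a[1], b[1]))

def strcpy_rule(dst, src):
    """Safe only if the longest possible source plus its NUL fits the smallest buffer."""
    return (None if src["len"][1] + 1 <= dst["size"][0] else
            f"strcpy: source up to {src['len'][1]} chars into {dst['size'][0]}-byte buffer")

def strncpy_rule(dst, src, n):
    """Safe only if the copy bound never exceeds the smallest possible buffer."""
    return (None if n[1] <= dst["size"][0] else
            f"strncpy: bound up to {n[1]} exceeds {dst['size'][0]}-byte buffer")

# Pre-specified rules about routines: rule(*argument models) -> finding text or None.
RULES = {"strcpy": strcpy_rule, "strncpy": strncpy_rule,
         "gets": lambda dst: "gets: unbounded read into fixed buffer"}

def analyze(ir):
    """Derive a model per variable, then check each modelled call. IR forms: ("buf", n, size),
    ("lit", n, text), ("input", n, maxlen|None), ("phi", n, a, b) merge, ("call", r, [args])."""
    models, findings = {}, []
    for stmt in ir:
        kind, name = stmt[0], stmt[1]
        if kind == "buf":
            models[name] = {"size": (stmt[2], stmt[2])}
        elif kind == "lit":
            models[name] = {"len": (len(stmt[2]), len(stmt[2]))}
        elif kind == "input":  # external data: any length up to the declared bound
            models[name] = {"len": (0, INF if stmt[2] is None else stmt[2])}
        elif kind == "phi":
            models[name] = {"len": join(models[stmt[2]]["len"], models[stmt[3]]["len"])}
        elif kind == "call":  # integer arguments become the point interval (n, n)
            args = [models[a] if isinstance(a, str) else (a, a) for a in stmt[2]]
            finding = RULES[name](*args)
            if finding:
                findings.append(finding)
    return findings
# Constructed sample: one merge that stays in bounds, a bad bound, an unbounded copy.
SAMPLE_IR = [("buf", "name", 16), ("lit", "greeting", "hello"), ("input", "short", 8),
             ("input", "arg", None), ("phi", "either", "greeting", "short"),
             ("call", "strcpy", ["name", "either"]),    # at most 9 bytes into 16: safe
             ("call", "strncpy", ["name", "arg", 32]),  # bound 32 > 16: flagged
             ("call", "strcpy", ["name", "arg"]),       # unbounded source: flagged
             ("call", "gets", ["name"])]                # never bounded: flagged
```

Running `analyze(SAMPLE_IR)` reports the last three calls and stays silent on the merged copy, because the join of the literal and the bounded input is still short enough for the 16-byte buffer.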

REFERENCES:
patent: 6412071 (2002-06-01), Hollander et al.
patent: 6832302 (2004-12-01), Fetzer et al.
patent: 2003/0172293 (2003-09-01), Johnson et al.
patent: 2003/0182572 (2003-09-01), Cowan et al.
patent: 2004/0111713 (2004-06-01), Rioux
patent: 2004/0168078 (2004-08-01), Brodley et al.
Brian V. Chess, “Improving Computer Security Using Extended Static Checking,” Proceedings of the IEEE Symposium on Security and Privacy, May 2002 (14 pages).
Eric Haugh and Matt Bishop, “Testing C Programs for Buffer Overflow Vulnerabilities,” Proceedings of the 2003 Symposium on Networked and Distributed System Security (SNDSS 2003), Feb. 2003 (8 pages).
David Larochelle and David Evans, “Statically Detecting Likely Buffer Overflow Vulnerabilities,” Proceedings of the 2001 USENIX Security Symposium, Aug. 2001 (13 pages).
Umesh Shankar et al., “Detecting Format String Vulnerabilities with Type Qualifiers,” Proceedings of the 10th USENIX Security Symposium, Aug. 2001 (16 pages).
John Viega et al., “ITS4: A Static Vulnerability Scanner for C and C++ Code,” 16th Annual Computer Security Applications Conference, 2000 (11 pages).
David Wagner et al., “A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities,” Proceedings of the Network and Distributed System Security Symposium, Feb. 2000 (15 pages).
David Evans and David Larochelle, “Improving Security Using Extensible Lightweight Static Analysis,” IEEE Software, vol. 19, issue 1, Jan.-Feb. 2002, pp. 42-51.
“Splint Manual,” Version 3.0.6, Feb. 11, 2002, University of Virginia, pp. 1-119.
Ashcraft et al., “Using Programmer-Written Compiler Extensions to Catch Security Holes,” IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
Bush et al., “A Static Analyzer for Finding Dynamic Programming Errors,” Software: Practice and Experience, vol. 30, no. 7, 2000.
Dor et al., “Cleanness Checking of String Manipulations in C Programs via Integer Analysis,” 8th International Symposium on Static Analysis (SAS), pp. 194-212, Jul. 2001.
Dor et al., “CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C,” PLDI '03, Jun. 9-11, 2003, San Diego, CA.
Foster et al., “A Theory of Type Qualifiers,” Programming Language Design and Implementation (PLDI '99), pp. 192-203, Atlanta, GA, May 1999.
Ganapathy et al., “Buffer Overrun Detection Using Linear Programming and Static Analysis,” CCS '03, Oct. 27-30, 2003, Washington, DC.
Larus et al., “Righting Software,” IEEE Software, May/Jun. 2004, pp. 92-100.
Lhee et al., “Type-Assisted Dynamic Buffer Overflow Detection,” 11th USENIX Security Symposium, pp. 81-88, Aug. 2002.
Simon et al., “Analyzing String Buffers in C,” International Conference on Algebraic Methodology and Software Technology, vol. 2422 of Lecture Notes in Computer Science (H. Kirchner and C. Ringeissen, eds.), Springer, pp. 365-379, Sep. 2002.
Rugina et al., “Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions,” ACM Transactions on Programming Languages and Systems, vol. 27, no. 2, pp. 185-234, 2005.
Xie et al., “Archer: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors,” ESEC/FSE '03, Sep. 1-5, 2003, Helsinki, Finland.
Xu et al., “An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs,” SIGSOFT '04/FSE-12, Oct. 31-Nov. 6, 2004, Newport Beach, CA.


Profile ID: LFUS-PAI-O-3782701
