Data processing: software development, installation, and management – Software program development tool – Testing or debugging
Reexamination Certificate
2007-07-03
Kiss, Eric B. (Department: 2192)
C717S125000, C726S025000
active
10825007
ABSTRACT:
A method and system of detecting vulnerabilities in source code. Source code is parsed into an intermediate representation. Models (e.g., in the form of lattices) are derived for the variables in the code and for the variables and/or expressions used in conjunction with routine calls. The models are then analyzed in conjunction with pre-specified rules about the routines to determine if the routine call possesses one or more of the pre-selected vulnerabilities.
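The abstract describes three pieces that work together: an intermediate representation of the program, lattice-valued models for variables and call arguments, and rules about routines that are checked against those models at each call. The following toy checker is an added illustration of that structure and is not the patent's or Ounce Labs' implementation; it assumes a hypothetical tuple-based IR, models string lengths as an interval lattice (whose join handles control-flow merges), and carries rules for only two C routines, `strcpy` and `gets`. The sample program at the bottom is constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Lattice element: the range [lo, hi] of lengths a string value may have."""
    lo: float
    hi: float

    def join(self, other: "Interval") -> "Interval":
        """Least upper bound, used where two control-flow paths merge."""
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))


UNKNOWN = Interval(0, math.inf)   # top of the lattice: nothing is known about the length


def eval_expr(expr, env):
    """Map an expression of the toy IR to a lattice value (its model)."""
    kind = expr[0]
    if kind == "lit":                 # string literal: length is known exactly
        n = len(expr[1])
        return Interval(n, n)
    if kind == "var":                 # variable: its current model, or top if never modelled
        return env.get(expr[1], UNKNOWN)
    if kind == "input":               # externally supplied data: length is unbounded
        return UNKNOWN
    raise ValueError(f"unknown expression kind {kind!r}")


# Rules about routines (hypothetical). Each rule sees the call's argument models
# and the declared sizes of fixed buffers and returns a finding string, or None.
def rule_strcpy(args, env, sizes):
    dst, src = args
    cap = sizes.get(dst[1]) if dst[0] == "var" else None
    if cap is None:                   # destination is not a fixed-size buffer we know about
        return None
    src_len = eval_expr(src, env)
    if src_len.hi + 1 > cap:          # +1 for the NUL terminator strcpy writes
        return f"strcpy into {dst[1]}[{cap}] may write {src_len.hi + 1:g} bytes"
    return None


def rule_gets(args, env, sizes):
    dst = args[0]
    return f"gets into {dst[1]} never bounds its write"


RULES = {"strcpy": rule_strcpy, "gets": rule_gets}


def analyze(program):
    """Walk the IR once, maintaining models, and apply routine rules at each call."""
    env = {}      # variable name -> Interval model of its string length
    sizes = {}    # buffer name -> declared capacity in bytes
    findings = []
    for idx, stmt in enumerate(program):
        op = stmt[0]
        if op == "decl":              # char name[size]
            sizes[stmt[1]] = stmt[2]
        elif op == "assign":          # name = expr
            env[stmt[1]] = eval_expr(stmt[2], env)
        elif op == "merge":           # name = cond ? expr_a : expr_b  (join of both paths)
            env[stmt[1]] = eval_expr(stmt[2], env).join(eval_expr(stmt[3], env))
        elif op == "call":            # routine(args...)
            rule = RULES.get(stmt[1])
            finding = rule(stmt[2], env, sizes) if rule else None
            if finding:
                findings.append((idx, finding))
    return findings


# Constructed sample program in the toy IR (not taken from the patent).
PROGRAM = [
    ("decl", "buf", 16),
    ("decl", "big", 64),
    ("assign", "greeting", ("lit", "hello")),
    ("assign", "name", ("input",)),
    ("merge", "msg", ("lit", "yes"), ("lit", "no")),
    ("call", "strcpy", [("var", "buf"), ("var", "greeting")]),   # 6 bytes into 16: fine
    ("call", "strcpy", [("var", "buf"), ("var", "name")]),       # unbounded into 16: flagged
    ("call", "strcpy", [("var", "big"), ("var", "msg")]),        # at most 4 bytes into 64: fine
    ("call", "gets", [("var", "buf")]),                          # flagged by the gets rule
]

if __name__ == "__main__":
    for idx, msg in analyze(PROGRAM):
        print(f"statement {idx}: {msg}")
```

The interval lattice is deliberately coarse: anything derived from input collapses to the top element, so the `strcpy` rule fires whenever the source's upper bound plus the terminator exceeds the destination's declared capacity, while the conditional assignment to `msg` shows how a join keeps the model sound without forcing it to top.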
REFERENCES:
patent: 6412071 (2002-06-01), Hollander et al.
patent: 6832302 (2004-12-01), Fetzer et al.
patent: 2003/0172293 (2003-09-01), Johnson et al.
patent: 2003/0182572 (2003-09-01), Cowan et al.
patent: 2004/0111713 (2004-06-01), Rioux
patent: 2004/0168078 (2004-08-01), Brodley et al.
Brian V. Chess, “Improving Computer Security Using Extended Static Checking”, Proceedings of the IEEE Symposium on Security and Privacy, May 2002 (14 pages).
Eric Haugh and Matt Bishop, “Testing C Programs for Buffer Overflow Vulnerabilities”, Proceedings of the 2003 Symposium on Networked and Distributed System Security (SNDSS 2003), Feb. 2003 (8 pages).
David Larochelle and David Evans, “Statically Detecting Likely Buffer Overflow Vulnerabilities”, Proceedings of the 2001 USENIX Security Symposium, Aug. 2001 (13 pages).
Umesh Shankar et al., “Detecting Format String Vulnerabilities with Type Qualifiers”, Proceedings of the 10th USENIX Security Symposium, Aug. 2001 (16 pages).
John Viega et al., “ITS4: A Static Vulnerability Scanner for C and C++ Code”, 16th Annual Computer Security Applications Conference, 2000 (11 pages).
David Wagner et al., “A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities”, Proceedings of the Network and Distributed System Security Symposium, Feb. 2000 (15 pages).
David Evans and David Larochelle, “Improving Security Using Extensible Lightweight Static Analysis”, IEEE Software, vol. 19, issue 1, Jan.-Feb. 2002, pp. 42-51.
“Splint Manual”, Version 3.0.6, Feb. 11, 2002, University of Virginia, pp. 1-119.
Ashcraft et al., “Using Programmer-Written Compiler Extensions to Catch Security Holes”, IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
Bush et al., “A Static Analyzer for Finding Dynamic Programming Errors”, Software—Practice and Experience, vol. 30, No. 7, 2000.
Dor et al., “Cleanness Checking of String Manipulations in C Programs via Integer Analysis”, 8th International Symposium on Static Analysis (SAS), pp. 194-212, Jul. 2001.
Dor et al., “CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C”, PLDI '03, Jun. 9-11, 2003, San Diego, California.
Foster et al., “A Theory of Type Qualifiers”, Programming Language Design and Implementation (PLDI '99), pp. 192-203, Atlanta, GA, May 1999.
Ganapathy et al., “Buffer Overrun Detection Using Linear Programming and Static Analysis”, CCS '03, Oct. 27-30, 2003, Washington, DC.
Larus et al., “Righting Software”, IEEE Software, May/Jun. 2004, pp. 92-100.
Lhee et al., “Type-Assisted Dynamic Buffer Overflow Detection”, 11th USENIX Security Symposium, pp. 81-88, Aug. 2002.
Simon et al., “Analyzing String Buffers in C”, International Conference on Algebraic Methodology and Software Technology, vol. 2422 of Lecture Notes in Computer Science (H. Kirchner and C. Ringeissen, Eds.), Springer, pp. 365-379, Sep. 2002.
Rugina et al., “Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions”, ACM Transactions on Programming Languages and Systems, vol. 27, No. 2, pp. 185-234, 2005.
Xie et al., “Archer: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors”, ESEC/FSE '03, Sep. 1-5, 2003, Helsinki, Finland.
Xu et al., “An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs”, SIGSOFT '04/FSE-12, Oct. 31-Nov. 6, 2004, Newport Beach, CA.
Berg Ryan James
Danahy John J.
Gottlieb Robert
Peyton John
Rehbein Chris
Kiss Eric B.
Ounce Labs, Inc.
Wilmer Cutler Pickering Hale and Dorr LLP
TITLE: Method and system for detecting vulnerabilities in source code