Method and system for detecting vulnerabilities in source code

Data processing: software development – installation – and managem – Software program development tool – Testing or debugging

Reexamination Certificate

Rate now

  [ 0.00 ] – not rated yet Voters 0   Comments 0

Details

C717S125000, C726S025000

Reexamination Certificate

active

07398517

ABSTRACT:
A method and system of detecting vulnerabilities in source code. Source code is parsed into an intermediate representation. Models (e.g., in the form of lattices) are derived for the variables in the code and for the variables and/or expressions used in conjunction with routine calls. The models are then analyzed in conjunction with pre-specified rules about the routines to determine if the routine call posses one or more of pre-selected vulnerabilities.

REFERENCES:
patent: 5440723 (1995-08-01), Arnold et al.
patent: 6343371 (2002-01-01), Flanagan et al.
patent: 6412071 (2002-06-01), Hollander et al.
patent: 6827009 (2004-12-01), Koivukunnas et al.
patent: 6973417 (2005-12-01), Maxwell, III et al.
patent: 7051322 (2006-05-01), Rioux
patent: 2003/0172293 (2003-09-01), Johnson et al.
patent: 2003/0182572 (2003-09-01), Cowan et al.
patent: 2004/0111713 (2004-06-01), Rioux
patent: 2004/0168078 (2004-08-01), Brodley et al.
patent: 2005/0015752 (2005-01-01), Alpern et al.
Aho, et al., “Principles of Compiler Design,” Addison-Wesley Publishing Co., Mar. 1978.
Ashcraft, et al., “Using Programmer-Written Compiler Extensions to Catch Security Holes”, IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
Banatre, et al., “Mechanical Proofs of Security Properties,” Institut de Recherche en Informatique et Systemes Aleatories, Centre National de la Recherche Scientifique (URA 227) Universite de Rennes 1, Insa de Rennes, France, ISSN 1166-8687, Publication Interne No. 825, May 1994.
Bishop and Dilger, “Checking for Race Conditions in File Accesses,” Computing Systems 9(2), pp. 131-152 (manuscript version: 20 pages) (1996).
Bush, et al., “A Static Analyzer for Finding Dynamic Programming Errors”, Software—Practice and Experience, vol. 30, No. 7, 2000.
Chess, et al., “Improving Computer Security Using Extended Static Checking,” IEEE Symposium on Security and Privacy (May 2002).
Chess, et al., “Static Analysis for Security,” IEEE Computer Society, IEEE Security and Privacy, 1540-7993 (2004).
Choi, et al., “Static Datarace Analysis for Multithreaded Object-Oriented Programs,” IBM, RC22146 (WO108-016), pp. 1-18 (Aug. 9, 2001).
Detlefs, et al., “Extended Static Checking,” Technical Report 159, Compaq Systems Research Center (1998).
Dijkstra, E.W., “Guarded Commands, Nondeterminacy and Formal Derivation of Programs,” Communications of the ACM, vol. 18, No. 8, pp. 453-457 (Aug. 1975).
Dor, et al., “CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C”, PLDI ′03, San Diego, California, Jun. 9-11, 2003.
Dor, et al., “Cleanness Checking of String Manipulations in C Programs via Integer Analysis”, 8th International Symposium on Static Analysis (SAS), pp. 194-212, Jul. 2001.
Evans and Larochelle, “Improving Security Using Extensible Lightweight Static Analysis,” IEEE Software, vol. 19, Issue 1, pp. 42-51, Jan.-Feb. 2002.
Foster, et al., “A Theory of Type Qualifiers”, Programming Language Design and Implementation (PLDI'99), pp. 192-203, Atlanta, GA, May 1999.
Frailey, D.J., “An Intermediate Language for Source and Target Independent Code Optimization,” ACM, 0-89791-002-8/79/0800-0188, pp. 188-200 (1979).
Ganapathy, et al., “Buffer Overrun Detection Using Linear Programming and Static Analysis”, CCS '03, Washington, DC, Oct. 27-30, 2003.
Gordon, et al., “Typing a Multi-Language Intermediate Code,” Technical Report MSR-TR-2000-106, Microsoft Research, Microsoft Corporation (Dec. 2000).
Haugh, et al., “Testing C Programs for Buffer Overflow Vulnerabilities”, Proceedings of the 2003 Symposium on Networked and Distributed System Security (SNDSS 2003), Feb. 2003.
Kiriansky, et al., “Secure Execution Via Program Shepherding,” 11th USENIX Security Symposium (Security '02), San Francisco, CA (Aug. 2002).
Larochelle and Evans, Statically Detecting Likely Buffer Overflow Vulnerabilities, Proceedings of the 2001 USENIX Security Symposium, Aug. 2001.
Larus, et al., “Righting Software”, , pp. 92-100, May/Jun. 2004.
Leino, et al., “Checking Java Program via Guarded Commands,” Technical Report 1999-02, Compaq Systems Research Center (May 1999).
Lhee, et al., “Type-Assisted Dynamic Buffer Overflow Detection”, 11th USENIX Security Symposium, pp. 81-88, Aug. 2002.
Macrakis, S., “From UNCOL to ANDF: Progress in Standard Intermediate Languages,” Open Software Foundation, macrakis@osf.org, pp. 1-18 (1993).
Pincus, J., “Steering the Pyramids—Tools, Technology, and Process in Engineering at Microsoft,” Microsoft Research (Oct. 5, 2002).
Rugina, et al., “Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions”, ACM Transactions of Programming Languages and Systems, vol. 27, No. 2, pp. 185-234, 2005.
Schneider, F.B., “Enforcable Security Policies,” ACM Transactions on Information and System Security, vol. 3, No. 1, pp. 30-50 (Feb. 2000).
Shankar, et al., “Detecting Format String Vulnerabilities with Type Qualifiers”, Proceedings of the 10th USENIX Security Symposium, Washington, DC, Aug. 2001.
Simon, et al., “Analyzing String Buffers in C”, International Conference on Algebraic Methodology and Software Technology (H. Krichner and C. Ringeissen, Eds.), vol. 2422 of Lecture Notes in Computer Science (Springer), pp. 365-379, Sep. 2002.
Sirer, et al., “An Access Control Language for Web Services,” SACMAT '02, Jun.3-4, 2002, Monterey, CA, ACM 1-58113-496-7/02/0006, pp. 23-30 (2002).
“Splint Manual,” Version 3.0.6, University of Virginia, pp. 1-119, Feb. 11, 2002.
Suzuki, et al., “Implementation of An Array Bound Checker,” Defense Advanced Research.
Projects Agency (Contract FF44620-73-C-0034), Air Force Office of Scientific Research (Contract DAHC-15-72-C-0308), University of Toyko Computation Center, pp. 132-143, 1997.
“The Java Language Environment,” White Paper, Sun Microsystems, Inc. (1997).
Viega, et al., “ITS4: A Static Vulnerability Scanner For C and C++ Code,” Proceedings Of The Annual Computer Security Applications Conference (2000).
Wagner, et al., “A First Step Toward Automated Detection of Buffer Overrun Vulnerabilities,” Proceedings of the Network Distributed System Security Symposium, University of California, Berkeley, Feb. 2000.
Xie, et al., “Archer: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors”, ESEC/FSE '03, Helsinki, Finland, Sep. 1-5, 2003.
Xu, et al., “An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs”, SIGSOFT '04/FSE-12, Newport Beach , CA, Oct. 31-Nov. 6, 2004.
Zovi, D.D., “Security Applications of Dynamic Binary Translation, Thesis,” The University of New Mexico (2002).

LandOfFree

Say what you really think

Search LandOfFree.com for the USA inventors and patents. Rate them and share your experience with other people.

Rating

Method and system for detecting vulnerabilities in source code does not yet have a rating. At this time, there are no reviews or comments for this patent.

If you have personal experience with Method and system for detecting vulnerabilities in source code, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for detecting vulnerabilities in source code will most certainly appreciate the feedback.

Rate now

     

Profile ID: LFUS-PAI-O-3965762

  Search
All data on this website is collected from public sources. Our data reflects the most accurate information available at the time of publication.