Runtime analysis of software security vulnerabilities

US 10,140,456 B2
Filed: 06/08/2016
Issued: 11/27/2018
Est. Priority Date: 06/08/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising a program stored on a non-transitory computer-readable medium containing an executable set of instructions for detecting a vulnerability in a software application in a database system, the set of instructions operable to:

store defined vulnerabilities that identify operations in the software application vulnerable to the security risk and are each associated with one or more input tags and one or more sanitization tags;

receive by the software application in the database system a request from a user system;

at runtime of the application, assign one or more of the input tags to one or more objects associated with the request, wherein the input tags identify the request as potentially malicious and carrying a security risk;

at runtime of the application, assign one or more of the sanitization tags to the one or more objects associated with the request to indicate security checks performed on the objects;

at runtime of the application, compare the input tags assigned to the objects with any of the sanitization tags assigned to the objects; and

at runtime of the application, identify at least one of the defined vulnerabilities as a vulnerability in a part of the software application when the assigned input tag for an identified one of the objects matches the input tag associated with an identified one of the defined vulnerabilities, and one or more of the sanitization tags associated with the identified one of the defined vulnerabilities is not an assigned sanitization tag for the identified one of the objects; and

generating a report identifying the vulnerability in a part of the software application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

During runtime of the software application, the runtime analysis framework may assign input tags to objects associated with the user requests. The input tags may identify the requests as potentially malicious and carry a security risk. The RTA framework then may assign sanitization tags to the objects identifying security checks performed on the objects during runtime. The RTA framework identifies output responses to the user requests that include the objects and compares the input tags assigned to the objects with any sanitization tags assigned to the objects. The RTA framework may identify the software application as susceptible to a security vulnerability when the input tags for the objects do not include corresponding sanitization tags.

203 Citations

17 Claims

1. A computer program product comprising a program stored on a non-transitory computer-readable medium containing an executable set of instructions for detecting a vulnerability in a software application in a database system, the set of instructions operable to:
- store defined vulnerabilities that identify operations in the software application vulnerable to the security risk and are each associated with one or more input tags and one or more sanitization tags;
  
  receive by the software application in the database system a request from a user system;
  
  at runtime of the application, assign one or more of the input tags to one or more objects associated with the request, wherein the input tags identify the request as potentially malicious and carrying a security risk;
  
  at runtime of the application, assign one or more of the sanitization tags to the one or more objects associated with the request to indicate security checks performed on the objects;
  
  at runtime of the application, compare the input tags assigned to the objects with any of the sanitization tags assigned to the objects; and
  
  at runtime of the application, identify at least one of the defined vulnerabilities as a vulnerability in a part of the software application when the assigned input tag for an identified one of the objects matches the input tag associated with an identified one of the defined vulnerabilities, and one or more of the sanitization tags associated with the identified one of the defined vulnerabilities is not an assigned sanitization tag for the identified one of the objects; and
  
  generating a report identifying the vulnerability in a part of the software application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, further comprising instructions operable to assign an output tag to an output method generating a response to the request, wherein the output tag triggers the comparison of the input tags with any of the sanitization tags.
  - 3. The computer program product of claim 2, wherein the output method writes data associated with the objects to a web page, database, or file.
  - 4. The computer program product of claim 2, wherein the output method generates a hypertext transfer protocol (HTTP) response to the request.
  - 5. The computer program product of claim 1, further comprising instructions operable to generate a report identifying a method and a location in the software application identified as vulnerable to the security risk.
  - 6. The computer program product of claim 1, further comprising instructions operable to assign the input tags to the objects based on types of input methods receiving the request.
  - 7. The computer program product of claim 1, further comprising instructions operable to:
    - assign different types of sanitization tags to the objects based on different types of security checks performed on the objects; and
      
      identify the software application as vulnerable to the security risk based on a comparison of the input tags with the different types of sanitization tags assigned to the objects.
  - 8. The computer program product of claim 1, further comprising instructions operable to generate rules in bytecode of the software application, wherein the rules assign the input tags and assign the sanitization tags.

9. A system for detecting vulnerabilities in a software application operating in a database system, comprising:
- a processor; and
  
  memory storing one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  storing defined vulnerabilities that identify operations in the software application vulnerable to the security risk and are each associated with one or more input tags and one or more sanitization tags;
  
  assigning the one or more of the input tags to objects returned by input methods in the software application, wherein the input tags identify the objects as potentially malicious and security risks;
  
  assigning the one or more of the sanitization tags to the one or more objects associated with the request, wherein the sanitization tags identify security checks performed on the objects;
  
  comparing the input tags assigned to the objects with the sanitization tags assigned to the objects;
  
  identifying at least one of the defined vulnerabilities as a vulnerability in a part of the software application when the assigned input tag for an identified one of the objects matches the input tag associated with an identified one of the defined vulnerabilities, and one or more of the sanitization tags associated with the identified one of the defined vulnerabilities is not an assigned sanitization tag for the identified one of the objects; and
  
  generating a report identifying the vulnerability in a part of the software application.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the instructions further cause the processor to carry out the steps of assigning the input tags, assigning the sanitization tags, comparing the input tags with the sanitization tags, and identifying the vulnerability in a part of the software application during runtime of the software application.
  - 11. The system of claim 9, wherein the instructions further cause the processor to carry out the steps of assigning an output tag to an output method in the software application, wherein the output tag identifies the output method as a part of the software application potentially vulnerable to the security risk.
  - 12. The system of claim 11, wherein the instructions further cause the processor to carry out the steps of:
    - storing the defined vulnerabilities an associated one or more output tags; and
      
      identifying the vulnerability in the software application when the output tag associated with the defined vulnerability matches the assigned output tag for one of the objects, the input tag associated with the defined vulnerability matches the assigned input tag for a same one of the objects, and one or more of the sanitization tags associated with the defined vulnerability is not an assigned sanitization tag for the same one of the objects.
  - 13. The system of claim 11, wherein the output method writes data associated with the objects to a web page, database, or file.
  - 14. The system of claim 9, wherein the instructions further cause the processor to carry out the steps of adding bytecode to the software application, wherein the bytecode assigns the input tags, assigns the sanitization tags, compares the input tags with the sanitization tags, and identifies the vulnerability in a part of the software application.

15. A method for detecting a vulnerability in a software application in a database system, comprising:
- storing a defined vulnerability including an associated input event, at least one security event, and an output event;
  
  receiving by the software application in the database system a request from a user system;
  
  executing an input rule in the software application that identifies an input event for at least one object associated with the request;
  
  executing a sanitization rule in the software application that identifies a security event for a security operation performed on the object;
  
  executing an output rule in the software application that identifies an output event generating a response to the request;
  
  executing a vulnerability rule in the software application that identifies a vulnerability in a part of the software application based on a comparison of the input event associated with the defined vulnerability with the identified input event, a comparison of the security events associated with the defined vulnerability with the identified security event, and a comparison of the output event associated with the defined vulnerability with the identified output event; and
  
  generating a report identifying the vulnerability in a part of the software application.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising inserting bytecode into the software application that executes the input rule, the sanitization rule, and the vulnerability rule.
  - 17. The method of claim 15, wherein the input rule identifies the input event for an input method and the output rule identifies the output event for an output method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gorbaty, Sergey, Safford, Travis, Wang, Xiaoran, Gluck, Yoel
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Corum, Jr., William A

Application Number

US15/176,963
Publication Number

US 20170357810A1
Time in Patent Office

902 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Runtime analysis of software security vulnerabilities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

203 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Runtime analysis of software security vulnerabilities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links