Computer system vulnerability analysis apparatus and method

US 10,185,616 B1
Filed: 12/21/2017
Issued: 01/22/2019
Est. Priority Date: 06/06/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method of determining vulnerability of a computing system, the method comprising:

identifying a component, addressable in the computing system, and decoding first addresses directed thereto controlling at least one of control and configuration of the component;

selecting second addresses as a subset of the first addresses; and

for each selected second address, performing the following steps;

selecting, the each selected second address as a target address,accessing the target address,determining that the accessing the target address causes a system failure, andremoving access to the target address.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods to evaluate computing systems'"'"' vulnerability implement a series of steps wherein a system may be selected, and a specific component identified. Obtaining component information may include methods for accessing its configuration address space. Creation of a list of control or configuration addresses is followed by filtering to identify documented, reserved addresses, documented reserved test addresses, and undocumented addresses. A filtered subset is tested by accessing each address contained in the subset, and verifying continuity of operation of the tested component, then accesses by reading, writing, or both to subset addresses to classify as benign to component and system. Failure may constitute data damage, component damage, system damage, component failure, or system failure.

9 Citations

View as Search Results

19 Claims

1. A computerized method of determining vulnerability of a computing system, the method comprising:
- identifying a component, addressable in the computing system, and decoding first addresses directed thereto controlling at least one of control and configuration of the component;
  
  selecting second addresses as a subset of the first addresses; and
  
  for each selected second address, performing the following steps;
  
  selecting, the each selected second address as a target address,accessing the target address,determining that the accessing the target address causes a system failure, andremoving access to the target address.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein:
    - the second address is at least one of documented reserved addresses, documented reserved test addresses, and undocumented addresses; and
      
      the documenting consequences further comprises associating the target address with the system failure.
  - 3. The method of claim 1, wherein the system failure is associated exclusively with the target address.
  - 4. The method of claim 1, wherein the target address is one of a register address, a memory address, and an input/output address, and the component is one of a physical component, a virtual component, a simulated component, and an emulated component.
  - 5. The method of claim 1, wherein accessing the target address comprises at least one of is made by one of reading, writing, both in sequence, and both in reverse sequence.
  - 6. The method of claim 1, comprising programming into the processor a verification instruction executable to test operability of at least one of the computing system and the component.

7. An article comprising a computer readable, non-transitory medium storing data structures comprising executables programmed to execute on a hardware processor and operational data processable by the executables, the data structures comprising:
- first code executable to identify a component, addressable in a computing system and effective to decode first addresses directed thereto for at least one of controlling and configuring the component;
  
  second code executable to select second addresses as a subset of the first addresses; and
  
  third code executable to perform, for each of the second addresses, selecting the each second address as a target address, accessing the target address, determining that the accessing the target address causes a system failure, and removing access to the target address.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The article of claim 7, wherein the target address is one of documented reserved addresses, documented reserved test addresses, and undocumented addresses.
  - 9. The article of claim 8, wherein the target address exclusively corresponds with the system failure.
  - 10. The article of claim 7, wherein the target address is found in at least one of a configuration address space of the component, addresses corresponding to at least one of an internal memory, internal register, input/output port of the component, reserved address, reserved test address, and undocumented address.
  - 11. The article of claim 10, comprising first code programmed to access a configuration address space specific to the component, identify the component, detect that the access has caused a system failure, and remove the access.
  - 12. The article of claim 11, comprising second code programmed to select the target address, extract a component access methods corresponding to the component, and implement the access method directed to the target address.
  - 13. The article of claim 11, further comprising a hardware processor external to the component and operably connected to the computer readable, non-transitory medium and effective to load and execute the first code and second code.

14. A system comprising:
- a processor instantiated in hardware operably connected in a computing system;
  
  a component addressable in the computer system;
  
  a configuration address space corresponding to the component, referencing at least one of an internal register, internal memory, and IP port, of the component;
  
  a computer-readable, non-transitory, storage medium operably connected to the processor;
  
  a set of instructions, executable to access the configuration address space;
  
  the set further comprising component access methods specific to the component, the set being effective to access second addresses selected from at least one of a reserved address, reserved test address, and undocumented address;
  
  the processor, programmed to detect a system failure corresponding to accessing at least one second addresses of the second addresses; and
  
  the processor, programmed to remove access to the at least one second address that caused the system failure.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the configuration space references at least one of an internal register, internal memory, and a port corresponding to the component.
  - 16. The system of claim 14, wherein the processor is programmed to classify consequences resulting from the accessing and correspond the consequences to the second addresses.
  - 17. The system of claim 14, wherein the accessing comprises at least one of:
    - reading from the configuration address space;
      
      writing to the configuration address space;
      
      writing to, followed by reading from, the configuration address space;
      
      reading from, followed by writing to, the configuration address space; and
      
      both reading from and writing to the configuration address space, with each of the reading and writing performed at least once.
  - 18. The system of claim 14, wherein the processor is operably connected as one of external to the component and embedded in the component, and the component is selected from a Super I/O, bridge, and other device connected by a bridge to the processor.
  - 19. The system of claim 14, comprising a north bridge, operably connected to the processor, a south bridge operably connected to the north bridge, a Super I/O operably connected to the south bridge;
    - individual devices operably connected to at least one of the north bridge, the south bridge, and the Super I/O, wherein the component is selected from the north bridge, the south bridge, the Super I/O, and the individual devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Phillip M. Adams
Original Assignee
Phillip M. Adams
Inventors
Adams, Phillip M.
Primary Examiner(s)
Pearson, David J

Application Number

US15/849,984
Time in Patent Office

397 Days
Field of Search

726 3
US Class Current
CPC Class Codes

G06F 11/0706   the processing taking place...

G06F 11/0751   Error or fault detection no...

G06F 11/079   Root cause analysis, i.e. e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

Computer system vulnerability analysis apparatus and method

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system vulnerability analysis apparatus and method

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links