Static analysis of vulnerabilities in application packages

US 10,242,200 B1
Filed: 03/04/2016
Issued: 03/26/2019
Est. Priority Date: 03/06/2015
Status: Active Grant

First Claim

Patent Images

1. A method performed by one or more processors for statically analyzing an application package for vulnerabilities, the method comprising:

disassembling at least a portion of executable code for an application;

searching the disassembled code for a definition of a potentially-vulnerable function;

determining that the potentially-vulnerable function is defined and analyzing a portion of the disassembled code associated with the potentially-vulnerable function, wherein the analyzing comprises;

searching the disassembled code associated with the potentially-vulnerable function for executable instructions associated with a non-vulnerable implementation of the potentially-vulnerable function, anddetermining, based on an absence of the executable instructions that at least one vulnerability associated with the potentially-vulnerable function is present; and

based on the analysis, disabling the potentially-vulnerable function in the application and reporting a potential vulnerability in the potentially-vulnerable function.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are disclosed herein for analyzing computer programs for potential security vulnerabilities. In one computer-implemented embodiment of the disclosed technology, a method includes analyzing a package for an application (e.g., a mobile device application package) by disassembling at least a portion of executable code associated with the application, searching for a pattern associated with a potentially vulnerably function or method, and, if the function or method is defined, then analyzing disassembled code for the function to determine whether a vulnerability is present. In some examples, a number of packages are stored in an application store database and scanned periodically to statically analyze the package for vulnerabilities.

13 Citations

View as Search Results

17 Claims

1. A method performed by one or more processors for statically analyzing an application package for vulnerabilities, the method comprising:
- disassembling at least a portion of executable code for an application;
  
  searching the disassembled code for a definition of a potentially-vulnerable function;
  
  determining that the potentially-vulnerable function is defined and analyzing a portion of the disassembled code associated with the potentially-vulnerable function, wherein the analyzing comprises;
  
  searching the disassembled code associated with the potentially-vulnerable function for executable instructions associated with a non-vulnerable implementation of the potentially-vulnerable function, anddetermining, based on an absence of the executable instructions that at least one vulnerability associated with the potentially-vulnerable function is present; and
  
  based on the analysis, disabling the potentially-vulnerable function in the application and reporting a potential vulnerability in the potentially-vulnerable function.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising, if the searching does not find the function definition, then indicating that at least one vulnerability associated with the function is not present in the application.
  - 3. The method of claim 1, wherein the application package is an Android application package.
  - 4. The method of claim 1, wherein the disassembling is performed using at least one or more of the following tools:
    - apktool, baksmali, or dedexer.
  - 5. The method of claim 1, wherein the application package is stored in an application store accessible via the Internet.
  - 6. The method of claim 1, wherein:
    - the application package is stored in an application store accessible via the Internet;
      
      a plurality of applications are stored in the application store; and
      
      the method further comprises, for each one of a respective two or more of the plurality of applications, repeating the disassembling, the searching, and the analyzing.
  - 7. The method of claim 1, wherein the potentially-vulnerable function is associated with Secure Socket Layer (SSL) communication, wherein the method further comprises disabling SSL protocol for the application package.

8. One or more non-transitory computer-readable storage media storing computer-readable instructions that, when executed by a computer, cause the computer to perform a method, comprising:
- disassembling at least a portion of executable code for an application;
  
  searching the disassembled code for a definition of a potentially-vulnerable function;
  
  determining that the potentially-vulnerable function is defined in the disassembled portion of the executable code and analyzing the disassembled portion of the executable code, wherein the analyzing comprises;
  
  searching the disassembled portion of the executable code for executable instructions associated with a non-vulnerable implementation of the potentially-vulnerable function, anddetermining, based on an absence of the executable instructions that at least one vulnerability associated with the potentially-vulnerable function is present; and
  
  based on the analysis, disabling the potentially-vulnerable function of the application and reporting a potential vulnerability in the potentially-vulnerable function.

9. A system, comprising:
- memory;
  
  one or more processors couple to the memory;
  
  one or more non-transitory computer-readable media storing computer-readable instructions that, when executed by the processors, cause the processors to perform a method of statically analyzing an application package for vulnerabilities, the instructions comprising;
  
  instructions for a disassembler, the disassembler being configure to disassemble executable code;
  
  instructions for searching disassembled code for a definition of a potentially-vulnerable functioninstructions for, determining that the potentially-vulnerable function is defined and analyzing a portion of the disassembled code associated with the potentially-vulnerable function, wherein the analyzing comprises;
  
  searching the disassembled code associated with the potentially-vulnerable function for executable instructions associated with a non-vulnerable implementation of the potentially-vulnerable function, anddetermining, based on an absence of the executable instructions that at least one vulnerability associated with the potentially-vulnerable function is present; and
  
  instructions for disabling the potentially vulnerable function in the application based on the analysis and reporting a potential vulnerability in the potentially-vulnerable function.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the instructions further comprise:
    - instructions for, if the certain instructions are identified by the analyzing, then indicating that the at least one vulnerability associated with the potentially-vulnerable function is not present.
  - 11. The system of claim 9, wherein the instructions further comprise:
    - instructions for providing an application store accessible via a computer network.
  - 12. The system of claim 9, further comprising:
    - a database storing executable code for a plurality of application packages; and
      
      wherein the instructions further comprise, for two or more application packages of the plurality of application packages, instructions for periodically repeating execution of the instructions for;
      
      the disassembler, performing the searching, and performing the analyzing.
  - 13. The system of claim 9, wherein the instructions further comprise:
    - instructions for, based on the analyzing, preventing distribution of the application package.
  - 14. The system of claim 9, wherein the instructions further comprise:
    - instructions for determining whether the potentially-vulnerable function is associated with a security implementation; and
      
      based on the determining, disabling the potentially-vulnerable function.
  - 15. The system of claim 9, wherein the instructions for the disassembler comprise instructions for extracting at least one or more of the following:
    - a certificate associated with the application package;
      
      a digest associated with components of the application package;
      
      native compiled code;
      
      bytecode;
      
      a manifest in eXtensible Markup Language (XML) format;
      
      orcode compiled in dex format.
  - 16. The system of claim 9, wherein the instructions further comprise:
    - instructions for extracting function names from a symbol table of the application package.
  - 17. The system of claim 9, wherein the application package is a medical application, a home security application, a home automation application, or a smartphone application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Young, Craig
Primary Examiner(s)
Patel, Ashokkumar B
Assistant Examiner(s)
Jones, William B

Application Number

US15/061,880
Time in Patent Office

1,117 Days
Field of Search

726 25, 726 24
US Class Current
CPC Class Codes

G06F 16/9017   using directory or table lo...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Static analysis of vulnerabilities in application packages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Static analysis of vulnerabilities in application packages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links