System and methods for automated detection of input and output validation and resource management vulnerability

US 10,354,074 B2
Filed: 06/24/2015
Issued: 07/16/2019
Est. Priority Date: 06/24/2014
Status: Active Grant

First Claim

Patent Images

1. A method executed by a physical computer comprising a processor within a system, the method comprising, by the processor:

as a process of a computer application executes at runtime;

analyzing a set of computer routines of the process, the analyzing including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set, the analyzing determining the likelihood of vulnerability including performing a simulation to cause at least one failure condition and observing response of the one or more computer routines to the simulation, the performed simulation injecting into the process, code that causes the at least one failure condition;

based upon the analysis, identifying the one or more computer routines of the set having the likelihood of vulnerability;

asynchronously and dynamically manipulating at least one of the one or more identified computer routines through a testing technique; and

determining unexpected behavior of the at least one of the one or more identified computer routines;

wherein analysis further includes at least one of;

extracting a histogram including a frequency of usage associated with at least one computer routine of the set;

a determination of size of one or more buffer read or write computer operations associated with the one or more identified computer routines;

a determination of size of one or more corresponding stacks associated with the one or more identified computer routines;

a determination of size of one or more memory read or write operations based upon examining at least one of a corresponding loop size; and

a taint analysis of at least one computer routine of the set.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

178 Citations

22 Claims

1. A method executed by a physical computer comprising a processor within a system, the method comprising, by the processor:
- as a process of a computer application executes at runtime;
  
  analyzing a set of computer routines of the process, the analyzing including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set, the analyzing determining the likelihood of vulnerability including performing a simulation to cause at least one failure condition and observing response of the one or more computer routines to the simulation, the performed simulation injecting into the process, code that causes the at least one failure condition;
  
  based upon the analysis, identifying the one or more computer routines of the set having the likelihood of vulnerability;
  
  asynchronously and dynamically manipulating at least one of the one or more identified computer routines through a testing technique; and
  
  determining unexpected behavior of the at least one of the one or more identified computer routines;
  
  wherein analysis further includes at least one of;
  
  extracting a histogram including a frequency of usage associated with at least one computer routine of the set;
  
  a determination of size of one or more buffer read or write computer operations associated with the one or more identified computer routines;
  
  a determination of size of one or more corresponding stacks associated with the one or more identified computer routines;
  
  a determination of size of one or more memory read or write operations based upon examining at least one of a corresponding loop size; and
  
  a taint analysis of at least one computer routine of the set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21, 22)
- - 2. The method of claim 1, further comprising deploying one or more patches to correct the unexpected behavior of the at least one of the one or more identified computer routines.
  - 3. The method of claim 1, further comprising analyzing the set of computer routines and at least one corresponding sequence of computer routines of the set.
  - 4. The method of claim 1, wherein the one or more identified computer routines include at least one of:
    - a function and a system call.
  - 5. The method of claim 1, further comprising manipulating the at least one of the one or more identified computer routines by at least one of:
    - modifying data associated with the one or more identified computer routines, the data exceeding a corresponding buffer size; and
      
      modifying values that are declared in memory regions associated with the one or more identified computer routines.
  - 6. The method of claim 1, wherein determining unexpected behavior of at least one of the one or more identified computer routines includes determining that a control flow of a thread associated with the one or more identified computer routines has changed as a result of the manipulation, determining a failure condition that caused the thread to change its control flow, and displaying the failure condition.
  - 7. The method of claim 1, wherein, for at least one function of the one or more identified computer routines, the computer testing technique provides at least one of invalid, unexpected, and random data to at least one of an input of the at least one function, logic within the at least one function, and an output of the at least one function.
  - 8. The method of claim 1, wherein, for at least one system call of the one or more identified computer routines, the computer testing technique provides at least one of invalid, unexpected, and random data to a system call parameter associated with the at least one system call.
  - 9. The method of claim 8, wherein the system call parameter is associated with at least one of the following:
    - thread synchronization, process synchronization, thread scheduling, process scheduling, memory, memory allocation, memory de-allocation, memory writing, memory reading, a network socket, creation of a network socket, network socket input, network socket output, pipe creation, system input, system output, shared memory fifo creation, a terminal input, a terminal output, file handling, file creation, file writing, file reading, disk input, and disk output.
  - 21. The method of claim 1, wherein the performing the simulation to cause the at least one failure condition is based on negative testing and code exerciser testing.
  - 22. The method of claim 1, wherein the performing the simulation to cause the at least one failure condition is based upon a test in three states including a start state associated with the start of execution of the one or more identified computer routines, a middle state associated with execution of a middle or body of the one or more identified computer routines, and an end state associated with an end of execution of the one or more identified computer routines.

10. A system comprising:
- an analysis engine configured to;
  
  as a process of a computer application executes at runtime;
  
  perform an analysis of a set of computer routines of the process, the analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set, the analysis determining the likelihood of vulnerability including performing a simulation to cause at least one failure condition and observing response of the one or more computer routines to the simulation, the performed simulation injecting into the process, code that causes the at least one failure condition; and
  
  based upon the analysis, identify the one or more computer routines of the set having the likelihood of vulnerability; and
  
  a validation engine communicatively coupled to the analysis engine, the validation engine configured to;
  
  asynchronously and dynamically manipulate at least one of the one or more identified computer routines through a testing technique; and
  
  determine unexpected behavior of the at least one of the one or more identified computer routines;
  
  wherein the analysis engine is further configured to perform at least one of the following;
  
  extract a histogram including a frequency of usage associated with at least one computer routine of the set;
  
  determine a size of one or more buffer read or write computer operations associated with the one or more identified computer routines;
  
  determine a size of one or more corresponding stacks associated with the one or more identified computer routines;
  
  determine of a size of one or more memory read or write operations based upon examining a corresponding loop size; and
  
  perform a taint analysis of at least one computer routine of the set.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The system of claim 10, wherein the analysis engine is further configured to deploy one or more patches to correct the unexpected behavior of at least one of the one or more identified computer routines.
  - 12. The system of claim 10, wherein the analysis engine is further configured to analyze the set of computer routines and at least one corresponding sequence of computer routines of the set.
  - 13. The system of claim 10, wherein the one or more identified computer routines include at least one of:
    - a function and a system call.
  - 14. The system of claim 10, wherein the validation engine is further configured to manipulate the at least one of the one or more identified computer routines by at least one of:
    - modifying data associated with the one or more identified computer routines, the data exceeding a corresponding buffer size; and
      
      modifying values that are declared in memory regions associated with the one or more identified computer routines.
  - 15. The system of claim 10, wherein the analysis engine is further configured to determine the unexpected behavior of at least one of the one or more identified computer routines including:
    - determining that a control flow of a thread associated with the one or more identified computer routines has changed as a result of the manipulation of the validation engine, determining a failure condition that caused the thread to change its control flow, and displaying the failure condition.
  - 16. The system of claim 10, wherein the validation engine is further configured to asynchronously and dynamically manipulate the at least one of the one or more identified computer routines through the testing technique, and for at least one function of the one or more identified computer routines, the computer testing technique provides at least one of invalid, unexpected, and random data to at least one of an input of the at least one function, logic within the at least one function, and an output of the at least one function.
  - 17. The system of claim 10, wherein the validation engine is further configured to asynchronously and dynamically manipulate the at least one of the one or more identified computer routines through the testing technique, and for at least one system call of the one or more identified computer routines, the computer testing technique provides at least one of invalid, unexpected, and random data to a system call parameter associated with the at least one system call.
  - 18. The system of claim 17, wherein the system call parameter is associated with at least one of the following:
    - thread synchronization, process synchronization, thread scheduling, process scheduling, memory, memory allocation, memory de-allocation, memory writing, memory reading, a network socket, creation of a network socket, network socket input, network socket output, pipe creation, system input, system output, shared memory fifo creation, a terminal input, a terminal output, file handling, file creation, file writing, file reading, disk input, and disk output.
  - 19. The system of claim 10, wherein the analysis engine and the validation engine comprise a processor fabric including one or more processors.
  - 20. The system of claim 10, wherein the analysis engine, the validation engine, and an instrumentation engine comprise a processor fabric including one or more processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virsec Systems, Inc.
Original Assignee
Virsec Systems, Inc.
Inventors
Gupta, Satya Vrat
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US15/318,429
Publication Number

US 20170132419A1
Time in Patent Office

1,483 Days
Field of Search

726 24
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 11/3672   Test management

G06F 11/3684   for test design, e.g. gener...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 8/65   Updates security arrangemen...

System and methods for automated detection of input and output validation and resource management vulnerability

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

178 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for automated detection of input and output validation and resource management vulnerability

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links