SYSTEM AND METHOD FOR ANALYZING MALICIOUS CODE USING A STATIC ANALYZER

US 20110307956A1
Filed: 06/09/2011
Published: 12/15/2011
Est. Priority Date: 06/11/2010
Status: Active Grant

First Claim

Patent Images

1. A system for analyzing computer code comprising:

a client device generating a data request for retrieving data from a non-trusted entity via a network; and

a gateway communicatively coupled to the client device and to the network, the gateway configured to receive computer code from the non-trusted entity via the network, build a tree representing the computer code, a node of the tree having a statement from the computer code, analyze the statement to identify symbol data describing a variable, the symbol data describing a name of the variable and a value of the variable, and store the symbol data in a symbol table.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes a name of the variable and the value of the variable. The gateway stores the symbol data in a symbol table.

Citations

24 Claims

1. A system for analyzing computer code comprising:
- a client device generating a data request for retrieving data from a non-trusted entity via a network; and
  
  a gateway communicatively coupled to the client device and to the network, the gateway configured to receive computer code from the non-trusted entity via the network, build a tree representing the computer code, a node of the tree having a statement from the computer code, analyze the statement to identify symbol data describing a variable, the symbol data describing a name of the variable and a value of the variable, and store the symbol data in a symbol table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the gateway is further configured to determine context data describing a scope of the statement and storing the context data in a context table.
  - 3. The system of claim 2, wherein the symbol data stored in the symbol table is associated with the context data stored in the context table.
  - 4. The system of claim 1, wherein the gateway is further configured to embed a probe function in the node of the tree, detect the probe function and call a probe responsive to detecting the probe function in the node.
  - 5. The system of claim 1, wherein the gateway is further configured to determine whether the statement is a simple statement and execute the statement responsive to determining that the statement is the simple statement.
  - 6. The system of claim 5, wherein the simple statement includes one or more of a basic language operator applied to the variable and a function code intrinsic to a language in which the computer code is written.
  - 7. The system of claim 5, wherein the gateway is further configured to analyze the executed statement to identify modifications to the symbol data stored in the symbol table and update the symbol data stored in the symbol table responsive to analyzing the executed statement.
  - 8. The system of claim 2, wherein the gateway is further configured to determine whether the statement is a simple statement, execute the statement responsive to determining that the statement is the simple statement, analyze the executed statement to identify modifications to the symbol data stored in the symbol table and the context data stored in the context table, and update the symbol table and the context table.

9. A computer-implemented method for analyzing computer code comprising:
- receiving computer code from a non-trusted entity via a network;
  
  building a tree representing the computer code, a node of the tree having a statement from the computer code;
  
  walking to the node of the tree and analyzing the statement to identify symbol data describing a variable, the symbol data describing a name of the variable and a value of the variable; and
  
  storing the symbol data in a symbol table.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-implemented method of claim 9, further comprising determining context data describing a scope of the statement and storing the context data in a context table.
  - 11. The computer-implemented method of claim 10, wherein the symbol data stored in the symbol table is associated with the context data stored in the context table.
  - 12. The computer-implemented method of claim 9, further comprising embedding a probe function in the node of the tree, detecting the probe function and calling a probe responsive to detecting the probe function in the node.
  - 13. The computer-implemented method of claim 9, further comprising determining whether the statement is a simple statement and executing the statement responsive to determining that the statement is the simple statement.
  - 14. The computer-implemented method of claim 13, wherein the simple statement includes one or more of a basic language operator applied to the variable and a function code intrinsic to a language in which the computer code is written.
  - 15. The computer-implemented method of claim 13, further comprising analyzing the executed statement to identify modifications to the symbol data stored in the symbol table and updating the symbol table.
  - 16. The computer-implemented method of claim 10, further comprising:
    - determining whether the statement is a simple statement;
      
      executing the statement responsive to determining that the statement is the simple statement;
      
      analyzing the executed statement to identify modifications to the symbol data stored in the symbol table and the context data stored in the context table; and
      
      updating the symbol table and the context table.

17. A computer program product comprising a computer usable storage medium including a computer readable program, the computer readable program when executed by a processor causes the processor to:
- build a tree representing computer code, a node of the tree having a statement from the computer code;
  
  walk to the node of the tree and analyze the statement to identify symbol data describing a variable, the symbol data describing a name of the variable and a value of the variable; and
  
  store the symbol data in a symbol table.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product of claim 17, the computer readable program when executed by the processor further causing the processor to:
    - determine context data describing a scope of the statement; and
      
      store the context data in a context table.
  - 19. The computer program product of claim 18, wherein the symbol data stored in the symbol table is associated with the context data stored in the context table.
  - 20. The computer program product of claim 17, the computer readable program when executed by the processor further causing the processor to:
    - embed a probe function in the node of the tree;
      
      detect the probe function; and
      
      call a probe responsive to detecting the probe function in the node.
  - 21. The computer program product of claim 17, the computer readable program when executed by the processor further causing the processor to:
    - determine whether the statement is a simple statement; and
      
      execute the statement responsive to determining that the statement is the simple statement.
  - 22. The computer program product of claim 21, wherein the simple statement includes one or more of a basic language operator applied to the variable and a function code intrinsic to a language in which the computer code is written.
  - 23. The computer program product of claim 21, the computer readable program when executed by the processor further causing the processor to:
    - analyze the executed statement to identify modifications to the symbol data stored in the symbol table; and
      
      update the symbol table.
  - 24. The computer program product of claim 18, the computer readable program when executed by the processor further causing the processor to:
    - determine whether the statement is a simple statement;
      
      execute the statement responsive to determining that the statement is the simple statement;
      
      analyze the executed statement to identify modifications to the symbol data stored in the symbol table and the context data stored in the context table; and
      
      update the symbol table and the context table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
M86 Security Incorporated (Singapore Telecommunications Limited)
Inventors
Yermakov, Alexander, Kaplan, Mark

Granted Patent

US 9,081,961 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 40/154   Tree transformation for tre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

SYSTEM AND METHOD FOR ANALYZING MALICIOUS CODE USING A STATIC ANALYZER

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ANALYZING MALICIOUS CODE USING A STATIC ANALYZER

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links